Search Query Language

In this section, we'll introduce the following concepts:

icon showing magnifying glass hovering over a data symbol

Search Operators

Available search operators in the Sumo Logic search query language.

Parse Operators

Sumo Logic provides a number of ways to parse fields in your log messages.

Group or Aggregate Operators

Evaluate messages and place them into groups.

Field Expressions

Overview of the expressions that create user-defined numeric, boolean, or string fields.

Math Expressions

Use general mathematical expressions on numerical data extracted from log lines.

Transaction Analytics

Find and group related log data.

Syntax style

Sumo Logic search query language syntax is written in the following styles.

Code Font

Search syntax, queries, parameters, and filenames are displayed in Regular Code Font.

Required and optional arguments:

A required argument is wrapped in angle brackets < >.
An optional argument is wrapped in square brackets [ ].

Example:

| parse [field=<field_name>] "<start_anchor>*<stop_anchor>" as <field> [nodrop]

The required arguments are <start_anchor>, <stop_anchor>, and <field>. The optional arguments are [field=<field_name>] and the [nodrop] option.

One or more arguments:

An argument that can be specified more than once has an ellipsis ... to indicate where you may add additional arguments.

Example:

concat(<field1>, <field2>[, <field3>, ...]) as <field>

Micro Lesson

Here's a step-by-step tutorial about creating Sumo Logic queries.

sumo

For a collection of customer-created search queries and their use cases, see the Community Query Library.