Skip to main content

Search Operators

Search operators process data in meaningful ways and provide logic to queries. This page lists the available search operators in the Sumo Logic search query language.

In this section, we'll introduce the following concepts:

icon

accum

The accum operator calculates the cumulative sum of a field. It can be used to find a count by a specific time interval and a total running count across all intervals.

icon

as

The as operator, typically used in conjunction with other operators, can also be used standalone to rename fields or to create new constant fields.

icon

ASN lookup

Use this to look up an Autonomous System Number (ASN) and organization name by IP address.

icon

backshift

The backshift operator helps you compare values as they change over time.

icon

base64Decode

The base64Decode operator takes a base64 string and converts it to an ASCII string.

icon

base64Encode

The base64Encode operator takes an ASCII string and converts it to a base64 string.

icon

bin

The bin operator assigns output results to user defined bins.

icon

cat

You can use the cat operator to view the contents of a lookup table. Not supported in auto refresh dashboards or scheduled searches.

icon

CIDR

Sumo Logic's three CIDR operators work with Classless Inter-Domain Routing, notation to narrow the analysis of IPv4 networks to specific subnets.

icon

compare

The compare operator can be used with the Time Compare button in the Sumo UI, which generates correct syntax and adds it to your aggregate query.

icon

concat

The concat operator allows you to concatenate or join multiple strings, numbers, and fields into a single user-defined field.

icon

contains

The contains operator compares string values of two parsed fields and returns a boolean result based on whether the second field's value exists in the first.

icon

decToHex

The decToHex operator converts a long value of 16 or fewer digits to a hexadecimal string using Two's Complement for negative values.

icon

dedup

The dedup operator removes duplicate results. You have the option to remove consecutively and by specific fields.

icon

diff

The diff operator calculates the rate of change in a field between consecutive rows.

icon

fields

The fields operator allows you to specify which fields to display and their order in the results of a query.

icon

fillmissing

The fillmissing operator allows you to specify groups that should be represented in data output.

icon

filter

Use the filter operator to filter the output of a search based on the filtering criteria of a child query.

icon

format

The format operator allows you to format and combine data from parsed fields.

icon

formatDate

The formatDate operator formats dates in log files as a string in a different format, such as U.S. or European date formatting.

icon

Geo Lookup (Map)

With the Geo Lookup (Map) operator, Sumo Logic can match a parsed IPv4 or IPv6 address to its geographical location on a map.

icon

geoip

With the geoip operator, Sumo Logic can match a parsed IPv4 or IPv6 address to its geographical location on a map chart.

icon

hash

The hash operator uses a cryptographic hash algorithm to obscure data into a random string value.

icon

haversine

The haversine operator returns the distance between latitude and longitude values of two coordinates in kilometers.

icon

hexToAscii

The hexToAscii operator converts a hexadecimal string to an ASCII string.

icon

hexToDec

The hexToDec operator converts a hexadecimal string of 16 or fewer characters to a long data type using Two's Complement for negative values.

icon

if, ?

The if and ? expressions are used to evaluate a condition as either true or false, with values assigned for each outcome.

icon

in

The in operator returns a Boolean value: true if the specified property is in the specified object, or false if it is not.

icon

ipv4ToNumber

The ipv4ToNumber operator converts an Internet Protocol version 4 (IPv4) IP address from the octet dot-decimal format to a decimal format.

icon

isNull, isEmpty, isBlank

The isNull operator checks a string and returns a boolean value, isEmpty if a string contains no characters, and isBlank if a string contains no characters, is only whitespace, and is null.

icon

isNumeric

The isNumeric operator checks whether a string is a valid Java number.

icon

isPrivateIP

The isPrivateIP operator checks if an IPv4 address is private and returns a boolean.

icon

isPublicIP

The isPublicIP operator checks if an IPv4 address is public and returns a boolean.

icon

isReservedIP

The isReservedIP operator checks if an IPv4 address is reserved as defined by RFC 5735 and returns a boolean.

icon

isValidIP, isValidIPv4, isValidIPv6

The isValidIP operator checks if the value is a valid IP address. The isValidIPv4 and isValidIPv6 operators check if the value is a valid IPv4 or IPv6 address, respectively. 

icon

join

The join operator combines records of two or more data streams.

icon

jsonArrayContains

Use the jsonArrayContains operator to determine whether a JSON array contains a particular item.

icon

jsonArraySize

Use the jsonArraySize operator to determine the size of a JSON array.

icon

length

The length operator returns the number of characters in a string.

icon

limit

The limit operator reduces the number of raw messages or aggregate results returned.

icon

lookup

The lookup operator returns one or more fields from a lookup table hosted by Sumo Logic and add the fields to the log messages returned by your query.

icon

lookup (Classic)

The lookup (Classic) operator maps data in your log messages to meaningful information saved in Sumo or on an HTTPS server.

icon

lookupContains

Use the lookupContains operator to determine whether a key exists in a lookup table. It will return a boolean value.

icon

luhn

Uses Luhn’s algorithm to check message logs for strings of numbers that may be credit card numbers and then validates them.

icon

Manually cast data to string or number

Most data in Sumo Logic is stored as a string data type. Metadata fields are stored as string data and parsed fields are by default parsed as string type data.

icon

matches

The matches operator can be used to match a string to a wildcard pattern or an RE2 compliant regex.

icon

now

The now operator returns the current epoch time in milliseconds.

icon

num

The num operator converts a field to a double value, which is twice as accurate as a float value.

icon

outlier

The outlier operator identifies values in a sequence that seem unexpected and would trigger an alert/violation.

icon

predict

The predict operator ses a series of time-stamped numerical values to predict future values.

icon

queryEndTime()

The queryEndTime() operator returns the end time of the search time range in milliseconds.

icon

queryStartTime()

The queryStartTime() operator returns the start time of the search time range in milliseconds.

icon

queryTimeRange()

The queryTimeRange() operator returns the time duration for the query being executed in milliseconds.

icon

replace

The replace operator allows you to replace all instances of a specified string with another string.

icon

rollingstd

The rollingstd operator finds the rolling standard deviation of a field, allowing you to identify changes over time.

icon

save

The save operator allows you to save the results of a query to a lookup table you've already created.

icon

save (Classic)

The save (classic) operator works with the classic Lookup Tables feature.

icon

sessionize

The sessionize operator uses an extracted value from one log message to find correlating values in log messages from other systems.

icon

smooth

The smooth operator calculates the rolling (or moving) average of a field, measuring the average of a value to "smooth" random variation.

icon

sort

The sort operator orders aggregated search results.

icon

substring()

The substring operator allows you to specify an offset that will output only part of a string, referred to as a substring.

icon

threatip()

The threatip() operator correlates CrowdStrike's threat intelligence data based on IP addresses from your log data, helping you detect threats in your environment.

icon

timeslice()

The timeslice operator aggregates data by time period, so you can create bucketed results based on a fixed interval.

icon

Timeslice Join Results

When you gather data using a join operator, you can slice data by time period using the timeslice operator.

icon

toLowerCase, toUpperCase

The toLowerCase operator takes a string and converts it to all lower case letters.

icon

top

Use the top operator with the sort operator to reduce the number of sorted results returned.

icon

topk

The topk operator allows you to select the top values from fields and group them by fields.

icon

total

The total operator inserts the sum of a set of fields into every row of the set.

icon

tourl

The tourl operator provides you the ability to assign a short name that describes the URL.

icon

trace

The trace operator acts as a highly sophisticated filter to connect the dots across different log messages.

icon

transpose

Similar to a Pivot Table in Excel, the transpose operator allows you to take a list and turn it into a table in the Aggregates tab.

icon

trim()

The trim operator eliminates leading and trailing spaces from a string field.

icon

urldecode

The urldecode operator decodes a URL you include in a query, returning the decoded (unescaped) URL string.

icon

urlencode

The urlencode operator encodes the URL into an ASCII character set.

icon

where()

The where operator allows you to filter results based on a boolean expression.

Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.