Search Query Language
In this section, we'll introduce the following concepts:
- Search Operators: the search operators available in the Sumo Logic search query language.
- Parse Operators: the ways Sumo Logic provides to parse fields out of your log messages.
- Math Expressions: general mathematical expressions applied to numerical data extracted from log lines.
- Group or Aggregate Operators: operators that evaluate messages and place them into groups.
- Field Expressions: an overview of the expressions that create user-defined numeric, boolean, or string fields.
- Transaction Analytics: finding and grouping related log data.
Syntax style
Sumo Logic search query language syntax is written in the following styles.
Code Font
Search syntax, queries, parameters, and filenames are displayed in regular code font.
Required and optional arguments:
- A required argument is wrapped in angle brackets < >.
- An optional argument is wrapped in square brackets [ ].
Example:
| parse [field=<field_name>] "<start_anchor>*<stop_anchor>" as <field> [nodrop]
The required arguments are <start_anchor>, <stop_anchor>, and <field>. The optional arguments are [field=<field_name>] and the [nodrop] option.
One or more arguments:
- An argument that can be specified more than once has an ellipsis ... to indicate where you may add additional arguments.
Example:
concat(<field1>, <field2>[, <field3>, ...]) as <field>
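The following queries are an added illustration of how the notation above maps onto concrete searches; they are not from the original page. The source category, the log line format, and the field names (user, src_ip, user_at_ip) are assumptions, and the sample log line shown in the comment is constructed for the example.

```sumo
// Constructed sample log line this query is written against:
//   sshd[1182]: Accepted publickey user=alice src=10.0.0.5
// Source category and field names are assumed for the example.
_sourceCategory=prod/auth

// Required arguments only: the start anchor, the stop anchor (each * is
// one wildcard), and the field names. Two wildcards, so two fields.
// Messages that do not match the anchors are dropped from the results.
| parse "user=* src=*" as user, src_ip

// Same parse with both optional arguments supplied:
//   field=message parses the already-extracted field "message" instead
//   of the raw log text (_raw), and nodrop keeps non-matching messages
//   with the new fields left empty instead of discarding them.
| parse field=message "user=* src=*" as user, src_ip nodrop

// concat: the ellipsis in the syntax means any number of further
// arguments may follow the first two. Here a string literal sits
// between the two parsed fields.
| concat(user, "@", src_ip) as user_at_ip
```

Note the difference in coverage between the two parse forms: without nodrop, any message missing the anchors silently disappears from the result set, which matters when the same search is meant to count or alert on all events, not only the ones that parsed cleanly.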
Here's a step-by-step tutorial about creating Sumo Logic queries.
For a collection of customer-created search queries and their use cases, see the Community Query Library.