Sumo Logic QuickStart Webinar - July 2018
So, I want to welcome everybody to today's webinar. Today we're going to be discussing Sumo Logic, and more specifically the Sumo Logic QuickStart: how do we get you up to speed on understanding how to use Sumo Logic and some of its features. Today's webinar is going to be a combination of some PowerPoint slides and certainly some in-app demos, and if you have questions, go ahead and post them into the chat window and we can try to answer those. So let's get started.

What are we going to be discussing today? We're going to be discussing Sumo Logic, and more specifically becoming a Sumo Pro user. This information corresponds with our certification level one. We've recently launched a certification program that currently consists of three different levels; today's class will be level one, and as you registered for this webinar I'm sure you saw the links to register for the other ones, and we certainly encourage you to do so to expand your Sumo Logic knowledge.

What are we specifically going to be talking about over the next hour or so? These are the five steps to becoming a Sumo Pro user, and we're going to discuss these throughout the session today.

How does Sumo Logic help me? You now have Sumo Logic access, and how do you use it to benefit you and make sure that you can view the content that's going to be relevant to you?

What data is available so I can analyze it? You now have access to the system, and now you need to understand what is there that you can look at, and we'll show you some ways to see what data has essentially been loaded for you.

How can I search, parse and analyze my data? Now you have all this data available to you and you need to analyze it, so we're going to take a look at some of the search mechanisms, some parsing and analyzing, and a query language that will allow you to essentially take your data and slice it and dice it in a way that's going to make sense to you and any users that might need to look at that data.

How can I monitor my trends and critical events? We certainly want you to be able to take advantage of Sumo Logic to do those types of things: to see trends, look at patterns, and potentially even prediction models and outliers, to see what's going on with your trends. With the monitoring, one of the cool things about Sumo Logic is you have the ability to set up alerts so that you can be notified of events that are taking place when you're not in Sumo Logic. We certainly don't want you to have to be logged in 24/7 staring at a screen waiting for an event to occur; we'll show you some ways that you can integrate with email or webhooks so you can get a notification when these events occur.

And then, where do I go from here? We're going to give you a fair amount of knowledge over the next hour or so, and then what are the next steps, how do you continue and advance your knowledge of Sumo Logic?

So let's dive in here. There's going to be a corresponding tutorial that has some hands-on exercises that we would encourage you to go through. We'll be looking at most of those today; I'll be covering the tutorial steps, but we would certainly encourage you to do this on your own time and actually get the hands-on experience. This is the content and the information that's going to be necessary to log into those training environments, and I'll show you how you can access this link so you don't have to write this down or take a screenshot if you don't need to.

Oh, questions: you're certainly going to have questions after today. We have very thorough documentation and a community forum that are going to be great for you to get some assistance with answers, so we would encourage you to join the community, and you can also have live conversations with our community via Slack. I'll point those out later as well and show you where those exist.

And then finally, based on the notes that we're going to provide you today, this is going to be enough content and information for you to be able to take our first exam, the level 1 exam, Sumo Pro User. As you can see here on the right-hand side of the screen, we have the preparation, which is going to be the QuickStart webinar which we're about to do and the tutorial which I just referenced a few moments ago. This will be a great opportunity for you to prove that you have that Sumo knowledge and experience for yourself and for your organization, so we would certainly encourage you to take the exams at a later time.
So let's dive in. How does Sumo Logic help me? You now have this system; how do you get it to do something and take advantage of the service? What I'm going to do is actually start with a demonstration, so let me switch screens here. I'm going to start with this site over here, and what I want to show is a demonstration where we go through the scenario of using our fictitious company called Travel Logic. What this organization does is it's a travel agency, similar to if you go to a website like Expedia or any of those popular sites, and you would go in, book a car, book a flight, compare prices. I think you've all experienced that at some point, and that's going to be the site we're going to use for today's scenario. I could go in here and start to book a flight and look for a hotel and all that; I'm not going through it, just to save a few moments of time, because I'm sure you have all experienced this interface before.

But I want to start with a scenario here. I'm an operations individual, and I get a call from someone in upper management, and he says, hey, we're getting reports that people cannot check out on Travel Logic. As a result, they can't check out, they can't pay for their tickets, they can't book their travel. Certainly a problem for them, and a problem for us as an organization, because if they can't book travel, we don't get paid. So that's certainly a scenario that is going to be a problem for organizations. At this point I know this information, that people can't check out, so that's the piece of information I know. At the same time, though, I get a Slack message, and what this Slack message is showing me is a monitor alert, and it says critical on travel app, high node CPU. So that's interesting: I've received a phone call from somebody that said people can't check out, so I have that piece of information, and now I have a piece of information that seems to show there's a high CPU related to the travel app. Those are the two pieces of information I know, and so now I need to start to do some detective work and figure out what's going on and, more importantly, how to resolve it. That's where I'm going to start to use Sumo Logic to help me, so let me switch windows here.
I'm going to jump into my Travel Logic operational overview. At this point what I'm looking at is a dashboard that I've created that is going to allow me to look at different operational events. What we're able to see here, for example, even if we don't know the technical details of what these things are, just by taking a glance: we see reporting nodes, they're certainly reporting, so that's a good sign, and we see these green indicators that there are no errors. In this case green is good and, by contrast, red is bad. We see here that the response times are a little bit higher than what we would expect, and more importantly the checkout service has produced about 4,000 errors in the last 60 minutes. Well, I know, or I believe, there's an issue with the checkout service, and this is kind of confirming that there have been a bunch of errors, specifically about 4,000 of them in the last 60 minutes. So this gives me a starting point to dig in, and now I want to continue digging in, seeing what's going on and, more importantly, can I resolve it.

I'm going to click on this icon here, which is going to show the search; basically I'm taking this panel on the dashboard and expanding it out. Now what I'm looking at are the service details related to what I have on the Travel Logic website, and I'm going to go through some of the panels on this dashboard view. Over here we have our list of our reporting on bookings, and we have our successes and fails, and we see things were very successful: at 8:20 people were able to book, at 8:38, 8:40, 8:50 and so on, and then at about 8:57 or so our successful bookings dropped and we have a bunch of fails, which seems to be a problem. So we're looking at this occurring at about 8:56; okay, that's interesting, at about 8:56 things seem to switch over, so to speak, to going bad. Let's take a look at some other panels here and see if this corroborates our information or helps in any way.

If we look at this errors panel for the last seven days, we see there were a couple of errors a few days ago, there were errors some three days ago, some errors yesterday, and then we see there was a space where there were no errors at all over the last seven days, and then once again at about 8:55 or so there started to be errors today. That seems to be in sync with the time, so it looks like maybe at about 8:55 or so something went a little awry, or at least errors started to be reported. If we look further down here at errors by node (we're only going to discuss source name a little bit), if I mouse over these I can see that there were errors related to the CS team dot travel dash checkout source, so that's interesting: there appear to be errors specifically related to this section, so that's good to know.

If I go over here and look at gateway latency, what I have here is essentially a threshold and an outlier graph showing the information. What I'm able to interpret from this is our gateway latency was determined to be within a certain threshold range, and as long as it's in that range it would be considered flat, which is good, so things were humming along as they should be, and then at about 8:55 or so we see that the gateway latency jumped up, and we see these pink triangles that represent outliers. So basically the system was expecting some sort of norm, and then at about 8:55 or 8:56 the latency went outside that norm. Okay, that's interesting as well.

And then finally we have our CPU and total memory panel up here, and what we see here is, if we look at about this 8:56 time or so, we see an increase in, or start to see a spike in, some of the information here. We know, due to the Slack message I received, that something related to the CPU was high; we don't know why it was high, but we also know that the two pieces of information seem to occur around the same time: checkout fails started to occur and spikes in CPU usage started to occur as well. So what I'm going to do is drill into the CPU and total memory, because this is the one piece of information where I can start to look at something a little more specifically, since I had that Slack message that helped point me in this direction. So I'm going to drill in here.
Now what I'm looking at is a metrics view that is showing information about CPU and total memory usage. Right here we see the CPU information and we see the memory usage information, both within this graph. I don't really need to look at the memory usage, because the Slack message I received indicates something was up related to the CPU, so I'm going to click on this and essentially turn off, or comment out, the memory usage, since it's not really relevant for me at this time. What I'm looking at now is the CPU usage, and we still see those spikes, once again at about this 8:56 time.

Right now I'm looking at metrics, and I want to identify why things were going on. The metrics are helping me identify what was going on, and in this case what was going on was increased CPU usage, but like I said, I want to see why it was going on. So what I'm going to do is start to overlay some of my logs, so I can look at essentially a unified logs and metrics environment. I'm going to go down here and start to define the logs that I want to take a look at. If you remember, I was looking at the source category for CS team travel checkout, so I'm going to start to look at those logs. I'm also going to look more specifically within the logs: rather than looking at all the logs together, I want to look for errors that occurred within the logs, so I'm going to look for the keyword "error" and hit enter. What's going to happen now is I'm going to have that unified logs and metrics environment, and I'm going to see the log information up here.

What I'm looking at right now, at the very top in this orange bar, is essentially a heat map showing the information related to this log data. What I see here is, prior to this 8:55 time or so, there were actually no messages that had the string "error" in them; however, at about 8:55 or so we started to see some errors in our logs. The orange bar up here is color sensitive: the lighter the color, the less frequent the message is, which is why prior to 8:55 there are actually no messages and why the bar is white or blank, but as we see here there starts to be an increase in messages. So what I'm going to do is look at the logs related to one of these time slices, as we call them; these are essentially one-minute chunks of time right now, and I'm going to take a look at those logs and see if I can see in the logs why things went haywire, so to speak. I'm going to click on the time slice in the heat map, and I'm going to do a shift-click, and that's going to open the logs in the log browser.

What I'm looking at now is all the errors that occurred with the travel checkout source category, and this is giving me all these errors; as I see here, there were about 300 errors during this one-minute chunk. I can see some of these errors here, and if I look at them I see "access denied", and I see an error down here related to the SSL server certificate. So that's interesting: I'm seeing the errors, but I'm not seeing what caused them yet, and that's really what's going to be most important to me and, more importantly, what's going to help me identify how to solve the problem.

So I'm going to do two things at this time. The first is I'm going to expand my search out: rather than just looking for errors, I'm going to look for all the events that occurred in these logs. I'm going with the idea that something caused all these errors, but what caused the errors may not necessarily have been an error itself, so I'm just basically expanding my search out. The other thing I want to do is expand my time range out. Right now I'm looking at a one-minute chunk of time where I know there were errors, but using the same idea as removing the error string, I want to span my time out, because for this minute segment I know there are errors but I'm looking to see what caused them. So I'm going to expand my search and look at the last 60 minutes. What I'm doing now is looking at the logs for the travel checkout source category, which is a naming convention that's used to identify the data, and now I'm able to view all the logs that occurred over, like I said, the last 60 minutes. I see there are about 57,000 logs, which is a fair amount, and now I could start to scroll through these and look at 2,200 pages of logs, but that's really not an efficient use of time. As I'm looking through these log messages, I do see that some successful events occurred; I see here the checkout service did occur, I see some of those in here, and then I see some errors. So at this point I'm looking at a mixture of all my information, and like I said, I can start to scroll through 2,200 pages of data, but that's just not sensible in any way.
Since you're using Sumo Logic, you can start to take advantage of some of the features we have in there, and one of the features is advanced analytics, and particularly the LogReduce option. I'm going to click on LogReduce, and when I do, what's going to occur is essentially it's going to take all those messages, approximately 58,000 messages, look at them for pattern recognition, essentially, and distill the messages down into patterns that make sense. It's going to take all those messages and combine them down into, hopefully, just a fair handful of messages. I'm just going to let this finish; it'll just take another moment. It's just about done now, and what I see at the very top is there were about 7,000 or 8,000 messages that match this pattern. Although I know my service, so I know kind of what to expect here, these are a good sign, because these have a transaction ID, so this is an indication that those checkouts did occur; here we see "starting cart checkout process", and those are all good indicators. But down here we see some errors, about 1,500 of them, and 1,500 of these as well.

I'm in the mode of trying to find out, once again, what caused these errors, so what I want to do is flip these patterns around: rather than looking at events that occurred 8,000 times or 7,000 times, I want to look for events that were probably more singular, or maybe less frequent, my hypothesis being that something caused those errors and it was probably a singular event. A bit of a leap, but since I've done this demo a few times I can make that assumption. So I'm simply going to flip my count around: rather than looking at the most frequent, I'm going to look at the least frequent, and what I see right away is this first line right here: "travel logic app starting cluster, the checkout service", and I see version 1.1 for dev. Well, this was a production system, and development code was loaded on it, and as a result that's what caused these errors. So somebody made a human error, let's say, and just loaded the wrong set of code, and that caused the SSL certificates to fail, and as a result that caused the checkout service to fail. And, kind of, ta-da. What I wanted to show here is taking Sumo Logic and using it, certainly to your advantage of course, and using it to troubleshoot.

I'm going to jump back into the slide deck to recap, highlight or review what we just did; let me grab that slide. There we go. What we did in this demo was monitoring and troubleshooting, and we looked at three different phases of that. The first part was the alerts: we looked at notifications of critical events, in this case we saw a Slack message as an indication that an event had occurred, and we were able to go into the dashboard and use that view, a simplistic view in a good way, to identify something taking place, where we were just able to go into the dashboard and see red bad, green good, and start to drill down and see what was going on. Another component of what we did was using metrics to identify what's going on: we were able to ingest our hardware information, bringing in that CPU usage and memory usage (certainly there are other metrics that can be brought in), and we were able to use those to identify what was going on, which was the increased CPU usage. And then, I was going to say more importantly, but of equal importance, we were able to use the logs to identify why it was happening. So we were able to take all that, put it together, and ultimately identify the issue, and that's what I wanted to demonstrate right there.
So I want to show another couple of slides here, and then we'll go back to some demonstrations. The Sumo Logic data flow: we certainly want you to understand how the data flow works with Sumo Logic, and it's split up into three different areas. The first one would be data collection: you're going to be using collectors to bring your sets of data into Sumo Logic. We'll go over collectors in a brief view in just a moment, but the short version of the story is essentially your data needs to be brought into Sumo Logic, which I think makes sense. Once the data's in Sumo Logic, then you can start to search and analyze that data in step number two. So now your data resides in Sumo, it's sitting there, and now you need to do something with it, so you're going to use operators to start to dig through that data and pull out the things that are important to you. You'll be able to use charts to represent that visual component of what's going on with your data, and that's going to be a great way to analyze what's taking place. And then finally, visualizing and monitoring is the alerts and dashboards component. The idea there is that even if you don't know your set of data strongly, or you want somebody else outside your team to be able to take a look and see what's going on, these dashboards are going to be a great way to see at a glance what's taking place, and so you could envision putting those up in a NOC or a command center, so that at a glance you could say, oh, everything's green, that's good; oh, something's red, that's bad. Even if, like I said, you don't know your data that well, just using that kind of color scheme can help identify what's taking place. And then the alert component goes hand in hand with that, where you can be notified outside of Sumo Logic. As I mentioned earlier at the start of the call, ideally we don't want you just sitting in Sumo Logic staring at a dashboard 24/7, so with the alerts you can still be notified of critical events, as you define those events to be critical, and then you can take action on them and log in to Sumo and start to do your troubleshooting or searching and analyzing to see what's taking place.
Another slide here regarding sending data to Sumo Logic. I don't want to get too bogged down in the details of this; we will cover this more specifically in level three, actually setting up the different collectors, but what I want to show you here is really the variety of different ways that data can be ingested into Sumo Logic. The summation here is there's a bunch of different ways, and as long as data is out there and is readable by a human, it can be ingested into Sumo Logic and we can treat it and handle it perfectly. So there's a variety of environments that can be brought into Sumo Logic: maybe you're using cloud services, Amazon, and using CloudWatch or CloudTrail or any of those popular ones, or an S3 bucket, and you can bring that data into Sumo Logic; maybe you're going to use an HTTP connection; maybe you can bring your information via syslog. You'll have the ability to install these collectors or actually just point your data to the collectors, depending on whether you're using CloudWatch or the S3 properties or not. But like I said, we cover this in more detail in level 3; just for today I think it's important to note that wherever your data is out there, it can be brought into Sumo Logic.

And then metadata: I've alluded to metadata a couple of times already, but we haven't really discussed what it is, and it's certainly important that you understand what it is and how it's used.
Metadata are going to be tags that are associated with each log message. Essentially you have all these logs out there and you're going to bring them into Sumo Logic, and then you need a way to sort through them or look through them, and you're going to use some sort of identification method to do so. There are going to be some that are essentially pre-built or pre-labeled: you might want to search for your data based on the name of the collector, which would be that piece of software that would be installed and would be grabbing your data and bringing it to Sumo Logic. You might use the source name; I believe we just used the source name in our demo, so that's another option to identify your data and allow somebody to search through it. And then finally there's going to be a source category, and this is what we're going to recommend you use, and it's going to be freely configurable, which is really where it's going to help. We'll take a look at some source categories in just a few moments in the demo, but the way it's going to be used is to identify that data, and by providing a good naming convention it's going to make it really easy for your users to locate their data. So rather than looking for data on system 2849, they could look specifically for production Apache data, for example, and we'll use that Apache example throughout the rest of today, so that's why I bring it up now. These are typically configured when the data is ingested; the source category specifically will be set up at that point. We would recommend a good naming convention so that it's something where you can, at a glance, recognize what that data consists of. We cover the naming conventions in level three, so if you're interested and want to learn more about proper naming conventions, best practices, things like that, I will discuss that in a future webinar.

So let's take a look at: what data can I analyze? You now have access to Sumo Logic and you want to see what data is out there for you. There are actually two ways to do so, and I'll demonstrate those right now. The first one is going to be exploring your collectors, so let me show you in-app what that looks like; let me just find my window here. What I've done now is I've logged into Sumo Logic. Hopefully you've seen this environment before, but if you haven't, this is the first time: when you log in you would be brought to this home page. We'll go over some of the tabs in a little bit, but I'm going to dive in here and show you where the information regarding the data that you want to analyze can be found.

The first way you can do so is to actually look at the collectors that are available to you. To do so I'm going to go to Manage Data and then Collection, and what I'm going to see are all the different collectors, which are those pieces of software that are grabbing the data, and now I can view it. For example, let's say I want to look at Apache data, which as I mentioned earlier is what we'll be using today; I can just type "apache" and I'm going to see all the different sources of Apache data that are available. I can grab one of these and dig in and analyze them, and I'll show you how to do that through the source queries in a few moments. So that's one way to see what's available to you.

The other way is you can simply create a query on your own. To do so I'm going to click on New and do a new Log Search, and I'm going to have my query window up here. I'm going to enter a very simple query: first I'm going to enter the star, which represents that I want to look at all my data, and then I'm going to add a new line and use a pipe to indicate that it's a new line, and I'm going to do a count by source category. Now what I'm looking at is pretty similar to the information I was looking at in the collection window, just a different view of it. Here I see all the different source categories that exist, and I see a count of the number of messages that have occurred in those logs for the last 15 minutes, so we're looking at a 15-minute chunk of time. I see here there were certainly a lot of Symantec firewall logs and a lot of Cisco logs, not too many PagerDuty, and you can just get a feel for where or what's making up a large percentage of your data. If I look down here I see labs Apache access representing 54,000 log messages, and like I mentioned earlier, this is the source category that we're going to use for today. So that's an easy way that you can see what data is available for you.
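To make the two search moves from this webinar concrete outside the product, here is an added Python example (not Sumo Logic's code, and not its query engine) that runs offline over a handful of constructed log lines. It reproduces the inventory step just shown, `* | count by _sourceCategory`, and the LogReduce-style step from the troubleshooting demo earlier: collapse messages into patterns by masking the variable parts, then flip the count so the rarest pattern (here, a one-off "version 1.1 dev" startup line) surfaces first. The category names, transaction IDs and messages are all made up for the example, and the signature function is a deliberately crude stand-in for the real pattern recognition.

```python
"""Added example, not Sumo Logic's code: an offline simulation of
'* | count by _sourceCategory' and a LogReduce-style rarest-pattern search.
All log lines and category names below are constructed for this example."""
import re
from collections import Counter

# Constructed sample: (source category, raw message). Not real data.
SAMPLE_LOGS = [
    ("labs/apache/access", '10.0.0.1 - - "GET /index.html" 200 512'),
    ("labs/apache/access", '10.0.0.2 - - "GET /book" 200 1024'),
    ("labs/apache/access", '10.0.0.3 - - "GET /book" 200 1024'),
    ("travel/checkout", "txid=9f3a starting cart checkout process"),
    ("travel/checkout", "txid=1b77 starting cart checkout process"),
    ("travel/checkout", "txid=c0de starting cart checkout process"),
    # the one-off event the demo found by sorting least-frequent first
    ("travel/checkout", "travel logic app starting cluster checkout-service version 1.1 dev"),
    ("travel/checkout", "ERROR SSL server certificate validation failed for txid=77aa"),
    ("travel/checkout", "ERROR SSL server certificate validation failed for txid=78ab"),
    ("travel/checkout", "ERROR access denied for txid=79ac"),
    ("travel/checkout", "ERROR access denied for txid=80ad"),
    ("pagerduty", "incident 4821 triggered"),
]


def count_by_source_category(logs):
    """Equivalent of '* | count by _sourceCategory': messages per category."""
    return Counter(category for category, _ in logs)


# Tokens made of hex characters that contain at least one digit (ids, counters,
# status codes) and dotted-quad addresses are the parts that vary between
# otherwise identical messages; masking them collapses lines into patterns.
_HEX_OR_NUM = re.compile(r"\b(?:0x)?[0-9a-f]*\d[0-9a-f]*\b", re.IGNORECASE)
_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def signature(message):
    """Crude pattern signature: replace IPs with <ip> and id-like tokens with <n>."""
    masked = _IP.sub("<ip>", message)
    return _HEX_OR_NUM.sub("<n>", masked)


def reduce_patterns(logs, category):
    """LogReduce-style grouping for one category: pattern signature -> count."""
    return Counter(signature(m) for c, m in logs if c == category)


def rarest_patterns(logs, category, limit=3):
    """Flip the count: least frequent signatures first (ties broken by text).
    This is the move that exposed the dev build loaded on production."""
    counts = reduce_patterns(logs, category)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    for category, n in count_by_source_category(SAMPLE_LOGS).most_common():
        print(f"{n:>6}  {category}")
    print("\nrarest patterns in travel/checkout:")
    for sig, n in rarest_patterns(SAMPLE_LOGS, "travel/checkout"):
        print(f"{n:>6}  {sig}")
```

The point of the rarest-first sort is the same as in the demo: the 7,000 or 8,000 "starting cart checkout process" lines tell you the service is busy, but the single startup line that announces a dev version is the one that explains the errors, and it is invisible while you sort by most common.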
let's go ahead and jump back into the
PowerPoint sorry I keep doing that
here it is and so now how can I anima
analyze my data so now you've you've
gone ahead you've you found the source
category you want to go ahead and start
to go ahead and analyze that data so how
do you do so so variety of different
ways to do so in the system I'm going to
show you a couple right now so I'm gonna
go ahead and jump back into actually
I'll show you a couple slides and then
we'll do in app so one way is you can
simply see what other people have done
within the environment so you can look
for a shared content so basically I can
go ahead and see has anybody else looked
at the set of data have they created
queries or dashboards that might be
valuable to me and to do so I'm gonna go
ahead and jump back into the app here
and so I'm gonna go ahead and I'm gonna
go ahead and take a look at shared
content so up here on top of the screen
we actually have a couple different ways
to look at shared content on the
left-hand side of the screen I'm gonna
have four different options and let me
go through these now because might as
well is a good point the first is I can
see some recent things that have been
shared with me recent things I've done
very similar if you've used most
products through a recent now but
basically it's gonna be the the things
that you've done you know recently kind
of a quick way to get to access to those
that's a good way to see things that
you've done recently another's to look
at your favorites so you've created a
query baby previously and you saved it
and you want to mark it as a favorite
and you can go ahead and do it so in
sumo logic so similar to the way you
would in the browser it's like a
bookmark essentially you have a personal
folder so here you can go ahead and view
all those different queries that you've
saved out both queries dashboards really
anything within Summa logic that you've
saved out and so here I've gone ahead
and I've created some Apache queries
before and some Microsoft Office 365
these are things I've done previously
but I want to in this case I want to see
what other people have done because I
want to take advantage of that so I can
go ahead and click on this icon here
which is gonna represent the library and
now I'm able to see all the other things
that other users have done now in this
case there's a lot of Apache folders
because I'm on a training site and we've
had other students use this site so but
that's perfectly fine so let's say I
want to go ahead and look at one of
these and I want to see what this what
information is in here if I go ahead and
click on Apache
I'm gonna go ahead and see that there's
all these different queries the orange
represents queries and I'm gonna see the
green that represents dashboards and
there's all these different dashboards
and now I can go ahead and look at these
so let's say I see this Apache overview
well that sounds kind of interesting
what is it though let me go in and click
on it
and now what I get is an overview of in
this case visitor locations so in this
case I have a map that's been created
for me and I'm able to view the visitor
locations regionally and so that's kind
of cool one of the cool things about
these maps will look at the maps in a
little a little bit later but I can zoom
in these so let's say right now I'm able
to say you know there's been a lot of
traffic or visitor locations in the
Northeast let me go ahead and look more
specifically where those are and I can
actually drill into the map here and I
can see more specifically you know
Pittsburgh area has this many and
Washington has this many and so that's
kind of cool
and so you know maybe this is something
that i want to take advantage of
somebody did this hard work to go ahead
and create this map and maybe i want to
go ahead and modify it and what i can do
is i can click on this icon here that's
just showing search and what i'm just
going to do is going to bring that query
into the search window and it's going to
allow me to customize it
now this query language up here is going
to be maybe a little bit foreign to you
so this is certainly level one so these
are the query language itself we would
cover in level two but this is a good
point where you can go ahead and see hey
this is what somebody else did this is
how they set it up and you can start to
use this on your own so maybe you want
to start to change some of this
information so rather than looking only
at it say you know country name of the
united states you want to look at i
don't know let's see if there's any data
for actually i don't think there is any
but so you could go ahead and start to
modify in here different information so
let's go ahead and show another way
through that see take advantage of some
methods to look at your data rather than
just a straight query and let me go
ahead and jump back to the slide to show
what i want to here we go in the slide
so the other option is to use our app
catalog and so what is the app catalog
and as it says up here if you want to
read it the apps are designed to
accelerate your time in Sumo Logic and
what they are is essentially
pre-configured searches and dashboards
for the most common use cases so the way
the apps are
work is and let me go ahead and jump
into the app catalog right there here we
go and so the way this is gonna work is
one of the cool things or as cool as
logs can be is that they're consistent
in the way they're designed so a Apache
access log is always going to be in the
same format regardless if it's if you're
using it or organization and another
organization using it they're always
going to be in the same format we'll
look at the formats in a little bit but
so example for example it's always has
the IP address
it always has a timestamp following etc
etc and since that we know that that's
going to take place we know that the
formatting is always going to be the
same we can take advantage of that and
as a result you can take advantage of
that so let's say I want to go ahead and
start to look at these predefined
example searches and dashboards so I'm
going to go ahead and click on Apache
and I see all the different types of in
this case the orange once again is the
queries and the green are the dashboards
and I see all these different types of
pieces of information that are available
to me and so I can go ahead and look at
some examples so let's say I want to go
ahead and look at the Apache overview I
can actually preview the dashboard up
here and I see this overview and once
again it's another map but I see you
know hey this is kind of interesting oh
this visitor access types yeah yeah will
be helpful to see visitor platforms and
so now I want to go ahead and take
advantage of these queries in order to
set it up it's gonna be really simple
and it could be really complicated
because I could go through the query and
and as you saw with that query language
I could go ahead and write that query
but that's pretty advanced so what I can
do to streamline the process as I click
Add to library and all I'm gonna need to
do is identify where my data is so I'm
going to tell it hey look in labs Apache
access because that's where my lab data
is and I'm gonna want it to reference
that environment the other thing I do is
just need to give it a name as you can
see from all that there were a lot of
Apache so I'm gonna go ahead and just
give it a name that's hopefully unique
so I don't think there's a triple-a
Apache yet and I'm gonna click at the
library it's gonna take a moment to run
and once it's done it's going to allow
me to then go ahead and look at those
dashboards and
in the with the set of data that I just
referenced so here we see I'm now
looking at Triple A Apache I also have
it available to me if I look in my
library so are in my personal library so
there it is a couple different ways to
look at it and now I can go ahead and
look at one of these so maybe let's say
I want to look at this time I look at
visitor access types when I click on it
it's going to go ahead and take the
query and essentially just overlay my
sets of data in there so now it's
looking specifically at lab Apache
access and it's showing my visitor
platforms and so this is a way that I
can go ahead and start taking advantage
of Sumo Logic without doing any of
the heavy lifting that it comes with the
query and so we certainly encourage you
to take advantage of those app catalog
items rather than building it yourself as you saw it
was you know pretty easy to set up so
would recommend doing so let's go ahead
and jump back into the slide deck sorry
I keep doing that there we go and let's
go ahead and this portion so if you were
doing the tutorial at this point you
would go ahead and do some of these
steps as far as actually installing a
sumo logic app on your own logging and
certainly searching for existing content
and so as I mentioned at the beginning
of the call I would certainly encourage
you to go ahead and do this hand these
hands-on exercises on your own
I think it'll certainly be beneficial
but I'm gonna skip this portion just
kind of for the essence of time and we
you just saw let me go through all those
steps so we kind of did that demo
together so now let's go ahead and get
into the data analytics side of things
regarding queries so taking kind of a
step back in our scenario you now have
all this data loaded into sumo logic you
saw what data is relevant to you or in
this case we're going to be looking at
it once again that Apache information
and now you need to go ahead and start
to query on it and so how does the query
work how does it work more particularly
in sumo logic so within the sumo logic
environment you're going to be using
keywords and operators that are going to
be separated by pipes and built on top
of one another so you can go ahead and
envision this model here where you have
a very big funnel
and all your data is at the top of the
funnel and ultimately you want to have
the good stuff for the goodness
essentially come out as your results and
so the way it's going to work is you're
going to start to load things into this
funnel and using these different
sections of syntax we're going to start
to go ahead and essentially filter out
the things that are needed so you're
gonna start with let's go ahead and look
at a query right here so this is a
sample query and so we're gonna start
with the metadata and keywords and so
for example and I'll start to do this in
a real example and actually probably in
a moment here but basically what you're
doing is you're starting to identify
this is the set of data I want to look
at and I want to look at a specific
keyword once you have that set of
data you're going to want to
go ahead and start to parse data out and
with parsing what you're going to do is
extract meaningful fields to provide
structure to your data so essentially
going to start to label some of those
fields of data next you're gonna go
ahead and filter some of the data out
and here's an example of parsing when
we'll look at these in just a minute
you're gonna go ahead and start to
filter results so you now have
information and fields that you've
created now you want to go ahead and
start to filter on those fields with the
aggregation you're going to go ahead and
start to place them into groups let's
see we have an example some of the
mathematical operators you can start to
do count so for example we just did that
count earlier of source categories we
can do averages and things like that and
we'll play with a couple of operators in
a moment and then ultimately you can go
ahead and start to format your results
so now you've you've created a whole
essentially a set of data and now you
want to manipulate it to something
that's a little more friendly so let's
go ahead and jump back into the
application and go through a more
specific example and show you what it
what those those things I just described
really look like so let's go ahead and
jump back in here and I'm gonna go to
the Home tab and I'm gonna go to new log
search you can also go to a new log
search over here but I'm gonna be either
way kind of same difference and so now I
have a window that's going to allow me
to start to do a query and so how do i
do my query and let's start with a very
one so up here we have a search window
and what I can do is I can just go ahead
and start to type my query so let's say
I want to go ahead and start to search
for Mozilla I can just very simply type
Mozilla and hit start and here we go and
now I have my results and so what I have
on here a couple of things that are
certainly worth noting on here is first
I have my search window here
this is gonna be search case-insensitive
so that's why even though I entered a
lowercase m we see capital Ms down here
and we actually see since we're looking
for keyword in our results sets we
actually see the keyword highlighted so
that's going to be helpful you'll also
have a time window our time selector up
here and so what's going to happen by
default is I'm going to be able to
search for the last 15 minutes of data
and so these would be the messages from
last 15 minutes but maybe I want to
change that and certainly you would many
times you will want to change the time
and so to do so you're gonna go ahead
and click on the time here and you're
gonna have some predefined time
categories so maybe I want to look at
the last 60 minutes or I want to look at
data from the last three hours etc etc I
can go ahead and choose those time
options
another time option I have is I can go
to custom and I can use this kind of
calendaring feature to say all right I
specifically want to look for logs from
July 2nd to July 10th and from 3 a.m. on
the 2nd to you know 5 a.m. and you can
get very specific with your time in the
custom so that's a second way to set up
or config your time and of course
there's gonna be a third way because we
want to give you many options and you
can kind of see the syntax for it up
here so when I chose last three hours
when I click on it I have this time
syntax of minus 3h and so what I can do
is I can use that to customize my time
and so I can more specifically say let's
say I want to look at the last 5 hours
of time I can just go ahead and do minus
5 H maybe I want to do the last 24
minutes of time I can just simply do
minus 24 M maybe I want to go ahead and
do the last 24 minutes to the last 12
minutes I can go ahead and specify and
you can
you see it right here in this case it
would look only from 9:22 to 9:35 so I
could really have a couple different
options of how I'm gonna choose my time
the other thing to be aware of in here
with time and I'm going to set it back
last 15 minutes is you have this option
of using receipt time and I just moused
over it and I think you should be able
to see what it says there but basically
it's going to allow you to search for
the message is when they were received
in the system not from the dates parsed
from by them and so the way that works I
don't want to get too bogged down in
that but I do want to you guys to
understand how that works
is looking at in these log messages here
is when the records were essentially
created or excuse me when the dates were
parsed from them so we see here that
this data was from you know just a few
minutes ago and it pulls up in here what
we put the scenario that could occur
however is let's say you go ahead and
this morning you've loaded data from the
last six months in you could go ahead
and use your search for last six months
or you could go ahead and use your
receipt time and say I'm going to look
for that data and since it just got
loaded you could use look at it when it
got loaded rather than using the dates
that were in the message itself so just
a couple different options there and
typically you would use the use the
default here and not use receipt time
but just want to make sure you're aware
of that feature let's see other things
on here there's a this is a busy screen
but in a good way because you're gonna
be spending a lot of time in it let me
go ahead and just so up here we have
some options as far as saving so we have
the favorite icon which I mentioned
earlier which you guys are I'm sure all
familiar with how to use you have the
save as so let's say you have created
this query and I want to go ahead and
save it for future use I can click Save
As and I can go ahead and give it a name
and it will show up and be saved in my
personal section so that's really an
option as well
and then there's a couple other options
in here you have the ability to go ahead
and share this query out so you've
created this query you want to go ahead
and give it to somebody else certainly
you can go ahead and direct them through
the library if you've shared it out in
that method but the other option is you
can go ahead and just give them a code
that they can use or URL so they can go
ahead and take this URL paste it into
the browser and they're going to go
ahead and get the query that you created
an even cooler option is using this code
here so I can just go ahead and copy
this code click done and now if I open a
new browser or a new search window
rather I can paste that code in and it's
going to bring in the query exactly this
I had it and that's a really cool way to
go ahead and share the queries via let's
say if you are collaborating with
someone via slack for example rather
than taking your query and cutting in
and pasting it or even giving a URL you
can just say hey look at this code
number you know 1 2 3 or whatever the
code is and then they would easily be
brought into that query and they would
essentially be looking at the same thing
that you had created which is really
useful let's see a couple of other
options here you can go ahead and pin
this search which is going to
allow the search to continue to run even
if you step away from the or log out
of your system and then live tail and
we'll look at live tail in a moment so
I'll kind of leave that on the back
burner other pieces of information on
this screen there so there's a lot going
on so I want to make sure that we're
aware but I'm just going to redo my
search here just to clean this up for a
second in the middle here we have a
histogram which is showing distribution
of messages across the time frame that
we've selected so we selected a
15-minute window and as a result we're
seeing essentially time slices by 1
minute so we see the count of messages
so during for this query Mozilla for
last 15 minutes there was a total of
about 83 thousand results but we see
here from 9:43 that window so 9:43 to 9:44
there were 5,000 messages next window
almost 6000 etc so that's a good way to
see at a glance kind of graphing
information about the distribution of
those messages and then down here we
have our results which is certainly
going to be important we're going to
have our
timestamp so this is going to go ahead and
indicate when that message is from and
then we're gonna have the message itself
and as I described a moment ago the key
words will be highlighted in there so
now we've gone ahead and we've done a
very basic query and we actually have
some more that we can go ahead and do so
let's go ahead and expand this query out
and actually make it a little more
useful so what I want to look at now is
rather than just looking at Mozilla
across the entire index in the entire
body of data I'm more specifically want
to look at our Apache data so I'm gonna
go ahead and I'm gonna I'm actually just
going through a new line just to kind of
so you can see the search ahead so I'm
gonna go ahead and define my source
category and before I even type it's
gonna go ahead and start to do a search
ahead so here I have a source category
so I can just click on that and then I
can go ahead and specify my more
specifically the source category I want
to use and the search ahead will work
there so I'm gonna use labs Apache
access and I'm gonna go ahead as well
and still search for Mozilla and I'm gonna
type Mozilla and I'm gonna hit start and
a couple things are happening here so
now we're specifically looking for lab
Apache access data that has the string
of Mozilla in it the other thing to keep
in mind up here is there's going to be
an implied AND statement so this and
this are the same thing and so just to
keep in mind if you want to leave out
the AND you can so of course up to you
and you know how you decide to kind of
code your query but just want you to
recognize there is an implied AND and
with the implied AND so it's looking for
lab Apache access and those logs that
have the keyword or the string of
Mozilla and so that's a very you know a
very basic query but I want to go ahead
and start to make this more advanced and
so let's go ahead and do so so what I
want to do now in this scenario is we're
gonna take the set of data and I want to
look for what are called status codes
I'm some of you were probably familiar
with status code some of you may not a
status code is basically when you go to
a website on the back end essentially
it's going to be a
an indication of the results of that
experience because it could say so if
you go to a site successfully you get
status code 200 I'm sure many of you
have seen status code 404s where
you go to a page and the file or the
page cannot be found and so we're gonna
play with those those status codes right
now and so what I want to do with this
this right here is I want to go ahead
and start to parse my information out
and by parsing it out basically I have
my log message here and I want to
identify within the system where what to
look for in a status code or where to
find any of this information so for
example right here we have an IP address
we have some date information and over
here we have our status code in this
case this one is 304 and so like I said
I want to go ahead and start to look for
all these status codes the 304 or give
me any status code and so what I can do
is I can start to create a parsing
expression that's going to allow me to
do that and so I actually have two
different ways actually many more about
three different ways I can go ahead and
parse these fields out so let me show
you one way to go ahead and do it and
actually for this example I'm gonna
actually parse out the IP address so
that's that will just be I think a
better illustration so I'm gonna go
ahead and just steal some code that I
was playing with earlier and then bring
it in here and I'll explain what exactly
I'm doing with this code so let me just
go ahead and there I go cool so what I
want to do now is I want to go ahead and
I want to look at my IP addresses so I
will take a break for these status codes
for just a second but I want to go ahead
and look for IP addresses and so I see
in these messages I see an IP address
and I see an IP address there and I'm
only looking at this IP address the host
IP address we're gonna ignore that's
referring more to the collector or the
metadata for the host that I'm not
really interested in right now in this
case I just want to see the IP address
that's associated with each message and
so how do I go ahead and use those and
more Express specifically how do I go
ahead and start to be able to take
advantage of those fields and start to
report on them so the first way that you
can go ahead and do so is you can use
regex
and I don't know if you guys are
familiar with regex I'm sure some of you
are and are dreading hearing the
word regex regex what it's going to
allow you to do and this is regex is a
global standard it's not a sumo logic
specific thing what it allows you to do
is essentially create some pattern
matching and so let me show you an
example of a regex statement and here we
have one right here so what we're doing
with this regex
is we're going ahead and identifying the
field and basically what we're telling
it to do is look for a digit that has
between 1 and 3 digits in it look for a
dot look for one two three digits look
for dot etc etc and so that would match
an IP address so an IP address is going
to be made up of essentially number dot
number dot number dot number and so
we're telling it to go ahead and look
for that pattern and I'm gonna go ahead
and hit enter and I'll show you
you know what's gonna occur and so when
I run this I now have my IP address
displayed here and I can start to use
these IP addresses and so I could go
ahead and for example let's say I wanted
to do a count of by IP addresses I can
go ahead and do so and so now what I did
is I first I'd use the the second line
here to go ahead essentially identify
our tell the system what an IP address
looks like or what to look for in the
pattern recognition and call that field
IP address which that's what this part
is doing is saying when you find this
pattern call that an IP address and then
once I have my IP addresses as displayed
down here then I can go ahead and start
to do some further querying on them so
that's one way to go ahead and start to
do your parsing particularly of parsing
via regex but as I mentioned regex
is very finicky it's very specific and
it's well it's a good standard it's not
the easiest way to do your query and we
want to make this easy for you guys so I
want to show you a couple alternatives
on how to go ahead and parse your data
out so what I'm going to do is I'm gonna
go ahead and I just clean up my screen
here I'm gonna go ahead and comment
these two lines out by doing two slashes
on each line what a comment does is
essentially turns off that line so
that line when I run my query again it
will skip those lines in the query and
as you can see here it's basically just
running this first line and so what I
want to do now is I want to show you a
secondary way to do parsing and what
this is using is what we call parse
anchor and the way it works is you're
going to just use the mouse and
essentially start to click on some
sections so let me show you specifically
how it works so I'm gonna go I need to
pull that IP address so what I'm gonna
do is I'm going to take this whole
message and I'm gonna highlight it and
I'm going to click parse the selected
text and now I have my whole message
here and what I'm going to do now is I'm
gonna go ahead and start to identify
those pieces of the message and create
fields from them and use the pattern
recognition to do so as well
so I'm gonna take this first portion of
the message and I'm gonna highlight it
go click to extract this value and I'm
gonna go ahead and call this IP
address I could call it IP I could call
it Network identification I can call
whatever I want but I want to call it
something that makes sense to me and
others if they look at my code so I've
now labeled
this is an IP address and I'm gonna keep
going so I'm gonna go ahead and this
section here now I could go ahead and
specifically say that this is the year
this is the month this is the day this
is the hour etc etc but from for my demo
and usually I don't really care about
that so I'm just gonna take this whole
thing and I'm just gonna call it time I
just kind of lumped it together and I'm
gonna keep going through here and just
give me a second so I'm gonna take this
and I'm gonna call this the referer and
I'm gonna take this guy and I'm gonna
call this the status code and as I
mentioned we'll be using the status code
going forward so I'm gonna call it
status code I can call it with
underscore I can't use a space so this
would not be acceptable but I could use
that or that and then let me just finish
this up I mean it called this the size
so this is the size of the message we're
not really going to use it today but
just so you're aware and then I'm going
to take this part almost here done just
a couple more sections here I'm gonna
call that the URL and then finally I'm
going to take this whole portion here
and I'm going to call it
user-agent what it is is it's an
identification of the browser or the
environment that the visitor is using
when they go to a web site so it's going
to show information about operating
system browser type those type of things
and I'm just gonna lump it together as
call it a user agent and I'm gonna click
Submit and what's gonna happen now is
it's gonna take this pattern recognition
and matching and go ahead and look
through our logs messages for it and
match those patterns together and so
basically it's gonna look for the first
part of the message and it's gonna find
that part and it's gonna call that an IP
address it's gonna look for a space it's
gonna look for a dash it's gonna look
for a space look for a dash look for an
Open bracket and whatever's in that open
bracket it's gonna call time look for a
closed bracket etc so let's go ahead and
start and run this and we'll see what it
really is doing so here we now have
these sections broken out so now I have
my IP address I have my referer and my
size my status you know all these
different fields that we just labeled
and so that's a good way that I can now
start to query on those and so what I
can do for example is now let's say
let's go to status codes because now I
can more easily access them now I can go
ahead and do a count by status code and
since the system knows hey this is a
status code essentially look for it
right here it's gonna go ahead and look
for those status codes and now I'm gonna
be doing a count so now in this case I'm
going ahead and doing some aggregation
doing some mathematics to go ahead and
say you know this is the amount of
status codes that have occurred over the
last 15 minutes so that's the second way
to parse your information out it looks
like we just got a question when parsing
with the mouse and highlighting is every
value create assumed to be a string or
can you assign datatypes a string so
these are strings it's just simply
looking at the message and doing the
very straightforward pattern recognition
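To make the parsing steps just described concrete, here is an added Python example (not code from the webinar or from Sumo Logic): it applies the same 1-to-3-digit IP regex to constructed Apache access log lines, turns a parse-anchor style template of * wildcards into a regex the way the point-and-click parser does, and counts the results by status code. The sample lines, the template and the field names are my own.

```python
import re
from collections import Counter

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOGS = [
    '10.1.2.3 - - [10/Jul/2018:09:52:10 -0700] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/61.0"',
    '10.1.2.3 - - [10/Jul/2018:09:52:11 -0700] "GET /logo.png HTTP/1.1" 304 0 "http://example.test/index.html" "Mozilla/5.0 (Windows NT 10.0) Firefox/61.0"',
    '192.168.7.9 - - [10/Jul/2018:09:53:02 -0700] "GET /missing HTTP/1.1" 404 231 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '192.168.7.9 - - [10/Jul/2018:09:53:05 -0700] "POST /login HTTP/1.1" 403 118 "-" "curl/7.61.0"',
]


# Step 1: keyword search. The keyword match is case-insensitive, so "mozilla" hits "Mozilla".
def keyword_filter(lines, keyword):
    needle = keyword.lower()
    return [line for line in lines if needle in line.lower()]


# Step 2a: parse regex. Same pattern as in the webinar: 1-3 digits, dot, four times,
# captured into a named field. Deliberately loose; it does not validate octet ranges.
IP_REGEX = re.compile(r"(?P<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")


def parse_regex_ip(line):
    match = IP_REGEX.search(line)
    return match.group("ip_address") if match else None


# Step 2b: parse anchor. The point-and-click parser turns each highlighted span into a "*"
# wildcard separated by the literal text around it. This helper does the same translation
# into a regex: literals are escaped, wildcards become non-greedy named groups.
def build_anchor_regex(template, field_names):
    literals = template.split("*")
    if len(literals) - 1 != len(field_names):
        raise ValueError("template has %d wildcards but %d field names were given"
                         % (len(literals) - 1, len(field_names)))
    pattern = re.escape(literals[0])
    for name, literal in zip(field_names, literals[1:]):
        pattern += "(?P<%s>.*?)" % name + re.escape(literal)
    return re.compile("^" + pattern + "$")


# The template mirrors the spans extracted in the webinar: ip, time, request line, status,
# size, referer, user agent. Field names are my own choice (no spaces, underscores allowed).
APACHE_TEMPLATE = '* - - [*] "*" * * "*" "*"'
APACHE_FIELDS = ["ip_address", "time", "url", "status_code", "size", "referer", "user_agent"]
APACHE_ANCHOR = build_anchor_regex(APACHE_TEMPLATE, APACHE_FIELDS)


def parse_anchor(line, anchor=APACHE_ANCHOR):
    match = anchor.match(line)
    # Every extracted value is a plain string, as the Q&A answer noted; no type is assigned.
    return match.groupdict() if match else None


def parse_all(lines):
    records = []
    for line in lines:
        record = parse_anchor(line)
        if record is not None:
            records.append(record)
    return records


# Step 3: aggregation, the equivalent of "count by status_code".
def count_by(records, field):
    return Counter(record[field] for record in records)


if __name__ == "__main__":
    hits = keyword_filter(SAMPLE_LOGS, "mozilla")
    for record in parse_all(hits):
        print(record["ip_address"], record["status_code"], record["url"])
    print(count_by(parse_all(SAMPLE_LOGS), "status_code"))
```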
so I want to show another way that we
can go ahead and I essentially pull out
these fields let me go ahead and clean
this up again and kind of reset myself
I'm gonna go ahead and remove the
parsing let me remove the count because
I don't
this so I'm just gonna turn off those
lines I might use them later so that's
why I'm gonna keep them and let me start
this and now we're just back to where we
were back to square one so let's say now
I want to go ahead and start to use
those status codes you'll notice or now
you'll notice that I pointed out on the
left side of the screen we have a
variety of different fields that we were
just actually using so we have IP
address we have status code and I can go
ahead and use these and so if I want to
go ahead and do a count by status code I
can go ahead and only do count by status
code and when I run it the system is
gonna know where status code is and how
to how to essentially utilize it now how
does the system know how what the status
code is how did they create these fields
what what the mechanism to do to create
these fields is what we call field
extraction rules or FERs and the way
the field extraction rules work is
essentially the parsing is done upon
ingestion so in this case we did the
query and in our query we did the
parsing but you can actually have it set
up so that when the data gets ingested
into sumo logic these fields are
automatically applied and the reason it
works so well is since an Apache access
message for example Apache access but
these would work with any types of
content or log messages since an Apache
log message is the same we can recognize
hey it's always going to be in this
pattern always look for that first space
or that first piece of content that's
going to be an IP address then look for
a space look for another space so it's
essentially doing the parsing upon
ingestion which is going to be a really
great way to go ahead and simplify this
process so that you don't have to go
ahead and do this parsing that we did up
here either via regex
or via this parsing mechanism so these
field extraction rules would be set up
previously I'm going to show you where
they are in the environment I don't want
you to get too bogged down with it but I
do just want to give the visual so if I
go ahead into my settings and these are
things we would cover more in session
2 and session 3 but just while we're
here I think it's worth showing so
basically the way these rules work and
there's a lot of them because we do a
lot of testing with this account but
basically what it's doing is it's it's
looking at and actually let's so what
it's doing is it's saying hey I want
Apache access rule I want to go ahead
and say all this data so anything that
comes in with in this case anything
Apache access is going to have this
parse expression applied to it and this
is the pattern recognition that we're
just discussing so here we see source IP
it's going to look for essentially
number dot number dot number dot number
and that will be the way that hey call
that and a source IP then look for you
know something else call that a method
look for something else call that a URL
and so on and so forth and so those are
going to be really helpful that we would
encourage you to set up upon ingestion
to make both your life and your users
lives much easier but let's go back into
the query and continue further so um so
let's see where are we gonna let's go
back let's run this and so what we're
looking at right now is we're
essentially looking at our Apache access
information and we're still looking at
the string of mozilla and we're looking
at a count by status code and when we
run it since we're doing a count which
is essentially mathematics at this point
we get a new tab called aggregates and
that's shown here so we have our
messages tab that is going to show the
raw messages as well as the fields that
were parsing and then we're gonna have
our aggregates tab that will show that
mathematics in this case we were doing
count by status code so we see our
status codes and we see a count and once
again the count is representing all the
different messages that occurred that
matched this pattern over the last 15
minutes but let's go deeper now so we
now have our status codes now let's
start to play around with them and then
start to garner some information from
them so as I just mentioned I'm looking
at these status codes by essentially a
15-minute grouping but let's say I want
to look at trends over time so I want to
look at the status codes in 1 minute
increments similar to the way that
they're shown up here but I want to
actually look at the specific status
codes so what I can do is I can go ahead
and just add a new line up here and I'm
gonna add a line it's called time slice
and as I type it the search ahead is
gonna work for me and it's also gonna
tell me what it does so it says time
slice segment data by time periods are
bucketed over time range yep that's what
I want so I'm in time slice and I'm
gonna do it by 1 minutes long chunk
and I'm gonna hit enter and now what I'm
gonna get oh I need to have one more
line here so now I need to tell it hey
do account by those time slices or by
those 1 minute segments and show the
status code so now when I run it I'm
gonna have these time slices so here we
have these so here at 9:59 so
essentially the minute of 959 959 59 we
see that there were 612 3 or 4 status
codes and at 10:03 there were 36 4 or 3
codes and so on and so forth and so you
know, this is good; the results are there, but they're not in chronological order, which visually, you know, makes it a little tricky to look at. So let me go ahead and put them in order. And so what I want to do is I want to order these time slices in ascending order, so in my query I'm going to do order by timeslice asc, and I'm just going to run that now. And what that's going to do is it's going to do, you know, what it sounds like; it's going to put those time slices in order. So now I see all the 9:52s, so I see 9:52s, 9:53s, 9:54s, and so this is, you know, it's better; it's starting to get some information, you know, a little better visually, but it's not there; it's not the way I want it to be. And so what I'd like to see is a little list of the time slices down the columns and status codes as my rows, so similar to the way you would do a transposition, or transposing, in Excel. And so that's what I want to do, and let's go ahead and do that. So I'm going to go ahead and add a new line, and I'm going to do transpose, and as I type it: "transpose aggregated results." That's what I want to do, and I'm just going to go ahead and label my rows and columns. So I'm going to say my row: put the timeslice there; and my column: put the status code there. And so now what I get is something more visually pleasing. We're still going to go further with it, but this is better. So now I have my time, so I have my 9:53, and then I see the time slices at the top, so I can pretty easily see at 9:55 there were 3,200, which are the successful connections, and, you know, there were only, or not only, but there were 138 404s. And, you know, this is... I'm able to get some more information from this, but it's not really easy to digest the problem at this point.

So what I have, I can take advantage of this; I can take a look at some of the other charting options that are built into Sumo Logic. So up here we've been looking at the one... we wrote our aggregates, we've been looking at this view, which is kind of a table view, but let's say I want to look at... I want to convert this into a graph. Maybe I want to do a bar chart: here's my information on a bar chart. Maybe I want to do a column chart: okay, that's, you know, that's kind of cool, not really what I want though. This line chart I like though; you know, this is showing me the status codes and, you know, graphing them over time. So, you know, okay, I'm going to stick with this one, but, you know, this is a little tricky, this view, because I see my 200s, I see my 304s, and then down here, I mean, I see those other status codes, but they're kind of lumped together, they're kind of hidden. And so what I want to do is I want to clean this chart up a little bit and I want to really look at this set of information, not these first two. And so I have two different ways I can do this. The first is I can actually do it within the graph, so if I say, all right, I don't want to see 200s, just go over to 200 over here with the legend, click 200, and it's been turned off. Same thing with 304: 304, there it is, turned off. And now I get my scale, or it has been
adjusted, and now, you know, once again, kind of visually it's more pleasing and makes sense as to what's going on. So that's one way I could go ahead and essentially alter that set of data. The other, though, is let's say I want to do it within my query; I want to go ahead and leave out the 200s and the 304s. I can go ahead and actually just add a line in my query, so what I'm going to do is add a new line right here and I'm going to do a where statement. So I'm going to do where... look, where status code is equal to 200 or status code is equal to 304, and since I want to essentially remove those, I'm going to go ahead and put an exclamation point. And so what I'm doing here is I'm saying pull the labs Apache access data with the string, or the... well, the string in this case of Mozilla, and look for status code 200, 304, or rather not; so basically exclude these. Excuse me. So now if I run this query I don't have my 200 or 304 in here, and if I look at my raw messages I'm not going to go ahead and see a 200 or a 304 in here.

But let's say I do want to see... let me go ahead and reset this one more time, because I do want to show one more feature; actually I'll show a bunch more. So let me go ahead and... let's remove this one for right now. I did want to show in the field browser over here one thing that's really cool, and we'll use the status codes as an example. So I have my query right here; in this case we're back to just looking essentially just for labs Apache access and Mozilla, that's the data; we're formatting it down here, but really we're just looking for those here. So let's say, and this will work with my field extraction rules, let's say I want to go ahead and look at the status code and get a feel for how many status codes are occurring and, you know, break it down. I can go ahead and click on this status code... actually I need to get rid of these, because, sorry, these are affecting my results. Let me go ahead and start from scratch there. Actually, I can just go and delete all this since we're not using it. So I'm back to my original query right now, and so we were looking at status codes. What I can do is I can go ahead and click on status code here and it's going to show me, for this 15-minute time window, it's going to show me all the values; up to, I believe, only ten will show up in here, so if there were more it would be limited; but it's going to show me the values, it's going to show me the number, or the count, of those status codes. So this is how many status codes exist during this 15-minute time window, and the other thing it's going to show me is the percentage. So here I can see just easily, you know, 73% of the status codes were 200 and fifteen percent or more were 304. The other thing I can do here, because there's a bunch of things I can do here, is I can actually take one of these and put them into my query. So let's say I want to go ahead and continue my query but I only want to look at 200s. I could go ahead and do where status code equals 200; I'm not going to do it, just to save myself typing for a second. Or I can go ahead and just click on status code, click on 200, and it's automatically going to bring that into my query. And so now I'm looking at the status codes for 200; I didn't have to type in my query that I want to look for status code 200. And the other thing, since I'm taking advantage of the field extraction rules, is I didn't even have to do parsing to identify what a status code is. And so I'm able to take advantage of this smart logic that's going on with the system, and take advantage of that, so that's kind of cool.
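The status-code pipeline the presenter builds up above, as an added example that is not part of the webinar or Sumo Logic's code: a Python emulation of keyword filter, field extraction, timeslice, count by, order by, where-not and transpose, run over constructed Apache lines. The query in the comment is reconstructed from the demo, and the source category name labs/apache/access is an assumption.

```python
# Added example, not Sumo Logic's own code: a Python emulation of the pipeline
# the presenter builds up (keyword filter -> field extraction -> timeslice 1m
# -> count by -> order by -> where !(...) -> transpose), run over constructed
# Apache access lines so every intermediate result can be inspected offline.
#
# The Sumo Logic query being emulated, reconstructed from the demo; the source
# category name "labs/apache/access" is an assumption:
#
#   _sourceCategory=labs/apache/access mozilla
#   | timeslice 1m
#   | count by _timeslice, status_code
#   | order by _timeslice asc
#   | where !(status_code = "200" or status_code = "304")
#   | transpose row _timeslice column status_code
#
# (status_code and src_ip come from the field extraction rule shown in the
# webinar, so the query itself needs no parse statement.)
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not real traffic); the last one is a
# non-browser client so the "mozilla" keyword filter has something to drop.
LOG_LINES = [
    '10.0.0.1 - - [10/Jul/2018:09:59:05 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [10/Jul/2018:09:59:17 -0700] "GET /logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [10/Jul/2018:09:59:41 -0700] "GET /admin HTTP/1.1" 404 212 "-" "Mozilla/5.0"',
    '10.0.0.1 - - [10/Jul/2018:10:00:02 -0700] "POST /login HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [10/Jul/2018:10:00:30 -0700] "GET /old-page HTTP/1.1" 404 212 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [10/Jul/2018:10:00:55 -0700] "GET /old-page2 HTTP/1.1" 404 212 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jul/2018:10:01:10 -0700] "GET /private HTTP/1.1" 403 190 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Jul/2018:10:01:12 -0700] "GET / HTTP/1.1" 200 4096 "-" "curl/7.58.0"',
]

# Equivalent of the field extraction rule: "number dot number dot number dot
# number" is the source IP, then the method, URL and three-digit status code.
APACHE_RE = re.compile(
    r'^(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status_code>\d{3}) '
)

def parse_line(line):
    """Extract the fields; returns None for a line the rule does not match."""
    m = APACHE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["_messagetime"] = datetime.strptime(fields.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return fields

def timeslice(dt, minutes=1):
    """Bucket a timestamp into an N-minute slice (like `timeslice 1m`), as HH:MM."""
    epoch = int(dt.timestamp())
    start = epoch - epoch % (minutes * 60)
    return datetime.fromtimestamp(start, dt.tzinfo).strftime("%H:%M")

def count_by_slice_and_status(lines, keyword="mozilla", minutes=1):
    """keyword | timeslice | count by _timeslice, status_code | order by _timeslice asc.
    Returns a sorted list of ((slice, status_code), count)."""
    counts = Counter()
    for line in lines:
        if keyword.lower() not in line.lower():  # full-text keyword match
            continue
        fields = parse_line(line)
        if fields is None:
            continue
        counts[(timeslice(fields["_messagetime"], minutes), fields["status_code"])] += 1
    return sorted(counts.items())

def exclude_statuses(rows, excluded=("200", "304")):
    """where !(status_code = 200 or status_code = 304): drop the dominant codes
    so the rarer ones are no longer lumped together at the bottom of the chart."""
    return [row for row in rows if row[0][1] not in excluded]

def transpose(rows):
    """transpose row _timeslice column status_code -> {slice: {status: count}}."""
    table = defaultdict(dict)
    for (slice_, status), n in rows:
        table[slice_][status] = n
    return dict(table)

def status_breakdown(lines, keyword="mozilla"):
    """What the field browser shows when you click status_code: count and
    percentage of each value over the matching messages."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line) if keyword.lower() in line.lower() else None
        if fields:
            counts[fields["status_code"]] += 1
    total = sum(counts.values())
    return {code: (n, round(100.0 * n / total, 1)) for code, n in counts.items()}

if __name__ == "__main__":
    rows = count_by_slice_and_status(LOG_LINES)
    for (slice_, code), n in rows:
        print(f"{slice_}  {code}  {n}")
    print(transpose(exclude_statuses(rows)))
    print(status_breakdown(LOG_LINES))
```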
Let's go ahead and... let's see, I want to show you in here the ability to export results. So you create a query, in this case we're looking at status code 200, and, you know, that's cool data, and let's say you want to go ahead and export it. You just click on this gear icon; it's going to allow you to export either only the displayed fields or all the fields, but it's going to push it out into a CSV file, and then you can take that CSV file and do whatever you need to do with it: import it to another system, or just analyze that data. So that's going to be an easy way for you to take your data that's available to you and just put it into a different format that might be helpful.

Let's go ahead and look at some different operators now. So we've looked at a couple, but I want to show two in particular. So let me go ahead and jump into our training folder, Training, and I want to go ahead and look at outliers first. So let's have an example here; there it is. And so what I'm looking at right now, it's going to take a second to load; let me go ahead and specify that. So what I'm... before I run this, what I'm going to show you, just so you can kind of see what's going to be popping up on the screen, is I'm going to take our set of labs Apache access data, we're going to look at the status code 200, and what we're going to do is we're going to use the outlier command. We actually saw this earlier with the Gateway latency, but essentially what we're going to do is we're going to create thresholds, and then we're going to be able to be notified when those 200s, in this case, exceed that threshold. So let's go ahead and just run this and see what kind of data we get back. So when I run it I get it still in my tabular view, and so I get my data back. And so here, and well, I'll show you this in a better view in a second, but just to show you kind of the raw content, not to get too bogged down on it, but basically it's doing some mathematics. And so it's looking at 9:17; there were almost 4,200 status codes, and so it's starting to set an upper and a lower threshold limit. And so it's saying, basically, using, you know, all this information, it was expecting between about four thousand and two thousand, and that fits in there, so that's, you know, that's good. And so let's go ahead and look at this in a different way. So what I'm going to do is I'm actually going to flip this into the line chart, and now this will be much more visually pleasing. So what I see here is I have my dark blue line, which is representing essentially the amount of messages that match the query. So for example at 9:30 we see that there were 3,100 status codes of 200, and there was, based on this outlier information up here, there was a threshold that was established between about 2,400 and 3,500, and so since that number is within that threshold, it's within the threshold, the threshold being represented by a light blue line. But if we look over here, we see that based on the mathematics the threshold was expected to be between 2,500 and 3,600, but there were only... just a little bit... there were only 2,494 in the count for those status codes, and that falls outside of our norm, or outside of our threshold that we're expecting. And so we were able to see those types of outlier events. Let me show it to you in a better way, because I... the 200, I think, is useful;
this would show successful connections, but let's say you want to see all the unsuccessful connections. So what I'm doing is I'm flipping this around, looking for status code 404s, and now I see two different examples here. So keep in mind those 404s are bad, and so what I see here is, while they're bad, they were within that acceptable range throughout most of this sixty-minute window, but we see two examples of outliers here. The first one we see right here: the system was expecting between about 118 and 169 404 errors and there were only 113, so that's outside the expected norm. Over here we were expecting between 100 and 176 and there were 177, which is outside that norm as well. Now, in my mind, looking at this set of data, the fact that there were fewer 404s, fewer failed connections, than expected is kind of a good thing; I'd say, you know, it's a good problem to have. And so I don't really want to see when it's underneath; I only want to see when it's exceeding what is expected. So using the outlier I can just change this option here, which is direction, so rather than looking above and below the threshold I just want to look when it's above the threshold. And so now when I run this I should lose that left pink triangle, and I only have the one where it exceeds. And so that's how I can go ahead and start to use the outlier to help establish an acceptable range. The documentation will give you more detail as far as what these do; I don't really want to get too bogged down. What it's doing is saying, you know, how many standard deviations do you want to do, and how many trailing points; you know, those are the nitty-gritty details, which would of course be relevant if you were setting this up, but for now I just want to illustrate that view.

The other example I want to show right now is plotting requests on a map. So let me go ahead and pull this guy up, and so what I'm doing here... let me alter that too. So what I'm doing here is I'm using parsing to go ahead and pull out these IP addresses. So in each of my Apache messages I have that IP address that I've referenced, you know, a few times, and I'm essentially pulling it out and calling it client IP. Then what I'm doing is, assuming, or as long as, the IP address is public, you can use a geo lookup up here to go ahead and... we would actually do it for you, to determine the latitude and longitude of that IP address, and you can actually look up some other additional information, so you can see the city of that IP address, the state, the country, and the country code as well. And so what I want to do is, let's say I want to go ahead and see a count of where my people are, or where my traffic is coming from. So if I look at the aggregate, I see essentially that mathematics, or a summation of that information, and I do see it here; you know, I see that there were 7,000 people, or connections, that came from latitude 37, longitude -122. Now if I were really good at geography I would know that this is wherever in the world, but I'm not, so I want to have this information displayed in something that's a little more friendly to me. So I'm going to take advantage of these mapping options we have here, or the graphing options, and one of them is a map option, and I just simply click on the map, and now I get a map overlaid with those connections. And so now I can see that, you know, whatever, that there are almost 20,000 connections in the northeast of the US and about 2,000 in Europe over here, and, you know, so on and so forth.
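The outlier thresholds described a little earlier (an expected band built from trailing points and standard deviations, with a direction option), as an added example that is not part of the webinar or Sumo Logic's code. The per-minute counts are constructed, and the query in the comment is reconstructed from the demo with parameter names as I recall them from the documentation the presenter refers to.

```python
# Added example, not Sumo Logic's own code: a Python version of the threshold
# logic the presenter describes for the outlier operator, so you can see how
# the "expected band" is built from trailing points and standard deviations and
# how the direction option changes which points get flagged. Input is a
# constructed per-minute count of 200 responses (not real traffic).
#
# Sumo query being emulated, reconstructed from the demo; the parameter names
# are as I remember the docs, which the presenter defers to:
#
#   _sourceCategory=labs/apache/access status_code=200
#   | timeslice 1m
#   | count by _timeslice
#   | outlier _count window=5, threshold=3, consecutive=1, direction=+-
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional

# Constructed per-minute counts: index 5 is a dip (2494) like the one in the
# demo, index 8 is a spike.
SERIES = [3000, 3100, 3050, 3150, 3100, 2494, 3080, 3120, 3900, 3090]

@dataclass
class OutlierPoint:
    index: int
    value: float
    lower: Optional[float]   # expected band; None until `window` points exist
    upper: Optional[float]
    violation: int           # -1 below the band, +1 above it, 0 inside
    anomaly: bool            # True once `consecutive` violations in a row

def outlier(series, window=5, threshold=3.0, direction="+-", consecutive=1):
    """Flag points outside mean +/- threshold*stddev of the `window` trailing
    points. direction "+" flags only spikes, "-" only dips, "+-" both."""
    if window < 2 or consecutive < 1 or direction not in ("+", "-", "+-"):
        raise ValueError("bad outlier parameters")
    points: List[OutlierPoint] = []
    run = 0  # length of the current run of consecutive violations
    for i, value in enumerate(series):
        if i < window:  # not enough history yet, so no band and no verdict
            points.append(OutlierPoint(i, value, None, None, 0, False))
            continue
        trailing = series[i - window:i]
        mu, sigma = mean(trailing), pstdev(trailing)
        lower, upper = mu - threshold * sigma, mu + threshold * sigma
        violation = 0
        if "+" in direction and value > upper:
            violation = 1
        elif "-" in direction and value < lower:
            violation = -1
        run = run + 1 if violation else 0
        points.append(OutlierPoint(i, value, lower, upper, violation, run >= consecutive))
    return points

def anomalies(series, **params):
    """Indexes that would get the pink triangle on the chart."""
    return [p.index for p in outlier(series, **params) if p.anomaly]

if __name__ == "__main__":
    for p in outlier(SERIES):
        band = "" if p.lower is None else f"expected {p.lower:8.1f} .. {p.upper:8.1f}"
        print(f"{p.index:2d} {p.value:6d} {band} {'ANOMALY' if p.anomaly else ''}")
    print("both directions:", anomalies(SERIES))
    print("above only:     ", anomalies(SERIES, direction="+"))
```

Note how the dip at index 5 widens the band for the following minutes, which is why the spike has to be large to be flagged: the trailing window includes the anomaly itself.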
And so this is a cool way that I can go ahead and take that set of data, manipulate it into something that makes sense, and view that information on a map and actually plot it. And I'll show you in a few moments how we can go ahead and take that data and actually share it out with other people as well.

Let's go ahead and look at another scenario. We actually looked at this a little bit earlier, but I want to show it a little more thoroughly, so I'm going to do a new tab just to kind of reset myself, and we're going to look at a new set of data. We're going to look at source category security Snort data, and what Snort data is, besides something that's fun to say, is essentially security data. And so what we see here, we're going to be using the advanced analytics to actually look through this, but just visually, if we take a look, we see different types of classifications of different incidents that occurred. So here we see there was an Attempted Information Leak and a Web Application Attack and Denial of Service; I saw that around there; and a bunch of events. I'm going to expand my time range out just to get some more data, because this will demo a little bit better with a larger set of data. And so we see that there were about 6,000 different events, or reports, or classifications that have occurred over the past hour. And so, you know, as I showed earlier when I was doing the demo, when you get to this point you can certainly scroll through all 243 pages and start to look through this data and start to, you know, try and get a sense of it, but that's not a very good use of anyone's time. So what you can do is you can go ahead and click on LogReduce, and as mentioned earlier that's going to take all the data and distill it down into those common patterns. And so let's let it run; it's just about finished. And so now what we see is, rather than looking at about 200 pages, we see these breakdowns in the commonalities of things that occurred. So we see that there were about 3,000 attempted information leaks over the last 60 minutes, and 624 of some other sort, and we see, you know, a network trojan was detected. Now whether that's good or bad... in my mind it's kind of good that the system caught it, so that's a good thing; but regardless, we see a bunch of different events that have occurred. But let's say we want to go ahead and see how this compares to another time period. If we click on LogCompare, what's going to occur is the data is going to go ahead and... the system, Sumo Logic, is going to look at the data that occurred in the last 60 minutes from now, so from 9:23 to 10:23 Pacific time right now, and also go back 24 hours and see what occurred from 9:23 to 10:23 yesterday. And here we're going to go ahead and get some percentages. So we see here that there was a decrease of two percent of Attempted Information Leak; sounds like it's a good thing, at least it's a decrease. Here we see there was a 21% increase of Successful Administrator Privilege Gain; well, I don't know if that's good or bad, but at least we see that, you know, there was... why was there a lot more
from yesterday; we can start to go ahead and compare there. The other thing we see here is some that were new or gone. So yesterday there was not anything that matched this pattern; sorry, today. However, this one existed yesterday, but today it's gone, so it doesn't actually exist. So it's just a good way that we can go ahead and see at a quick glance, you know, this information was from, you know, this period of time, and then we can go back to another period of time and look for that same window to see what type of numbers we get and see if there's cause for concern or not. So, cool.

So let's go ahead and let's take a little step back. And so let's say... what a message that I've been looking at... our messages that have been ingested into Sumo Logic and then processed, and ultimately I then have access to go ahead and start to look at that data using the queries, which, you know, I think makes sense. Let's say I want to go ahead and start to look at messages in real time. What I can do, similar to a tail -f, is I can go up here, I can go to New Live Tail, and now I can go ahead and type a somewhat basic query, but I can enter a query in here. So I can go ahead and do source category equals labs Apache access, and now when I run this, this is going to look at the logs in real time as they're coming into Sumo Logic, and I'll see these, you know, these events have occurred. Now in this case we're loading demo data, so there's not a ton of data, but you can imagine if you have, you know, hundreds and thousands of records coming in, you know, per minute, this screen could be flying by pretty quickly. You do have the ability to do some basic query on here, so I could go ahead and say I want to look for Mozilla; that will work. What you can't do is, for example, say I want to look for specific... or I'll look for the IP addresses, or do calculations on that; the reason being this is the data that really hasn't been ingested, or is being ingested, in Sumo and hasn't gone through that phase to get those field extraction rules applied. So just keep that in mind: it's real time; it's not really going to be the... I don't think you'll use this very much, but it does give you the ability to monitor live logs in a production environment, which is, you know, certainly a good thing. So I just wanted to point that out.
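The LogCompare step shown above with the Snort data (current hour against the same hour 24 hours earlier, with percent change plus "new" and "gone" patterns), as an added example that is not part of the webinar or Sumo Logic's code. It simplifies by grouping on the Snort [Classification: ...] field rather than Sumo's learned signatures, and the alert lines are constructed.

```python
# Added example, not Sumo Logic's own code: a Python sketch of what LogCompare
# reports for the Snort data in the webinar, comparing the current 60-minute
# window against the same window 24 hours earlier. Simplification: it groups on
# the Snort [Classification: ...] field instead of Sumo's learned signatures.
# The alert lines are constructed (local-range SID 1:1000001:1, RFC 1918
# addresses) and the counts are chosen to reproduce the numbers called out in
# the demo (-2% leaks, +21% privilege gain, one pattern new, one gone).
import re
from collections import Counter
from typing import Dict, List

CLASS_RE = re.compile(r"\[Classification: (?P<classification>[^\]]+)\]")

def make_alerts(classification: str, n: int, day: int) -> List[str]:
    """Build n constructed Snort fast-alert style lines for one classification."""
    return [
        f"07/{day:02d}-09:{i % 60:02d}:00.000000 [**] [1:1000001:1] CONSTRUCTED ALERT [**] "
        f"[Classification: {classification}] [Priority: 2] {{TCP}} "
        f"10.0.0.{i % 250 + 1}:40000 -> 10.0.0.10:80"
        for i in range(n)
    ]

def build_windows():
    """Two constructed windows: (current hour, same hour yesterday)."""
    baseline = (make_alerts("Attempted Information Leak", 100, 9)
                + make_alerts("Web Application Attack", 50, 9)
                + make_alerts("Successful Administrator Privilege Gain", 100, 9)
                + make_alerts("Denial of Service", 5, 9))
    current = (make_alerts("Attempted Information Leak", 98, 10)
               + make_alerts("Web Application Attack", 50, 10)
               + make_alerts("Successful Administrator Privilege Gain", 121, 10)
               + make_alerts("A Network Trojan was detected", 3, 10))
    return current, baseline

def count_by_classification(lines) -> Counter:
    """The LogReduce-style rollup: how many alerts of each classification."""
    counts = Counter()
    for line in lines:
        m = CLASS_RE.search(line)
        if m:  # lines without a classification field are ignored
            counts[m["classification"]] += 1
    return counts

def log_compare(current_lines, baseline_lines) -> Dict[str, dict]:
    """Per classification: baseline count, current count, percent change, and
    whether the pattern is new (absent yesterday) or gone (absent today)."""
    cur = count_by_classification(current_lines)
    base = count_by_classification(baseline_lines)
    report = {}
    for key in sorted(set(cur) | set(base)):
        c, b = cur.get(key, 0), base.get(key, 0)
        if b == 0:
            status, pct = "new", None
        elif c == 0:
            status, pct = "gone", None
        else:
            pct = round((c - b) / b * 100, 1)
            status = "increase" if pct > 0 else "decrease" if pct < 0 else "unchanged"
        report[key] = {"baseline": b, "current": c, "change_pct": pct, "status": status}
    return report

if __name__ == "__main__":
    current, baseline = build_windows()
    for key, row in log_compare(current, baseline).items():
        pct = "" if row["change_pct"] is None else f"{row['change_pct']:+.1f}%"
        print(f"{row['status']:>9}  {pct:>7}  {row['baseline']:>4} -> {row['current']:<4} {key}")
```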
So the last topic I want to go over, which is an important one, is dashboards. Let me go ahead and just close a couple windows here and let's look at the dashboards. So actually let me go back to the slides and let me set the table there. I'm going to skip through some of these. So live tail we just discussed; advanced analytics, we looked at some of these. We didn't actually do predict; the way predict works is similar to outliers: it's taking the events that have occurred and then using predictive analytics to say, you know, this is the amount of, with the 404s for example, this is the amount of 404s to expect. So I'd certainly encourage you to, you know, play with these, and the little labs will help walk you through. Here, LogReduce and LogCompare we discussed already; LogReduce is used to, as we say here, find the needle in the haystack by using the pattern recognition, or identification; LogCompare is going to compare those patterns of today with patterns in the past. Once again, if you were following along, or when you go ahead and do the lab, there will be sections in there where you'll be able to, you know, go through and actually do this on your own.

And so, how can I monitor my data? So dashboards and alerts. So let's go ahead and talk about those. So monitoring dashboards: how do they work, what are they used for? We saw... you certainly saw the examples within the demo I did earlier. So each panel is going to represent a single process from a single search, and so your dashboard is going to be made up of panels. So just from a terminology standpoint, the dashboard is essentially the entire page; the panels are those portions of the dashboard. You'll be able to drill down into the corresponding query or link to another dashboard. So I showed that in the earlier demo where I was looking at the operational dashboard and then I drilled into the services dashboard, and so you do have that ability to keep drilling in. The other thing you can do with those panels of the dashboard, as I showed and I'll probably show an example again, is you can actually look at the query to see what was taking place. It's a good way to go ahead and jump into looking to see kind of the backend of how that panel was created. You do have a live mode, which is going to provide a live stream of data; alternatively you could set it to look at a specific window, so you could say, as it shows here, I want to look at my location of incoming requests for the last 60 minutes. So it just depends on, you know, what's appropriate for what you're trying to view. And you can use the dashboards as templates with filters; I'll try and show an example of that. And so you could go ahead and make it easier for your users to create their queries from a dashboard standpoint, or from a dashboard panel standpoint rather, than doing a query itself, and like I said, I'll show that, because I think it's worth looking at.

So let's go ahead and play around with some of the dashboards. So let me go ahead and just jump back into my screen here, and let's go ahead and see, do I have any of these still open? Okay, so let's say... let's take this one; this is a good one. So I've created this query, and both turned it into a query and took the query and turned it into a map. And so now I have this map and I like it, I'm proud of the work I did, and I want to share it with whoever, you know, upper management, or with a peer, or with a customer, whoever. And so to do so, it's going to be pretty easy. To start off, you're going to click Add to Dashboard. When you do so, you're going to go ahead and define the dashboard, or you can use an existing one. So in this case I'm going to create a new dashboard just for illustrative purposes. So I'm going to call this dashboard, not going to give it a great name, hey, 1 2 3, and I'm going to create a new dashboard, and I'm going to decide where do I want to save this dashboard, in my personal folder. So using the folder structure, in this case I'm just going to save it kind of...
So now the panel has been added to my dashboard, and so now I'm looking at this type of view. So what I can do is I now have the ability to edit this dashboard, and the panel as well. So let's say maybe I want to make it bigger; I can go ahead and do so. I can go up to some of the more actions in here and I can play with some of the toggling, so maybe I want to go ahead and change the theme and put it to a dark theme; I can do that. I can go ahead and add a panel, so maybe I want to add a text panel and call this Location, and then I can give it some information: this panel, or this dashboard, shows good... And so now that would be in here. And so now, once I'm done editing, I can go ahead and start to share this dashboard out. So now I've created this dashboard; it's now saved. Maybe I want to go ahead and give it to an individual: I can go ahead and click on this share icon up here, and I can decide who in the organization I want to share with. So I can say I want to share it with a specific person; maybe I want to share it with Bob or Beth. Or maybe we're more general and I want to send it to somebody that has the role of analyst. We don't really talk about roles today; that's more of a level-3 thing, where you would talk about role-based access controls and setting those up, but basically you can provide these to specific users or specific roles, and you can also say what they can do. So maybe you only want them to be able to view the dashboard; maybe you want them to edit it. You also have the ability to go ahead and share this dashboard out with people outside the organization, and so if you want to, and if your organization has allowed it, you can share this with anybody that may be whitelisted, and there's a whitelist that's available on the administrative side, also more of a level-3 thing. Or you could share with anybody in the world, so you could go ahead and say this dashboard I want to share publicly. Now you may want to go ahead and limit who you define as public, so maybe you do want to go ahead and whitelist and, you know, share with only people that are coming out of an IP address that you know is part of your physical location, or, you know, you have all those kinds of options to choose within there.

The other thing I want to show in here is... go ahead and let me set it up kind of on the fly. So I'm going to go in and edit, and this is... I want to show filters. So I've gone ahead and I've created this dashboard here, so let's go ahead and look at the query just to kind of remember what we're looking at. So in this case we're just looking... we're just parsing out the labs Apache access data; and then we're just pulling the labs Apache access data, excuse me, and then we're parsing out the IP address. So very straightforward. So this is showing all the visitor locations, or all the connections, that have occurred over a period of time, which I believe we had in the last 60 minutes, or the last 15 minutes. But let's say I want to go ahead and make this easier for somebody else to use, and I want to start to look at status codes. So let's say I want to make this... and I really want to just look at the status code for 404s; how am I going to do that? Now I can go back into my query and I could go ahead and say where status code equals 404; that's one option on how to do this. Another option is I can go to my messages, I can go to status code; oh, and the count, so I need to turn off the count before I can do that, just clean that up; and then I can go ahead and grab my status code and say 404, and I could do it that way. So that's two different ways that I can go ahead and say specifically I want to use 404s. But I want to show a third way. So let me go ahead and close this; I'm just going to go back and reset my screen. There we go. So now here's my query. So let me show you the other way that can be done, within the dashboards itself, by setting up filters. What I can do is I can go to the top of the screen here, click on... click on Edit first, click on Filters, and I can apply a filter, and I want to apply the filter for status code. So I'm going to look for the filter of status codes; there it is; and click Add, and then click Done Editing. So now I'm done. So now let's say I want to go ahead and look for 404s.
Type 404, click enter, and this screen is only going to show 404s, and to confirm that, if I go ahead and look in my query, there's the 404. So what I can do with this now is I can share this dashboard with somebody, and even if they don't know the query language, all they need to know is the status code. So they can just say, oh, I want to, you know, look at 200; now that... sorry, that was covering that; they can just simply type 200 and they can see the different types of status codes. There's a... sorry, should have the bracket there; that's why it is displayed. And so this is a way that you can go ahead and set up these dashboards for somebody, and even if they don't know the data, they don't know the query language, they can still go ahead and use the dashboards and gain, or garner, relevant information from them. So that's going to be useful.

One other thing I want to show you, and then we're going to be close to wrapping up. So let me go ahead and show... let's go back here. So this is going to be true for any query; I'm going to grab this query just because we've been using it, but you can do this for any query. So I've shown you Save As, and I certainly want to show this again, because this is going to lead me to something else that's going to be really helpful, and more specifically referring to the alerts that I mentioned; we've mentioned them a few different times. So, you know, we don't want you staring at the dashboard, we don't want you looking at the queries, you know, non-stop, so this is another mechanism to take advantage of Sumo, and that's going to be those alerts. And so let's look at how those alerts are set up, and it's very simple. You're going to go, say that... so you're going to create your query and then you're going to go Save As, and instead of... or in addition, but instead of saving it, you're going to click Schedule this search, and you're going to first decide how frequently do you want this search to run, so how frequently, essentially, do you want your sets of data. So maybe I want to get this set, I want to get an alert every 15 minutes, so choose 15 minutes. Then I'm going to have a bunch of different options here, and I'll go over the alert types first. So how do I want to receive those notifications? Do I want to get an email? And if I were to get an email, what do I want in that email?
I want to go ahead and send the histogram, this middle chart over here; do I want to include the search query in the email? Maybe you do; maybe, you know, depending on the audience, certainly, you know, there are different reasons why you may or may not. Other options: you can go ahead and have a script action run, so maybe once this... every 15 minutes some sort of service will run; so maybe when you get a bunch of 404s you want a server to reboot, and you want a script to run to reboot that server; you could do something like that. ServiceNow: so if you're using ServiceNow and you want to integrate with that, you can very easily, and just essentially fill out these fields. And then webhook is really the one I wanted to show, and so this is where you can go ahead and establish a connection with really anything that will utilize webhooks, so Slack, Twitter, although we recommend sending a message on Twitter that shows your 404s... but, you know, you could use any type of webhook environment. The other option that I wanted to point out here is the send notification; let me just... so I can have this occur every time a search is complete. So let's say every 15 minutes this search is going to run, it's going to send me all these results, and that's fine, but maybe I want to only receive a notification when a condition is met. So maybe I only want to know when there's been a certain amount of 404s, and if I'm under that amount of 404s I don't really care, because, you know, it's under my threshold and it's... it's a good thing, so I don't need to be notified of it. But maybe you need to be notified when you hit a hundred 404s, or, you know, when you hit some sort of ratio between 404s and 200s, or something like that. That can be all configured for you as well, or you can configure that yourself rather, but it can be configured in the environment.

So let's see, let's go back to the slide deck and kind of wrap up here today, and I'll open up to questions. If you want to go ahead and type a question in, that's cool; otherwise I'll try and, or just open it up and you guys can ask questions. But let's see... sorry about that noise; there we go. So monitoring alerts: this is, we just looked at it, and these are, you know, just some examples. The hands-on lab, as mentioned, this, you know, I would have certainly encouraged you guys to go through these processes and actually do the work yourself to get the hands-on experience. Metrics: not going to really cover metrics too much right now; we looked at it earlier. And so with the metrics, we went ahead and, when we did the demo earlier, we were using the metrics to... to see, well, once, see what was going on, and then we were able to go ahead and use that overlay, as we see here, where we were looking at both metrics and we were looking at logs at the same time, and using that overlay to correlate the metrics to the relevant logs and ultimately use the logs to then identify why things were happening. Ingesting metrics sources: kind of a quick summation of this slide is there's a bunch of different ways to ingest your data into Sumo Logic for metrics, similar to the way that there's a bunch of different ways to do it using your logs, and like I said earlier those would be covered typically in level 3. So I just wanted to kind of highlight that you can do it, but I'm not going to go through the specifics on setting that up right now. And then metrics dashboards and alerts: so I've shown log metrics, excuse me, log alerts, log dashboards; metrics also have a similar component, and we saw the example of those in the demo I did earlier, where we were looking at the top right panel of CPU usage; that was an example of the dashboard panel, or a metrics panel rather, excuse me, and then the metrics alert was demonstrated through the Slack message I received at the beginning. So where do I go from here? So you've sat through today; you know, what's... where are the next steps? Technical
resources so in the when you first log
into sumo logic you'll be brought to
that home page that you saw earlier
there's also learned tab and the learn
tab is going to have a bunch of great
resources all the ones that are listed
here so there's gonna be access to the
tutorials which essentially I pretty
much went through this one here the
using similar logic tutorial but would
encourage you to do so you'll have
reference to technical documentation
shortcuts to cheat sheets which are
going to be really helpful to look at
the operator so you can see a whole list
of all
the operators and then decide you know
what what makes sense for you to use the
ability to go ahead and that to go ahead
and ask support for example or I would
encourage you to certainly join the
community forum that's gonna be a great
place to post questions and and find
answers and interact with other similar
logic users and you know discuss your
use case and oftentimes you know other
organizations are using doing a similar
use case and kind of bounce ideas back
and forth off each other let's see so
I'll go ahead and open it up to
questions let me go ahead and try to
unmute you guys let's see
This webinar provides an introduction to Sumo Logic's QuickStart program, covering five key steps to becoming a Sumo Pro user. It highlights how to access and utilize Sumo Logic for data analysis, including searching, parsing, and monitoring trends and critical events. The session features a live demo troubleshooting a scenario where users cannot check out on the fictional 'Travel Logic' website. This involves using dashboards, metrics, and logs to identify the root cause, which is discovered to be the deployment of development code on a production system. The webinar also details the Sumo Logic data flow (collection, analysis, visualization), methods for data ingestion, the importance of metadata for data organization, and how to analyze data through collectors and queries. Advanced features like log reduction, log comparison, outlier detection, and plotting requests on a map are demonstrated. Finally, it touches upon creating dashboards and alerts for monitoring and notification, emphasizing the availability of resources like tutorials, documentation, and community forums for continued learning and support.