Sumo Logic Confidential

Optimizing Scheduled Searches

Mario Sanchez, Lavanya ShastriNovember 2016

How-To Webinar Welcome. To give everyone a chance to successfully connect,

we’ll start at10:05 AM Pacific.

Note you are currently muted.

Sumo Logic Confidential

Agenda

Using Scheduled Searches to Monitoring your EnvironmentAlert Types

EmailScript ActionServiceNowWebhooksSave to Index

Creating Meaningful Alerts

Sumo Logic Confidential

Sumo Logic Data Flow

Data Collection Search & Analyze

Visualize & Monitor

Alerts

Dashboards

Collectors

Sources

Operators

Charts

1 2 3

Sumo Logic Confidential

Scheduled SearchesScheduled Searches are saved searches that run at specified time intervals.• Great tool for continuously monitoring your stack. 

Using a Scheduled Search, you can set Alerts to trigger whenever the search completes or when a certain condition is met.

Alerts can be sent through various channels:• Email• Script Action• ServiceNow Connection• Webhook• Save to Index

Sumo Logic Confidential

Saving and Scheduling an Alert

Save and Schedule the Search

1. Specify frequency, time range and timezone2. Specify Alert condition & threshold

3. Specify Alert Type and details

Sumo Logic Confidential

Scheduling Frequency and Time RangeChoose a preset frequency or use Cron for custom frequency options

Use www.cronmaker.com for easy scheduling

Choose a preset time range or enter a custom one

Select a timezone for the search to run on

Sumo Logic Confidential

Setting up a Condition/Threshold• To take advantage of the Alert condition/threshold, your search

will most likely end with a line like this:_sourceCategory=Apache/Access AND status_code=404| timeslice 1m| count by _timeslice| where _count > 25

With this example, your results will only include timeslices where the count of 404s is greater than 0 or no results is there is no violation to your where clause.

Sumo Logic Confidential

Alert Type: EmailEmail Alerts can be sent, based on Search completion or on meeting a preset condition

• Note: Max of 120 emails per alert/day

* Blog on New Features

Sumo Logic Confidential

Alert Type: Script ActionCan be used to trigger a custom script hosted on a local server.

– Good fit for connecting to on-premise systems behind firewall

Key Points• Script hosted on server with an Installed Collector• Script has access to the search results (JSON format)• Script can call any other scripts• Script can be written in any of the following:

Local Server

Collector Custom Script

Sumo Logic Confidential

Alert Type: Script Action

Steps to Schedule Script Action:1. Add a Script to your Installed Collector

2. Add Script Action to your Scheduled Search

Sumo Logic Confidential

Alert Type: ServiceNow ConnectionIntegration that creates ServiceNow incident tickets from alerts or search results

Steps to Set up:1. Build a ServiceNow Connection2. Schedule a Search

Sumo Logic Confidential

Alert Type: Webhooks Used to send Alerts to any 3rd party tool that accepts incoming Webhooks.

– Any tool with a REST API

Steps to Set up:1. Build a Webhook Connection2. Schedule a Search

Sumo Logic Confidential

Alert Type: Save to IndexSave search results to an index

– Data can be searched at later time with increased search performance.

Example: _index=ExceptionEvents Creates new index named ExceptionEvents Saves/appends all results into new index

Save to Index versus Scheduled ViewWhenever possible, use a Scheduled View, as it offers safeguards and management features. However, if you need to use operators that are restricted in SVs, you can use Save to Index instead.

Sumo Logic Confidential

Best Practices: Good Alerts, Not-so-Good AlertsBlog Post: 2 Key Principles for Creating Meaningful AlertsTo be meaningful, Alerts should be:• Actionable – Alerts should have an associated playbook detailing steps to take • Directed – Alerts should be directed to an individual or group accountable for

handling it• Dynamic – Instead of static thresholds, smart Alerts can track outliers, moving

averages and/or abnormal increases.

Sumo Logic Confidential

Summary

To create Alerts:Save and Schedule the AlertSpecify Frequency and Time RangeSpecify Condition and ThresholdSpecify Alert Type and its Details

Alerts should be Actionable and DirectedMeaningful Alerts use Dynamic Thresholds