How do I write a query for log analytics?

Your guide for leveraging your logs

Log management is the processes and tools that your DevSecOps team use to collect, store and manage log data. As they constantly assess your applications and systems for performance, log analytics comes into play to improve the efficiency and effectiveness of an organization, identify and troubleshoot problems, and monitor the health and performance of system.

Looking for a proactive approach to find issues, bugs and threats? Interested in surfacing your business and user adoption insights? Log analytics is the answer—and one that actually contains a multitude of “questions,” also known as queries.

What is a query?

Think of a query like a question, but rather than asking a human to tell you something, you’re making a request for information from a data lake. How can you ask a question and be understood by the recipient? By speaking the same language.

It’s important to learn the language of queries—if you have programming experience, writing a query should be a fairly familiar concept and will use many components you already know. If you’re new to the world of programming, it’s helpful to learn a bit of SQL (Structured Query Language) and a few basic query concepts.

SQL commands are the building blocks used to create queries and communicate with a database to perform tasks and functions with data. Many of the basic concepts that are used in SQL are also used in other query languages. A few of the most common SQL commands are:

• SELECT – Allows you to retrieve data

• AND — Used to combine data

• ORDER BY — Sort results by whatever parameter(s) you choose

• UPDATE — Modify existing data

• WHERE — Filter data and retrieve its value based on the set condition

It may also be helpful to think of queries as searches — you’re using these components to create a search that looks for information and returns it to you.

How do I get insights from log analytics?

The best way to extract actionable insights from your log data is to use queries. Different types of queries are used (and combined with other commands) for specific functions. For example:

• A select query retrieves and displays specific information

• An action query manipulates data

You can and should attach parameters to create sophisticated and customized queries. Whether you are using SQL or a different language, it’s important to remember that the system will do exactly what you tell it to do. Be sure to check (and double-check) your query to make sure the syntax is correct.

What query language is used for log analytics?

The query language used depends on your log analytics solution. Most log management and analytics tools will use their own query language that works with their unique system. However, if you understand the basics of querying or have programming experience, you will most likely be able to learn the appropriate language quickly.

What query language does Sumo Logic use?

At Sumo Logic, you can perform log analytics with our Search Query Language. The extensive query options are intuitive and efficient, helping you quickly extract valuable insights from your log messages — no matter how many log sources you have. Just like any language, Sumo’s search query language has rules and syntax. Based on logical and familiar operators, you can create ad hoc queries quickly and efficiently.

• Sumo Logic query syntax example
  The syntax for a typical search query often looks similar to this:
  keyword expression | operator 1 | operator 2 | operator 3

It may be helpful to think of the syntax as a funnel or “pipeline.” Starting with your current Sumo Logic data, you enter keywords and operators separated by pipes (“|”). As you build your query, each operator acts on the results from the previous one. Results are returned incrementally with the most recent messages displayed first. Additional messages are added progressively to the Messages tab as the search walks backward in time through all of your log data.

To learn more about the rules and syntax, explore our search syntax overview.

When you use Sumo Logic’s query language and patented Log Reduce and Log Compare, you’ll find a powerful tool that gives you plenty of search options—querying across structured and unstructured data, from metrics and traces to logs, without sampling for full fidelity. When checking out the capability of other log analytics solutions, you’ll notice that Sumo Logic’s Search Query Language stands out.

How do I write a query in Sumo Logic?

As you’re writing queries, Sumo’s Getting Started with Search will help you learn how to build and run searches, review logs and much more. You’ll find guides like:

• About Search Basics

• Built-in Metadata

• Chart Search Results

• Comments in Search Queries

• Quick Search for Collectors and Sources

• Save a Search

• Search Autocomplete

• Search Surrounding Messages

• Share a Link to a Search

• Time Range Expressions

• View Search Results for JSON Logs

• View Traces Search Results

Our extensive resources include our Sumo Logic Query Library, a community space where users can post queries they find useful and view log query examples. You can use this resource to help get you started with searching your data. You’ll find other interesting tidbits in our community too, like how some of our users are experimenting with ChatGPT to write queries!

Ask the right questions and receive actionable answers fast with Sumo Logic

Ready to get started with Sumo Logic? We’re here to help you throughout the entire log management process from ensuring application reliability, securing and protecting against modern threats, all the way down to your everyday queries that surface valuable insights for your enterprise.

Learn the fundamentals with Sumo Logic certification and get started on your journey towards being a query master — we’re looking forward to meeting you!