How do I write a query for log analytics?

Your guide for leveraging your logs

Log management is the processes and tools your DevSecOps team uses to collect, store and manage log data. As they constantly assess your applications and systems for performance, log analytics comes into play to improve the efficiency and effectiveness of an organization, identify and troubleshoot problems, and monitor the health and performance of the system.

Looking for a proactive approach to find issues, bugs and threats? Would you be interested in surfacing your business and user adoption insights? Log analytics is the answer—and one that actually contains a multitude of “questions,” also known as queries.

What is a query?

Think of a query like a question, but rather than asking a human to tell you something, you’re requesting information from a data lake. How can you ask a question and be understood by the recipient? By speaking the same language.

It’s important to learn the language of queries—if you have programming experience, writing a query should be a fairly familiar concept and will use many components you already know. If you’re new to the programming world, learning a bit of SQL (Structured Query Language) and a few basic query concepts is helpful.

SQL commands are the building blocks used to create queries and communicate with a database to perform tasks and functions with data. Many of the basic concepts that are used in SQL are also used in other query languages. A few of the most common SQL commands are:

• SELECT – Allows you to retrieve data

• AND — Used to combine data

• ORDER BY — Sort results by whatever parameter(s) you choose

• UPDATE — Modify existing data

• WHERE — Filter data and retrieve its value based on the set condition

It may also be helpful to think of queries as searches — you’re using these components to create a search that looks for information and returns it to you.

How do I get insights from log analytics?

Using queries is the best way to extract actionable insights from your log data. Different queries are used (and combined with other commands) for specific functions. For example:

• A select query retrieves and displays specific information

• An action query manipulates data

You can and should attach parameters to create sophisticated and customized queries. Whether you are using SQL or a different language, it’s important to remember that the system will do exactly what you tell it to do. Be sure to check (and double-check) your query to ensure the syntax is correct.

What query language is used for log analytics?

The query language used depends on your log analytics solution. Most log management and analytics tools will use their query language that works with their unique system. However, if you understand the basics of querying or have programming experience, you will most likely be able to learn the appropriate language quickly.

What query language does Sumo Logic use?

You can perform log analytics with our Search Query Language at Sumo Logic. The extensive query options are intuitive and efficient, helping you quickly extract valuable insights from your log messages — no matter how many log sources you have. Like any language, Sumo’s search query language has rules and syntax. You can create ad hoc queries quickly and efficiently based on logical and familiar operators.

• Sumo Logic query syntax example
  The syntax for a typical search query often looks similar to this:
  keyword expression | operator 1 | operator 2 | operator 3

It may be helpful to think of the syntax as a funnel or “pipeline.” Starting with your current Sumo Logic data, you enter keywords and operators separated by pipes (“|”). As you build your query, each operator acts on the results from the previous one. Results are returned incrementally, with the most recent messages displayed first. Additional messages are added progressively to the Messages tab as the search walks backward through all your log data.

You can explore our search syntax overview if you want to learn more about the rules and syntax.

When you use Sumo Logic’s query language and patented Log Reduce and Log Compare, you’ll find a powerful tool that gives you plenty of search options—querying across structured and unstructured data, from metrics and traces to logs, without sampling for full fidelity. When checking out the capability of other log analytics solutions, you’ll notice that Sumo Logic’s Search Query Language stands out.

How do I write a query in Sumo Logic?

As you’re writing queries, Sumo’s Getting Started with Search will help you learn how to build and run searches, review logs and much more. You’ll find guides like:

• About Search Basics

• Built-in Metadata

• Chart Search Results

• Comments in Search Queries

• Quick Search for Collectors and Sources

• Save a Search

• Search Autocomplete

• Search Surrounding Messages

• Share a Link to a Search

• Time Range Expressions

• View Search Results for JSON Logs

• View Traces Search Results

Our extensive resources include our Sumo Logic Query Library, a community space where users can post useful queries and view log query examples. You can use this resource to help you search your data. You’ll find other interesting tidbits in our community, like how some users experiment with ChatGPT to write queries!

Learn how Sumo Logic helps you centrally collect and analyze data to quickly troubleshoot performance issues, investigate security threats and improve business operations in this short intro video:

Ask the right questions and receive actionable answers fast with Sumo Logic

Ready to get started with Sumo Logic? We’re here to help you throughout the entire log management process, from ensuring application reliability and securing and protecting against modern threats all the way down to your everyday queries that surface valuable insights for your enterprise.

Learn the fundamentals with Sumo Logic certification and get started on your journey toward being a query master — we’re looking forward to meeting you!