Detect Patterns with LogReduce
The LogReduce® algorithm uses fuzzy logic and soft matching to group messages with similar structures and common repeated text strings into signatures, providing a quick investigative view, or snapshot, for the keywords or time range provided.
The Signatures tab displays LogReduce results as signatures. A signature is basically a reflection of the logs grouped by LogReduce; not all logs grouped in a signature will exactly match it. Within a signature, fields that vary are displayed with wildcard placeholders (**********) while other fields, such as timestamp (and some URLs) are ignored and replaced with placeholder variables such as $DATE and $URL.
You can refine the results of the LogReduce algorithm to make the outcome more generic or more specific. See Influencing the LogReduce Outcome for more information.
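A simplified illustration of how a signature with wildcard and $DATE/$URL placeholders can be derived from similar messages, added here as an example; it is not Sumo Logic's LogReduce algorithm or code. The regular expressions, the 0.6 threshold, the function names and the sample log lines are constructed assumptions.

```python
import re

WILDCARD = "*" * 10  # same placeholder the Signatures tab shows for varying fields
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}")  # assumed timestamp format
URL_RE = re.compile(r"https?://\S+")

# Constructed sample log lines (not real data).
SAMPLE = [
    "2024-05-01 10:00:01 Failed password for alice from 10.0.0.5 port 50122",
    "2024-05-01 10:00:03 Failed password for bob from 10.0.0.9 port 50188",
    "2024-05-01 10:00:07 Failed password for carol from 10.0.0.5 port 50201",
    "2024-05-01 10:01:00 GET https://example.com/login returned 200",
    "2024-05-01 10:01:02 GET https://example.com/admin returned 403",
    "2024-05-01 10:02:00 kernel: audit subsystem disabled",
]

def normalize(line):
    """Replace ignored fields with placeholder variables, then tokenize."""
    line = DATE_RE.sub("$DATE", line)
    line = URL_RE.sub("$URL", line)
    return line.split()

def similarity(sig, tokens):
    """Soft match: fraction of positions where signature and message agree."""
    if len(sig) != len(tokens):
        return 0.0
    same = sum(1 for s, t in zip(sig, tokens) if s == t or s == WILDCARD)
    return same / len(sig)

def reduce_logs(lines, threshold=0.6):
    """Group lines into signatures; returns {signature: [member lines]}."""
    groups = []  # each entry: [signature_tokens, member_lines]
    for line in lines:
        tokens = normalize(line)
        best = max(groups, key=lambda g: similarity(g[0], tokens), default=None)
        if best and similarity(best[0], tokens) >= threshold:
            # Fields that differ between members become wildcards.
            best[0] = [s if s == t else WILDCARD for s, t in zip(best[0], tokens)]
            best[1].append(line)
        else:
            groups.append([tokens, [line]])
    return {" ".join(sig): members for sig, members in groups}

if __name__ == "__main__":
    for signature, members in reduce_logs(SAMPLE).items():
        print(f"{len(members):>3}  {signature}")
```

The single-member signature in the output is the kind of low-volume pattern that is easy to miss in a raw message list.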
Will my LogReduce search results match my keyword search results?
Generally speaking, no. LogReduce is intended to be a jumping-off point for your analysis. Unlike a keyword search, where you are looking for data related to, say, a specific source or an error message, LogReduce returns signatures that contain messages that may be of interest to you using fuzzy logic. If you are not happy with a signature, you can teach LogReduce how you'd like the results to be made more specific. Do not think of a signature as an example of what logs are grouped under it; instead, think of a signature as a reflection of what LogReduce thinks you will find interesting if that signature catches your eye. Once you begin digging into LogReduce results, you will then want to structure a keyword query that delivers precise results.
Running a LogReduce query
When you run a LogReduce query, you can first filter results with a simple string or metadata expression, or you can just type a wildcard (*). Specify a reasonable time period, service, or geographic region. Follow your keyword expression with the logreduce operator to group the resulting logs into meaningful groups of messages called signatures. When running a LogReduce query, you will often see signatures change as the algorithm sorts through the resulting data and works to determine the best signature assignments for messages.
The logreduce operator cannot be used with group-by functions such as "count by fieldname."
To run a LogReduce query:
- In the search query field, enter a keyword string or a metadata tag (for example, _sourceCategory="Western Region") to initially filter messages to some category, or you can just type a wildcard (*).
- Click the LogReduce button. Results appear in the Signatures column when the search completes and you can do the following:
  - Click the Messages tab to see the individual messages for all signatures combined.
  - Rate the relevance of signatures by promoting or demoting them under the available Actions.
  - Change signatures by clicking the pencil icon.
  - Split signatures that should not be grouped by clicking on the split arrows.
- To export the results, click the Export icon. Then click Download to save the file to your computer.

- Promote, Demote, Split, and Edit icons.
- Undo and Redo icons.
- Click to view messages for the selected signature.
- Click to download the LogReduce report.
LogReduce color coding
Promoting a signature causes it to be highlighted yellow, and the up-thumb icon to turn blue. The yellow highlighting disappears when you perform an action on another signature. The up-thumb icon stays blue.
Demoting a signature causes it to be highlighted dark gray, and the down-thumb icon to turn blue. The gray highlighting goes away when you perform an action on another signature. The down-thumb icon stays blue.
Editing or splitting a signature causes it to be highlighted in light gray.
Investigating the Others signature
Messages that Sumo Logic cannot readily group are separated into a distinct signature called Others. This signature might contain simple, miscellaneous messages that are of low importance, or it might show some anomalous messages that are meaningful. To fully understand the Others signature, a human needs to investigate further.
To investigate the messages in the Others signature:
- Select the check box and click View Details.
- Sumo Logic runs the LogReduce algorithm on the signature with the details operator, and then displays the resulting sub-signatures.
Once a LogReduce query has run with the details operator, you cannot use that query again, for example, in a separate Search tab.