Search Operators

Search operators process data in meaningful ways and provide logic to queries. This page lists the available search operators in the Sumo Logic search query language.

In this section, we'll introduce the following concepts:

accum

The accum operator calculates the cumulative sum of a field. It can be used to find a count by a specific time interval and a total running count across all intervals.

as

The as operator, typically used in conjunction with other operators, can also be used standalone to rename fields or to create new constant fields.

ASN lookup

Use this to look up an Autonomous System Number (ASN) and organization name by IP address.

backshift

The backshift operator helps you compare values as they change over time.

base64Decode

The base64Decode operator takes a base64 string and converts it to an ASCII string.

base64Encode

The base64Encode operator takes an ASCII string and converts it to a base64 string.

bin

The bin operator assigns output results to user defined bins.

cat

You can use the cat operator to view the contents of a lookup table. Not supported in auto refresh dashboards or scheduled searches.

CIDR

Sumo Logic's three CIDR operators work with Classless Inter-Domain Routing, notation to narrow the analysis of IPv4 networks to specific subnets.

compare

The compare operator can be used with the Time Compare button in the Sumo UI, which generates correct syntax and adds it to your aggregate query.

concat

The concat operator allows you to concatenate or join multiple strings, numbers, and fields into a single user-defined field.

contains

The contains operator compares string values of two parsed fields and returns a boolean result based on whether the second field's value exists in the first.

decToHex

The decToHex operator converts a long value of 16 or fewer digits to a hexadecimal string using Two's Complement for negative values.

dedup

The dedup operator removes duplicate results. You have the option to remove consecutively and by specific fields.

diff

The diff operator calculates the rate of change in a field between consecutive rows.

fields

The fields operator allows you to specify which fields to display and their order in the results of a query.

fillmissing

The fillmissing operator allows you to specify groups that should be represented in data output.

filter

Use the filter operator to filter the output of a search based on the filtering criteria of a child query.

format

The format operator allows you to format and combine data from parsed fields.

formatDate

The formatDate operator formats dates in log files as a string in a different format, such as U.S. or European date formatting.

Geo Lookup (Map)

With the Geo Lookup (Map) operator, Sumo Logic can match a parsed IPv4 or IPv6 address to its geographical location on a map.

geoip

With the geoip operator, Sumo Logic can match a parsed IPv4 or IPv6 address to its geographical location on a map chart.

hash

The hash operator uses a cryptographic hash algorithm to obscure data into a random string value.

haversine

The haversine operator returns the distance between latitude and longitude values of two coordinates in kilometers.

hexToAscii

The hexToAscii operator converts a hexadecimal string to an ASCII string.

hexToDec

The hexToDec operator converts a hexadecimal string of 16 or fewer characters to a long data type using Two's Complement for negative values.

if, ?

The if and ? expressions are used to evaluate a condition as either true or false, with values assigned for each outcome.

in

The in operator returns a Boolean value: true if the specified property is in the specified object, or false if it is not.

ipv4ToNumber

The ipv4ToNumber operator converts an Internet Protocol version 4 (IPv4) IP address from the octet dot-decimal format to a decimal format.

isNull, isEmpty, isBlank

The isNull operator checks a string and returns a boolean value, isEmpty if a string contains no characters, and isBlank if a string contains no characters, is only whitespace, and is null.

isNumeric

The isNumeric operator checks whether a string is a valid Java number.

isPrivateIP

The isPrivateIP operator checks if an IPv4 address is private and returns a boolean.

isPublicIP

The isPublicIP operator checks if an IPv4 address is public and returns a boolean.

isReservedIP

The isReservedIP operator checks if an IPv4 address is reserved as defined by RFC 5735 and returns a boolean.

isValidIP, isValidIPv4, isValidIPv6

The isValidIP operator checks if the value is a valid IP address. The isValidIPv4 and isValidIPv6 operators check if the value is a valid IPv4 or IPv6 address, respectively. 

join

The join operator combines records of two or more data streams.

jsonArrayContains

Use the jsonArrayContains operator to determine whether a JSON array contains a particular item.

jsonArraySize

Use the jsonArraySize operator to determine the size of a JSON array.

length

The length operator returns the number of characters in a string.

limit

The limit operator reduces the number of raw messages or aggregate results returned.

lookup

The lookup operator returns one or more fields from a lookup table hosted by Sumo Logic and add the fields to the log messages returned by your query.

lookup (Classic)

The lookup (Classic) operator maps data in your log messages to meaningful information saved in Sumo or on an HTTPS server.

lookupContains

Use the lookupContains operator to determine whether a key exists in a lookup table. It will return a boolean value.

luhn

Uses Luhn’s algorithm to check message logs for strings of numbers that may be credit card numbers and then validates them.

Manually cast data to string or number

Most data in Sumo Logic is stored as a string data type. Metadata fields are stored as string data and parsed fields are by default parsed as string type data.

matches

The matches operator can be used to match a string to a wildcard pattern or an RE2 compliant regex.

now

The now operator returns the current epoch time in milliseconds.

num

The num operator converts a field to a double value, which is twice as accurate as a float value.

outlier

The outlier operator identifies values in a sequence that seem unexpected and would trigger an alert/violation.

predict

The predict operator ses a series of time-stamped numerical values to predict future values.

queryEndTime()

The queryEndTime() operator returns the end time of the search time range in milliseconds.

queryStartTime()

The queryStartTime() operator returns the start time of the search time range in milliseconds.

queryTimeRange()

The queryTimeRange() operator returns the time duration for the query being executed in milliseconds.

replace

The replace operator allows you to replace all instances of a specified string with another string.

rollingstd

The rollingstd operator finds the rolling standard deviation of a field, allowing you to identify changes over time.

save

The save operator allows you to save the results of a query to a lookup table you've already created.

save (Classic)

The save (classic) operator works with the classic Lookup Tables feature.

sessionize

The sessionize operator uses an extracted value from one log message to find correlating values in log messages from other systems.

smooth

The smooth operator calculates the rolling (or moving) average of a field, measuring the average of a value to "smooth" random variation.

sort

The sort operator orders aggregated search results.

substring()

The substring operator allows you to specify an offset that will output only part of a string, referred to as a substring.

threatip

Correlates threat intelligence data based on IP addresses from your log data, helping you detect threats in your environment.

timeslice()

The timeslice operator aggregates data by time period, so you can create bucketed results based on a fixed interval.

Timeslice Join Results

When you gather data using a join operator, you can slice data by time period using the timeslice operator.

toLowerCase, toUpperCase

The toLowerCase operator takes a string and converts it to all lower case letters.

top

Use the top operator with the sort operator to reduce the number of sorted results returned.

topk

The topk operator allows you to select the top values from fields and group them by fields.

total

The total operator inserts the sum of a set of fields into every row of the set.

tourl

The tourl operator provides you the ability to assign a short name that describes the URL.

trace

The trace operator acts as a highly sophisticated filter to connect the dots across different log messages.

transpose

Similar to a Pivot Table in Excel, the transpose operator allows you to take a list and turn it into a table in the Aggregates tab.

trim()

The trim operator eliminates leading and trailing spaces from a string field.

urldecode

The urldecode operator decodes a URL you include in a query, returning the decoded (unescaped) URL string.

urlencode

The urlencode operator encodes the URL into an ASCII character set.

where()

The where operator allows you to filter results based on a boolean expression.