Skip to main content

Sumo Logic

Reading time: 0 minute(s) (0 words)

Sumo Logic is an observability platform that provides visibility into AWS, Azure, and GCP cloud applications and infrastructure.

Sumo Logic parameters and supported features in Nobl9
General support:
Release channel: Stable, Beta
Connection method: Agent, Direct
Replay and SLI Analyzer: Historical data limit 30 days
Event logs: Supported
Query checker: Not supported
Query parameters retrieval: Supported
Timestamp cache persistence: Supported
Query parameters:
Query interval: 2 min
Query delay: 4 min
Jitter: 30 sec
Timeout: 30 sec
Agent details and minimum required versions for supported features:
Plugin name: n9sumologic
Query delay environment variable: SUMOLOGIC_QUERY_DELAY
Replay and SLI Analyzer: 0.102.0-beta
Query parameters retrieval: 0.73.2
Timestamp cache persistence: 0.65.0
Additional notes:
Supported authentication using <accessId>:<accessKey>

Creating SLOs with Sumo Logic​

You can create Sumo Logic SLOs using the Metrics or Logs types.

Nobl9 Web​

  1. Navigate to Service Level Objectives.
  2. Click .
  3. Select a Service.
    It will be the location for your SLO in Nobl9.
  4. Select your Sumo Logic data source.
  5. Modify Period for Historical Data Retrieval, when necessary.
    • This value defines how far back in the past your data will be retrieved when replaying your SLO based on Sumo Logic.
    • A longer period can extend the data loading time for your SLO.
    • Must be a positive whole number up to the maximum period value you've set when adding the Sumo Logic data source.
  6. Select the Metric type:
    • Threshold metric: a single time series is evaluated against a threshold.
    • Ratio metric: two-time series for comparison for good events and total events.
      For ratio metrics, select the Data count method: incremental or non-incremental.
  1. Choose the query type: Metrics or Logs.

In the Metric query type:

  • Quantization refers to aggregating metric data points for time series over an interval of time.
    Must be 15s or greater.
  • Rollup is an aggregation function for metric quantizing.
    Default value is none
  • Enter the query.
    Query examples:
    • Threshold query metric=CPU_usage
    • Ratio good query metric=Mem_Used
    • Ratio total query metric=Mem_Total
  1. Define the Time window for your SLO:
  2. Configure the Error budget calculation method and Objectives:
    • Occurrences method counts good attempts against the count of total attempts.
    • Time Slices method measures how many good minutes were achieved (when a system operates within defined boundaries) during a time window.
    • You can define up to 12 objectives for an SLO.

      • Similar threshold values for objectives
      To use similar threshold values for different objectives in your SLO, we recommend differentiating them by setting varying decimal points for each objective.
      For example, if you want to use threshold value 1 for two objectives, set it to 1.0000001 for the first objective and to 1.0000002 for the second one.
  3. Add the Display name, Name, and other settings for your SLO:
    • Name identifies your SLO in Nobl9. After you save the SLO, its name becomes read-only.
      Use only lowercase letters, numbers, and dashes.
    • Select No data anomaly alert to receive notifications when your SLO stops reporting data for a specified period:
      • Choose up to five supported Alert methods.
      • Specify the delay period before Nobl9 sends an alert about the missing data.
        From 5 minutes to 31 days. Default: 15 minutes
    • Add alert policies, labels, and links, if required.
      Limits per SLO: 20 alert policies or links, 30 labels.
  4. Click CREATE SLO.

    5. SLO configuration use case
    Check the SLO configuration use case for a real-life SLO example.
SLI values for good and total
When choosing the query for the ratio SLI (countMetrics), keep in mind that the values ​​resulting from that query for both good and total:
  • Must be positive.
  • While we recommend using integers, fractions are also acceptable.
    • If using fractions, we recommend them to be larger than 1e-4 = 0.0001.
  • Shouldn't be larger than 1e+20.

YAML​

Metrics query​

Sample Sumo Logic threshold metrics SLO
apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: api-server-slo
  displayName: API Server SLO
  project: default
  labels:
    area:
      - latency
      - slow-check
    env:
      - prod
      - dev
    region:
      - us
      - eu
    team:
      - green
      - sales
  annotations:
    area: latency
    env: prod
    region: us
    team: sales
spec:
  description: Example Sumo Logic SLO
  indicator:
    metricSource:
      name: sumo-logic
      project: default
      kind: Agent
  budgetingMethod: Occurrences
  objectives:
    - displayName: Good response (200)
      value: 200.0
      name: ok
      target: 0.95
      rawMetric:
        query:
          sumoLogic:
            type: metrics
            query: metric=CPU_Usage
            quantization: 15s
            rollup: Avg
      op: lte
      primary: true
  service: api-server
  timeWindows:
    - unit: Month
      count: 1
      isRolling: false
      calendar:
        startTime: "2022-12-01 00:00:00"
        timeZone: UTC
  alertPolicies:
    - fast-burn-5x-for-last-10m
  attachments:
    - url: https://docs.nobl9.com
      displayName: Nobl9 Documentation
  anomalyConfig:
    noData:
      alertMethods:
        - name: slack-notification
          project: default
      alertAfter: 1h

Your metrics query must contain the following:

FieldTypeDescriptionNotes
typeStringOne of: metrics | logsFor the metric query type, specify metrics
quantizationIntegerMetric data point aggregation for time series over an interval of time (e.g, s, h)Must be 15s or greater
rollupStringAn aggregation function used for quantizing metricsOne of: avg | sum | min | max | count | none
queryStringYour custom queryExample: metric=CPU_usage

Refer to the YAML guide > SLO for more information on other fields.

Logs query​

Sample Sumo Logic threshold logs SLO
apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: api-server-slo
  displayName: API Server SLO
  project: default
  labels:
    area:
      - latency
      - slow-check
    env:
      - prod
      - dev
    region:
      - us
      - eu
    team:
      - green
      - sales
  annotations:
    area: latency
    env: prod
    region: us
    team: sales
spec:
  description: Example Sumo Logic SLO
  indicator:
    metricSource:
      name: sumo-logic
      project: default
      kind: Agent
  budgetingMethod: Occurrences
  objectives:
    - displayName: Good response (200)
      value: 200
      name: ok
      target: 0.95
      rawMetric:
        query:
          sumoLogic:
            type: logs
            query: >-
              _sourceCategory=uploads/nginx

              | timeslice 1m as n9_time

              | parse "HTTP/1.1" * * " as (status_code, size, tail)

              | if (status_code matches "20" or status_code matches "30*",1,0)
              as resp_ok

              | sum(resp_ok) as n9_value by n9_time

              | sort by n9_time asc
      op: lte
      primary: true
  service: api-server
  timeWindows:
    - unit: Month
      count: 1
      isRolling: false
      calendar:
        startTime: '2022-12-01 00:00:00'
        timeZone: UTC
  alertPolicies:
    - fast-burn-5x-for-last-10m
  attachments:
    - url: https://docs.nobl9.com
      displayName: Nobl9 Documentation
  anomalyConfig:
    noData:
      alertMethods:
        - name: slack-notification
          project: default
      alertAfter: 1h

Your logs query must contain the following:

KeywordDescriptionAccepted input
timesliceGroups log messages into fixed time intervals. Used to aggregate data points into consistent time buckets for time-series analysis. The result timestamp marks the beginning of each interval.Time unit value: [number][unit] where unit is one of: s (seconds), m (minutes), h (hours), d (days).
Must be 15s or greater.
Examples: 1m, 30s, 2h
n9timeThe timestamp field used for time-based analysis. Represents when the data point was recorded or the interval it belongs to.Unix timestamp in seconds or milliseconds
n9valueThe numerical value of the metric being measuredFloating-point number representing the metric value
count(*)An aggregation function that performs calculations on grouped dataOne of:
avg - average value
sum - total value
min - minimum value
max - maximum value
count - number of items
none - no aggregation
asSearch operator that creates an alias for a field or expression. Used to name the output fields for further processing.Field alias name that follows Sumo Logic naming conventions.
Required fields: n9time and n9value

Refer to the YAML guide > SLO for more information on other fields.

Querying for logs​

Sumo Logic queries use pipe operators (|) to chain operations together. Each operator processes the results from the previous operation, progressively filtering and transforming the data to achieve the desired output.

All queries must start with either a keyword or string search.

Special characters are available for pattern matching:

  • * - Wildcard character that matches zero or more characters
  • ? - Matches exactly one character

Here's a detailed example of a Sumo Logic query that calculates successful HTTP responses:

_sourceCategory=uploads/nginx
| timeslice 1m as n9_time
| parse "HTTP/1.1\" * * *" as (status_code, size, tail)
| if (status_code matches "20*" or status_code matches "30*",1,0) as resp_ok
| sum(resp_ok) as n9_value by n9_time
| sort by n9_time asc

This query:

  1. Filters logs from the nginx uploads category.
  2. Groups data into 1-minute intervals.
  3. Extracts HTTP status code, size, and remaining content.
  4. Marks responses with 2xx or 3xx status codes as successful (1) and others as failed (0).
  5. Sums successful responses for each time interval.
  6. Sorts results chronologically.

The query produces time-series data in the following format:

"n9_time","n9_value"
"1645371960000","2.0"
"1645372020000","58.0"
"1645372080000","46.0"
"1645372140000","12.0"
"1645372200000","12.0"
"1645372260000","12.0"
"1645372320000","14.0"
"1645372380000","22.0"

For comparison, here's a query that counts total requests in the same time ranges:

  _sourceCategory=uploads/nginx
| timeslice 1m as n9_time
| parse "HTTP/1.1\" * * *" as (status_code, size, tail)
| count(*) as n9_value by n9_time
| sort by n9_time asc

API rate limits​

Sumo Logic enforces rate limits on Search Job API requests.

The Nobl9 agent makes several API calls following the documented Process Flow to collect data points. To manage these requests efficiently, the agent distributes them across the 2-minute interval.

To ensure timely SLI data collection, observe these API limits:

  • API requestsβ€”4 requests/second (240/minute) per user
  • Concurrent requestsβ€”10 per access key

Best practices to avoid rate limits​

  1. Use metrics over logs
  2. Optimize log queries
  3. Keep one agent connection for your Sumo Logic data sources
    • For agent-based connections, use only one agent for all Sumo Logic data sources
    • This restriction doesn't apply to direct connections
  4. Monitor usage
    • Keep the number of log-based objectives within your API limits
Check out these related guides and references:
Add Sumo Logic as a data sourceAdding data sources'as' operatorExternal docsMetric quantizationExternal docsRate limit throttlingExternal docsProcess FlowExternal docsCreating SLOs via TerraformTerraform
On this page