-
Notifications
You must be signed in to change notification settings - Fork 91
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #174 from droonee/droonee-patch-1
Drooney patch 1 - Data volume log searches/tools
- Loading branch information
Showing
4 changed files
with
50 additions
and
0 deletions.
There are no files selected for viewing
15 changes: 15 additions & 0 deletions
15
Sumo-Logic-Tools/Data Volume/30d_time_compare_top_20_sourcecategories.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| { | ||
| "type": "SavedSearchWithScheduleSyncDefinition", | ||
| "name": "30d time compare of top 20 source categories", | ||
| "search": { | ||
| "queryText": "_index=sumologic_volume _sourceCategory = \"sourcecategory_and_tier_volume\"\n| parse regex \"(?<data>\\{[^\\{]+\\})\" multi\n| json field=data \"field\",\"dataTier\",\"sizeInBytes\",\"count\" as sourcecategory, dataTier, bytes, count\n| where dataTier matches \"*\"\n| bytes/1024/1024 as mbytes \n| sum(mbytes) as mbytes by sourceCategory\n| round(mbytes,2) as mbytes\n| ((queryEndTime() - queryStartTime())/(1000*60*60*24)) as duration_in_day\n| mbytes / duration_in_day as %\"MB/Day\"\n| round(%\"MB/Day\",2) as %\"MB/Day\"\n| top 20 sourceCategory by mbytes, %\"MB/Day\"\n| compare with timeshift 30d 1\n| mbytes / mbytes_30d as ratio\n| where ratio > 1", | ||
| "byReceiptTime": false, | ||
| "viewName": "", | ||
| "viewStartTime": "1970-01-01T00:00:00Z", | ||
| "queryParameters": [], | ||
| "parsingMode": "AutoParse", | ||
| "defaultTimeRange": "Last 3 Days" | ||
| }, | ||
| "searchSchedule": null, | ||
| "description": "" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| # Sumo Logic Data Volume Tools | ||
| Sumo Logic Community Content for Data Volume visibility and monitoring. The compilation of searches assists the user in understanding changes in data volume from source categories, over time and at a point in time. | ||
|
|
||
| ### To use the content: | ||
| - Download the log searches and import them into your environment. |
15 changes: 15 additions & 0 deletions
15
Sumo-Logic-Tools/Data Volume/method_to_find_sourcecategories_that_crossover_partitions.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| { | ||
| "type": "SavedSearchWithScheduleSyncDefinition", | ||
| "name": "Method to find source categories that cross over partitions", | ||
| "search": { | ||
| "queryText": "// Run and export results of this query twice for tiers that you want to compare\n// Export both search results into an excel spreadsheet to find source categories from both lists\n_index=sumologic_volume _sourceCategory = \"sourcecategory_and_tier_volume\"\n| parse regex \"(?<data>\\{[^\\{]+\\})\" multi\n| json field=data \"field\",\"dataTier\",\"sizeInBytes\",\"count\" as sourcecategory, dataTier, bytes, count\n| where dataTier matches \"*\" // Continuous, Frequent, Infrequent\n| bytes/1024/1024 as mbytes \n| sum(mbytes) as mbytes by sourceCategory\n| round(mbytes,2) as mbytes\n| ((queryEndTime() - queryStartTime())/(1000*60*60*24)) as duration_in_day\n| mbytes / duration_in_day as %\"MB/Day\"\n| fields - duration_in_day\n| where %\"MB/Day\" > 1\n| sort by %\"MB/Day\" desc", | ||
| "byReceiptTime": false, | ||
| "viewName": "", | ||
| "viewStartTime": "1970-01-01T00:00:00Z", | ||
| "queryParameters": [], | ||
| "parsingMode": "AutoParse", | ||
| "defaultTimeRange": "Last 7 Days" | ||
| }, | ||
| "searchSchedule": null, | ||
| "description": "" | ||
| } |
15 changes: 15 additions & 0 deletions
15
Sumo-Logic-Tools/Data Volume/top_twenty_sourcecategories_over_time.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| { | ||
| "type": "SavedSearchWithScheduleSyncDefinition", | ||
| "name": "Top 20 SourceCat Over Time", | ||
| "search": { | ||
| "queryText": "_index=sumologic_volume _sourceCategory = \"sourcecategory_and_tier_volume\"\n| parse regex \"(?<data>\\{[^\\{]+\\})\" multi\n| json field=data \"field\",\"dataTier\",\"sizeInBytes\",\"count\" as sourcecategory, dataTier, bytes, count\n//| where dataTier matches \"Continuous\"\n| where [subquery: _index=sumologic_volume _sourceCategory = \"sourcecategory_and_tier_volume\"\n | parse regex \"(?<data>\\{[^\\{]+\\})\" multi\n | json field=data \"field\",\"dataTier\",\"sizeInBytes\",\"count\" as sourcecategory, dataTier, bytes, count \n | where !(sourcecategory matches \"*_and_*_volume\")\n | bytes/1Gi as gbytes \n | sum(gbytes) as gbytes by sourceCategory\n | sort by gbytes\n | limit 20\n | compose sourcecategory\n ]\n| bytes/1Gi as gbytes \n| timeslice 1d\n| sum(gbytes) as ingest by _timeslice, sourcecategory\n| transpose row _timeslice column sourcecategory", | ||
| "byReceiptTime": false, | ||
| "viewName": "", | ||
| "viewStartTime": "1970-01-01T00:00:00Z", | ||
| "queryParameters": [], | ||
| "parsingMode": "AutoParse", | ||
| "defaultTimeRange": "Last 14 Days" | ||
| }, | ||
| "searchSchedule": null, | ||
| "description": "" | ||
| } |