Sumo Logic Confidential

Monitoring through Alerts

January 2016

How-To Webinar

Sumo Logic Confidential

Agenda

Monitoring Through Alerts

Alert TypesEmail

Script Action

ServiceNow

Webhooks

Save to Index

Creating Meaningful Alerts

Sumo Logic Confidential

Sumo Logic Data Flow

Data Collection Search & Analyze Visualize & Monitor

Alerts

Dashboards

Collectors

Sources

Operators

Charts

1 2 3

Sumo Logic Confidential

Alerting

Using a Scheduled Search, you can set Alerts to trigger whenever the search completes or when a certain condition is met.

Alert types include:• Email• Script Action• ServiceNow Connection• Webhook• Save to Index

Sumo Logic Confidential

Saving and Scheduling an Alert

1. Save your Search2. Schedule the Search

3. Specify frequency and time range

4. Specify Alert condition & threshold

5. Specify Alert Type and details

Sumo Logic Confidential

Alert Type: EmailEmail Alert can be sent, based on Search completion or on meeting a preset condition

• Email contains a representative sample of the first 20 rows of your results

• Clickable links provide all results within the Sumo Logic service

• Note: Max of 120 emails sent per day

Full results available within the Sumo Logic service

Sumo Logic Confidential

Alert Type: Script Action

Can be used to trigger a custom script hosted on a local server.

Steps to Build Script Action:1. Add a Script Action to the Installed Collector

2. Define and specify your Script

Sumo Logic Confidential

Alert Type: Script Action

Steps to Schedule Script Action:1. Create, save and schedule the query for the

data in question2. Select Script Action as your Alert Type and

provide your newly created Script Action

Key Points• Your script is hosted where your installed collector lives• Your script has access to the search results (JSON format)• Your script can call any other scripts• Good fit for connecting to on-premise systems behind firewall

Sumo Logic Confidential

Alert Type: ServiceNow Connection

Integration that creates ServiceNow incident tickets from alerts as well as from messages in search results

Steps to Set up:1. Build a ServiceNow Connection2. Schedule a Search

Sumo Logic Confidential

Alert Type: Webhooks

Target systems that support incoming webhook/HTTP alerts. Easy cloud-cloud integration.

Steps to Set up:1. Build a Webhook Connection

• Templates for common systems2. Schedule a Search

Sumo Logic Confidential

Alert Type: Save to Index

You can save the results of a search to an index, so your data can be searched at a later time with increased search performance.

For Example: _index=apache_404§ Original query has no aggregation§ Alert saves message detail of each 404 message§ New index (bucket) contains only 404 messages

Save to Index versus Scheduled ViewWhenever possible, use a Scheduled View, as it offers safeguards and management features. However, if you need to use operators that are restricted in SVs, you can use Save to Index instead.

Sumo Logic Confidential

Best Practices: Good Alerts, Bad Alerts

To be meaningful, Alerts should be:• Actionable – Alerts should have an associated playbook detailing steps to take • Directed – Alerts should be directed to an individual or group accountable for handling it• Dynamic – Instead of static thresholds, smart Alerts can track outliers, moving averages

and/or abnormal increases.

• Blog Post: 2 Key Principles for Creating Meaningful Alerts

Sumo Logic Confidential

Summary

Alert Types include:Email

Script Action

ServiceNow

Webhooks

Save to Index

Alerts should be Actionable and Directed

Meaningful Alerts use Dynamic Thresholds