Sumo Logic Confidential
Optimizing Scheduled Searches
Mario Sanchez, Lavanya Shastri
November 2016
How-To Webinar
Welcome. To give everyone a chance to successfully connect, we'll start at 10:05 AM Pacific.
Note you are currently muted.
Agenda
• Using Scheduled Searches to monitor your environment
• Alert types: Email, Script Action, ServiceNow, Webhooks, Save to Index
• Creating meaningful Alerts
Sumo Logic Data Flow
(Diagram: three stages)
1. Data Collection: Collectors, Sources
2. Search & Analyze: Operators
3. Visualize & Monitor: Alerts, Dashboards, Charts
Scheduled Searches
Scheduled Searches are saved searches that run at specified time intervals.
• Great tool for continuously monitoring your stack.
• Using a Scheduled Search, you can set Alerts to trigger whenever the search completes or when a certain condition is met.
• Alerts can be sent through various channels: Email, Script Action, ServiceNow Connection, Webhook, Save to Index.
Saving and Scheduling an Alert
Save and Schedule the Search:
1. Specify frequency, time range and timezone
2. Specify Alert condition & threshold
3. Specify Alert Type and details
Scheduling Frequency and Time Range
• Choose a preset frequency or use Cron for custom frequency options (www.cronmaker.com can help build the expression).
• Choose a preset time range or enter a custom one.
• Select a timezone for the search to run in.
Setting up a Condition/Threshold
• To take advantage of the Alert condition/threshold, your search will most likely end with a where clause like this:

    _sourceCategory=Apache/Access AND status_code=404
    | timeslice 1m
    | count by _timeslice
    | where _count > 25

With this example, the results include only the timeslices where the count of 404s is greater than 25, or no results at all if no timeslice violates the where clause. An alert condition of "number of results greater than 0" therefore fires exactly when the threshold is crossed in at least one timeslice.
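To see what that pipeline actually computes before scheduling it, the following added example (not code from the Sumo Logic deck) reproduces the timeslice / count / where logic in plain Python over a handful of constructed Apache access log lines. The log lines, the 404 threshold and the helper names are all assumptions made for this example; the Sumo query above is the one being mirrored.

```python
"""Added example (not part of the Sumo Logic deck): reproduce the slide's
threshold search offline so the alert condition can be inspected.

Mirrors:
    _sourceCategory=Apache/Access AND status_code=404
    | timeslice 1m
    | count by _timeslice
    | where _count > 25

The sample log lines below are constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields the query needs are captured.
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, status_code) or None if the line is not Apache access format."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return ts, int(m.group("status"))


def timeslice(ts, minutes=1):
    """Floor a timestamp to the start of its N-minute bucket (the `timeslice` operator)."""
    return ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % minutes)


def count_404s_by_slice(lines, minutes=1):
    """`status_code=404 | timeslice 1m | count by _timeslice`"""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: it would simply not match the query
        ts, status = parsed
        if status == 404:
            counts[timeslice(ts, minutes)] += 1
    return dict(counts)


def violating_slices(lines, threshold=25, minutes=1):
    """`| where _count > 25`: only the buckets that break the threshold survive.
    The scheduled search alerts when this result set is non-empty."""
    return {
        start: n
        for start, n in count_404s_by_slice(lines, minutes).items()
        if n > threshold
    }


def build_sample_lines():
    """Constructed Apache access log lines: 30 x 404 in minute 12:00,
    3 x 404 plus some 200s in minute 12:01, and one malformed line."""
    base = datetime(2016, 11, 15, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i * 2)).strftime(TS_FORMAT)
        lines.append(f'10.0.0.{i % 5} - - [{ts}] "GET /wp-login.php HTTP/1.1" 404 209')
    for i in range(3):
        ts = (base + timedelta(minutes=1, seconds=i * 10)).strftime(TS_FORMAT)
        lines.append(f'10.0.0.9 - - [{ts}] "GET /missing HTTP/1.1" 404 209')
    for i in range(10):
        ts = (base + timedelta(minutes=1, seconds=i * 5)).strftime(TS_FORMAT)
        lines.append(f'10.0.0.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 1024')
    lines.append("not an apache line")
    return lines


if __name__ == "__main__":
    for start, n in sorted(violating_slices(build_sample_lines()).items()):
        print(f"{start.isoformat()}  _count={n}  (> 25, alert fires)")
```

Only the 12:00 bucket (30 hits) survives the where clause; the 12:01 bucket with 3 hits is dropped, which is the behaviour the "no results unless violated" wording on the slide describes.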
Alert Type: Email
Email Alerts can be sent based on Search completion or on meeting a preset condition.
• Note: Max of 120 emails per alert/day
• Reference: blog post on new features
Alert Type: Script Action
Can be used to trigger a custom script hosted on a local server.
– Good fit for connecting to on-premise systems behind a firewall
Key Points
• Script hosted on a server with an Installed Collector
• Script has access to the search results (JSON format)
• Script can call any other scripts
• Script can be written in any of the following:
• Because the script runs on the collector host under the collector's own account, treat the results it receives as untrusted input and limit the script to the systems it actually needs to reach.
(Diagram: Local Server → Installed Collector → Custom Script)
Alert Type: Script Action
Steps to schedule a Script Action:
1. Add a Script to your Installed Collector
2. Add the Script Action to your Scheduled Search
Alert Type: ServiceNow Connection
Integration that creates ServiceNow incident tickets from alerts or search results.
Steps to set up:
1. Build a ServiceNow Connection
2. Schedule a Search
Alert Type: Webhooks
Used to send Alerts to any 3rd-party tool that accepts incoming Webhooks.
– In practice, any tool with an HTTP/REST endpoint that can receive the posted payload
Steps to set up:
1. Build a Webhook Connection
2. Schedule a Search
Alert Type: Save to Index
Save search results to an index.
– Data can be searched at a later time with increased search performance.
Example: _index=ExceptionEvents
• Creates a new index named ExceptionEvents
• Saves/appends all results into the new index
Save to Index versus Scheduled View
Whenever possible, use a Scheduled View, as it offers safeguards and management features. However, if you need to use operators that are restricted in Scheduled Views, you can use Save to Index instead.
Best Practices: Good Alerts, Not-so-Good Alerts
Blog Post: 2 Key Principles for Creating Meaningful Alerts
To be meaningful, Alerts should be:
• Actionable – Alerts should have an associated playbook detailing steps to take
• Directed – Alerts should be directed to an individual or group accountable for handling it
• Dynamic – Instead of static thresholds, smart Alerts can track outliers, moving averages and/or abnormal increases.
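The "Dynamic" principle is easier to judge with numbers. The following added example (not code from the Sumo Logic deck, and not Sumo's own outlier operator) puts a fixed threshold next to a trailing-window outlier rule over two constructed per-minute error series: a quiet service where a jump from ~2 to 15 errors never reaches a static "> 25", and a busy service where "> 25" fires every minute. Series values, window size and the 3-sigma factor are assumptions chosen for this illustration.

```python
"""Added example (not part of the Sumo Logic deck): static versus dynamic
alert thresholds over per-minute counts.

The dynamic rule flags a minute whose count exceeds the mean of the
preceding `window` minutes by more than `k` standard deviations, the same
idea as a moving-average / outlier alert.  The two series are constructed
for this example.
"""
from statistics import mean, pstdev

# Constructed: a low-volume service that normally logs ~2 errors/min and
# then spikes to 15 in minute 12.
LOW_VOLUME = [2, 3, 1, 2, 2, 3, 2, 1, 2, 2, 2, 3, 15, 2, 2]

# Constructed: a high-volume service that normally logs ~40 errors/min and
# triples in minute 11.
HIGH_VOLUME = [40, 42, 39, 41, 40, 38, 43, 40, 41, 39, 40, 120, 41, 40]


def static_alerts(counts, threshold):
    """Indices of every minute whose count exceeds a fixed threshold
    (equivalent to `| where _count > threshold`)."""
    return [i for i, c in enumerate(counts) if c > threshold]


def dynamic_alerts(counts, window=10, k=3.0, min_stdev=1.0):
    """Indices of every minute that is an outlier relative to the preceding
    `window` minutes.  `min_stdev` stops a perfectly flat baseline from
    turning any one-count wobble into a 3-sigma event."""
    alerts = []
    for i in range(window, len(counts)):
        baseline = counts[i - window:i]
        mu = mean(baseline)
        sigma = max(pstdev(baseline), min_stdev)
        if counts[i] > mu + k * sigma:
            alerts.append(i)
    return alerts


def compare(counts, threshold=25):
    """Return both rule outputs side by side for one series."""
    return {
        "static": static_alerts(counts, threshold),
        "dynamic": dynamic_alerts(counts),
    }


if __name__ == "__main__":
    for name, series in (("low-volume", LOW_VOLUME), ("high-volume", HIGH_VOLUME)):
        result = compare(series)
        print(f"{name}: static(>25) fires at minutes {result['static']}, "
              f"dynamic fires at minutes {result['dynamic']}")
```

For the quiet service the static rule is silent during the spike, while the dynamic rule fires once at minute 12; for the busy service the static rule fires on all fourteen minutes (pure noise), while the dynamic rule fires only at minute 11, which is the one worth paging someone for.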
Summary
To create Alerts:
1. Save and Schedule the Alert
2. Specify Frequency and Time Range
3. Specify Condition and Threshold
4. Specify Alert Type and its Details
Alerts should be Actionable and Directed. Meaningful Alerts use Dynamic Thresholds.