Snap type:

Read


Description:

This Snap is used to execute a Sumo Logic search job and return results to the output view.

  • Expected upstream Snaps: This Snap does not require a specific upstream Snap. An upstream Snap can, however, provide documents used to evaluate the Sumo Logic search job configuration; each input document triggers one Sumo Logic search job execution.
  • Expected downstream Snaps: Downstream Snaps would use the Sumo Logic search results for routing and/or data persistence.
  • Expected input: Each input document is evaluated against the Sumo Logic search job configuration and the search job is executed.
  • Expected output: If the Show aggregate records checkbox is selected, a single document is generated with the found messages and the aggregate records (message metrics) as child list elements. If it is not selected, the found messages are written to the output as separate documents. If the Field schema mapping checkbox is selected, the output fields are converted from the default string type according to the field type schema in Sumo Logic.


Prerequisites:

[None]


Support and limitations:
Account: 

This Snap uses account references created on the Accounts page of SnapLogic Manager to handle access to this endpoint. See SumoLogic Account for information on setting up this type of account.


Views:


Input: This Snap has at most one document input view.
Output: This Snap has exactly one document output view.
Error: This Snap has at most one document error view and produces zero or more documents in it. The error view is only written when the Field schema mapping checkbox is selected.


Settings

Label


Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Query


Required. The Sumo Logic search expression. See the Sumo Logic search documentation at https://service.sumologic.com/help/

Example: Unsuccessful | summarize

Default value: [None]


From


Required. The start of the date-time range for the search. Format: yyyy-MM-ddTHH:mm:ss

Example: 2014-09-28T00:00:00

Default value: [None]


To 


Required. The end of the date-time range for the search. Format: yyyy-MM-ddTHH:mm:ss

Example: 2014-10-28T00:00:00

Default value: [None]


Time Zone


Required. The time zone for the "From" and "To" date time settings above.

Default value: [UTC]


Field schema mapping


When selected, the Sumo Logic response field schema is used to convert response data into the matching data types instead of the default string type for each field. Search result fields that cannot be mapped according to their field schema type generate an error document in the error view.

Example:
In a scenario where the response data from Sumo Logic has an entry called '_blockid', which is of the 'integer' data type:

  • If the Field schema mapping check box is enabled, the data type of '_blockid' is retained as 'integer'.
  • If the Field schema mapping check box is not enabled, the data type of '_blockid' is converted to 'string'.

Default value: Selected


Aggregate search results


Aggregate search result messages into a single document, along with any aggregate metrics (if the search query has an aggregate function).

Default value: Not selected
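The two settings above (Field schema mapping and Aggregate search results) decide how the Snap shapes its output and when it writes the error view. The following Python model is an added example, not SnapLogic's or Sumo Logic's own code: it takes a constructed search-job response whose values all arrive as strings, converts them per a field schema, diverts any row that cannot be converted to an error list, and then either emits one aggregated document or one document per message. The response layout (a "fields" list with "fieldType" entries and rows under "map"), the type names and the function names are assumptions made for the example.

```python
from typing import Any, Callable


def _to_bool(value: str) -> bool:
    """Strict string-to-bool conversion: anything but true/false is a mapping error."""
    lowered = value.strip().lower()
    if lowered in ("true", "false"):
        return lowered == "true"
    raise ValueError(f"not a boolean: {value!r}")


# Assumed mapping from Sumo Logic field type names to Python converters.
CONVERTERS: dict[str, Callable[[str], Any]] = {
    "string": str,
    "int": int,
    "long": int,
    "double": float,
    "boolean": _to_bool,
}

# Constructed sample response. Its layout (a "fields" list carrying each
# field's type, and rows whose values arrive as strings under "map") is an
# assumption for this example, not a capture from a real search job.
SAMPLE_RESPONSE = {
    "fields": [
        {"name": "_messagetime", "fieldType": "long"},
        {"name": "_blockid", "fieldType": "int"},
        {"name": "_raw", "fieldType": "string"},
    ],
    "messages": [
        {"map": {"_messagetime": "1411862400000", "_blockid": "42",
                 "_raw": "Handling request for /login"}},
        {"map": {"_messagetime": "1411862401000", "_blockid": "n/a",
                 "_raw": "Handling request for /logout"}},
    ],
    "record_fields": [{"name": "_count", "fieldType": "long"}],
    "records": [{"map": {"_count": "2"}}],
}


def apply_field_schema(rows, fields):
    """Convert each row's string values to the type its schema entry names.

    Returns (documents, errors): rows that convert cleanly become typed
    documents; a row with any unmappable value goes to the error list intact,
    together with the failing field and the reason, so nothing is silently coerced.
    """
    type_of = {f["name"]: f["fieldType"] for f in fields}
    documents, errors = [], []
    for row in rows:
        values = row["map"]
        typed = {}
        failure = None
        for name, raw in values.items():
            field_type = type_of.get(name, "string")  # unknown fields stay strings
            convert = CONVERTERS.get(field_type, str)
            try:
                typed[name] = convert(raw)
            except (ValueError, TypeError) as exc:
                failure = {"field": name, "value": raw,
                           "fieldType": field_type, "reason": str(exc)}
                break
        if failure is None:
            documents.append(typed)
        else:
            errors.append({"original": dict(values), "error": failure})
    return documents, errors


def shape_output(response, field_schema_mapping=True, aggregate=False):
    """Return (output_documents, error_documents) as the two settings describe."""
    if field_schema_mapping:
        messages, msg_errors = apply_field_schema(response["messages"], response["fields"])
        records, rec_errors = apply_field_schema(response["records"], response["record_fields"])
        errors = msg_errors + rec_errors
    else:
        # Mapping off: every value keeps the string it arrived as, and the
        # error view is never written.
        messages = [dict(m["map"]) for m in response["messages"]]
        records = [dict(r["map"]) for r in response["records"]]
        errors = []
    if aggregate:
        # One document with found messages and aggregate records as child lists.
        return [{"messages": messages, "records": records}], errors
    # Otherwise each found message becomes its own output document.
    return messages, errors


if __name__ == "__main__":
    docs, errs = shape_output(SAMPLE_RESPONSE, field_schema_mapping=True, aggregate=False)
    print(docs)  # one typed message document; the "n/a" _blockid row is diverted
    print(errs)  # one error document naming _blockid as the failing field
```

The error document keeps the original row beside the failing field so a downstream Snap on the error view can see both what arrived and why it was rejected; with mapping switched off the same row passes through as strings and no error is raised, which is exactly the difference the Field schema mapping example describes for '_blockid'.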


Examples


If you wish to archive the Sumo Logic search job results to a database from the prior month beginning the first day of each new month, your pipeline might look something like this:


 

The Execute Search Job settings, in this case, are looking for the word "Handling".
A to_date parameter set to the first day of the month is used so that this pipeline can be scheduled each month and re-run as necessary.
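One way to derive the From and To values for such a monthly archive run, as an added example that is not part of the original page: given the day the pipeline runs, produce the previous calendar month as a pair of strings in the yyyy-MM-ddTHH:mm:ss format the From and To settings expect. The function name is an assumption; the point is that re-running on any later day of the same month yields the same window, and that January correctly rolls back into the prior year.

```python
from datetime import date, datetime, timedelta

# The yyyy-MM-ddTHH:mm:ss format the From and To settings expect.
SUMO_FORMAT = "%Y-%m-%dT%H:%M:%S"


def prior_month_window(run_day: date) -> tuple[str, str]:
    """Return (From, To) strings covering the calendar month before run_day.

    To is the first instant of the month run_day falls in (the to_date the
    page describes); From is the first instant of the month before it.
    Any day within the same month gives the same window, so a re-run later
    in the month archives exactly the same range.
    """
    first_of_this_month = run_day.replace(day=1)
    # Stepping back one day from the 1st lands in the prior month, whatever
    # its length, and crosses the year boundary in January.
    last_of_prior_month = first_of_this_month - timedelta(days=1)
    first_of_prior_month = last_of_prior_month.replace(day=1)
    start = datetime.combine(first_of_prior_month, datetime.min.time())
    end = datetime.combine(first_of_this_month, datetime.min.time())
    return start.strftime(SUMO_FORMAT), end.strftime(SUMO_FORMAT)


if __name__ == "__main__":
    # Constructed run date matching the page's example dates.
    print(prior_month_window(date(2014, 10, 1)))
```

Because the Time Zone setting applies to both values, the window is expressed in naive local time here and the Snap's Time Zone setting (UTC by default) decides how Sumo Logic interprets it.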

 

The Mapper data shows the Sumo Logic schema and the MySQL schema:

 

The MySQL Insert message can then be written to a file:

 

Related Information