
Commit 43777aa

JV0812 and jpipkin1 authored
Event extraction rules (#6118)
* Event Extraction Rules * delete duplicate files * added API docs * minor fix * added beta tag * Update docs/api/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <[email protected]> * minor fix * added limitations --------- Co-authored-by: John Pipkin (Sumo Logic) <[email protected]>
1 parent 2bddce2 commit 43777aa

8 files changed, +145 -0 lines changed

docs/api/event-extraction-rules.md

Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
---
2+
id: event-extraction-rules
3+
title: Event Analytics Management APIs
4+
sidebar_label: Event Extraction Rules
5+
description: Use Event Analytics Management APIs to configure Event Extraction Rules.
6+
---
7+
8+
<head>
9+
<meta name="robots" content="noindex" />
10+
</head>
11+
12+
<p><a href={useBaseUrl('docs/beta')}><span className="beta">Beta</span></a></p>
13+
14+
import useBaseUrl from '@docusaurus/useBaseUrl';
15+
import ApiIntro from '../reuse/api-intro.md';
16+
import ApiRoles from '../reuse/api-roles.md';
17+
18+
<img src={useBaseUrl('img/icons/operations/rules.png')} alt="Thumbnail icon" width="50"/>
19+
20+
The Event Analytics Management API allows you to configure event extraction rules from HTTP endpoints. For more information, refer to [Event Extraction Rules](/docs/manage/event-extraction-rules).
21+
22+
## Documentation
23+
24+
<ApiIntro/>
25+
26+
| Deployment | Documentation URL |
27+
|:-- |:-- |
28+
| AU | https://api.au.sumologic.com/docs/#tag/eventAnalytics |
29+
| CA | https://api.ca.sumologic.com/docs/#tag/eventAnalytics |
30+
| DE | https://api.de.sumologic.com/docs/#tag/eventAnalytics |
31+
| EU | https://api.eu.sumologic.com/docs/#tag/eventAnalytics |
32+
| FED | https://api.fed.sumologic.com/docs/#tag/eventAnalytics |
33+
| JP | https://api.jp.sumologic.com/docs/#tag/eventAnalytics |
34+
| KR | https://api.kr.sumologic.com/docs/#tag/eventAnalytics |
35+
| US1 | https://api.sumologic.com/docs/#tag/eventAnalytics |
36+
| US2 | https://api.us2.sumologic.com/docs/#tag/eventAnalytics |
37+
38+
## Required role capabilities
39+
40+
<ApiRoles/>
41+
42+
* [Data Management](/docs/manage/users-roles/roles/role-capabilities/#data-management)
43+
* Manage Event Extraction Rules
44+
* View Event Extraction Rules
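Review bot: `useBaseUrl` is called on line 12 (the Beta badge) before its `import` on line 14; MDX hoists ESM imports so the page still renders, but moving the three `import` lines up to line 8, directly under the front matter and above the `<head>` block, keeps the file readable and matches the usual import-first layout. Minor: `title` on line 3 reads "Event Analytics Management APIs" while `id` and `sidebar_label` on lines 2 and 4 say "event-extraction-rules" / "Event Extraction Rules"; consider aligning the title with the sidebar label or stating the relationship in the intro sentence on line 20.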
Lines changed: 101 additions & 0 deletions
@@ -0,0 +1,101 @@
1+
---
2+
id: event-extraction-rules
3+
title: Event Extraction Rules
4+
description: Learn how to use Sumi Logic event extraction rules.
5+
---
6+
7+
<head>
8+
<meta name="robots" content="noindex" />
9+
</head>
10+
11+
<p><a href={useBaseUrl('docs/beta')}><span className="beta">Beta</span></a></p>
12+
13+
import useBaseUrl from '@docusaurus/useBaseUrl';
14+
15+
Event Extraction Rules enables you to automatically extract, correlate, and enrich events directly from log data, making them available for event querying and analysis. By reducing noise and highlighting meaningful events, this capability accelerates troubleshooting and root cause analysis with minimal manual effort. You can precisely control how events are classified by configuring event type and priority, ensuring that the most impactful events are surfaced and clearly represented within log searches for faster, more informed insights.
16+
17+
## Create an Event Extraction Rule
18+
19+
You can create an event extraction rule of your own from scratch by following the instructions below.
20+
21+
:::note
22+
You need the `Manage Event Extraction Rules` [role capability](/docs/manage/users-roles/roles/role-capabilities/) to create an event extraction rule.
23+
:::
24+
25+
1. [**New UI**](/docs/get-started/sumo-logic-ui). To access the Event Extraction Rules page, in the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Event Extraction Rules**. You can also click the **Go To...** menu at the top of the screen and select **Event Extraction Rules**. <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Event Extraction Rules**.
26+
1. Click the **+ Add Event Extraction Rule** button on the top right of the table.<br/><img src={useBaseUrl('img/manage/event-extraction-rule/event-extraction-rule.png')} alt="event-extraction-rule" style={{border: '1px solid gray'}} width="800"/>
27+
1. Enter the following options in the **Create New Event Extraction Rule** page:<br/><img src={useBaseUrl('img/manage/event-extraction-rule/create-event-extraction-rule.png')} alt="create-event-extraction-rule" style={{border: '1px solid gray'}} width="500"/>
28+
1. **Log Query**. Enter the log search query for the event to filter the logs. Optimize queries by limiting log volume, parsing and extracting only required fields, and using the fields operator to return only the data needed for event correlation and visualization.
29+
1. **Preview**. Click the **Preview Log Messages** button to preview the log messages for the query entered,
30+
1. **Event Configuration**:
31+
1. **Event Name**. A unique name for the event.
32+
1. **Event Description (optional)**. An optional text field to provide additional context about the event—such as its purpose, expected behavior, or when it should occur. Helps to understand the significance of the event.
33+
1. **Event Source**. Specify where the event originates from. This helps you to categorize and track events across different data sources.
34+
1. **Event Priority**. You can select Low, Medium, or High depending on the importance of the event.
35+
1. **Event Type**. Defines the category of the event - Deployment, Feature Flag Change, Infrastructure Change, or Configuration Change. This helps you in filtering, grouping, and analyzing events based on their nature.
36+
1. **Timeline Preview**. This previews how event markers will display in the histogram timeline on the logs page when this rule is active. This marker also displays the event type, source, and priority details.
37+
1. **Advanced Settings (optional)**. Use this section if you want to compare values from parsed event fields with fields in incoming log messages. When the selected values match, the system displays a visual marker to highlight the match.
38+
1. **Event Record Field**. Choose the field from the event record that you want to compare against incoming log data.
39+
1. **Match Type**. **Exact Match** is selected by default. This option creates a marker when the value in the incoming log exactly matches the value specified in the event record field.
40+
1. **Log Message Field**. Select the field from the incoming log message that should be compared with the chosen event record field.
41+
1. **Rule Details**. Enter the rule name and rule description (optional) of your choice that makes it easy to identify the rule.
42+
43+
:::info
44+
When an Event Extraction Rule is created, events only from previous seven days are automatically backfilled into the event index.
45+
:::
46+
47+
## Search for user data events
48+
49+
Searching the user data events is the same as running a normal search against your ingested data. You specify the `_index` metadata field with `sumologic_userdata_events`.
50+
51+
For example, to search for system events:
52+
53+
1. In the Search page, enter the following: `_index=sumologic_userdata_events`.
54+
:::info
55+
Make sure to enter the query exactly as shown. Changing any part of the query renders it ineffective.
56+
:::
57+
1. Choose the time range for the events that you'd like to review.
58+
1. Click **Start** to run the search.
59+
60+
:::note
61+
Add the `_eventExtractionRuleID` field to view the event ID against each log message.
62+
:::
63+
64+
## Edit a rule
65+
66+
To edit the existing event extraction rule, follow the below steps:
67+
68+
1. [**New UI**](/docs/get-started/sumo-logic-ui). To access the Event Extraction Rules page, in the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Event Extraction Rules**. You can also click the **Go To...** menu at the top of the screen and select **Event Extraction Rules**. <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Event Extraction Rules**.
69+
1. Navigate to the respective event rule which you wish to edit.
70+
1. On the left pane, click **Edit** button.<br/><img src={useBaseUrl('img/manage/event-extraction-rule/edit-event-extraction-rules.png')} alt="edit-event-extraction-rule" style={{border: '1px solid gray'}} width="400"/>
71+
1. In the event extraction rule editing pane, perform the required editing and click **Submit** to save the changes.
72+
73+
## Duplicate a rule
74+
75+
To duplicate the existing event extraction rule, follow the below steps:
76+
77+
1. [**New UI**](/docs/get-started/sumo-logic-ui). To access the Event Extraction Rules page, in the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Event Extraction Rules**. You can also click the **Go To...** menu at the top of the screen and select **Event Extraction Rules**. <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Event Extraction Rules**.
78+
1. Navigate to the respective event rule which you wish to duplicate.
79+
1. On the left pane, click **Duplicate** button.<br/><img src={useBaseUrl('img/manage/event-extraction-rule/duplicate-event-extraction-rules.png')} alt="duplicate-event-extraction-rule" style={{border: '1px solid gray'}} width="400"/>
80+
1. In the event extraction rule editing pane, perform the required editing and click **Submit** to duplicate the changes.
81+
82+
## Delete a rule
83+
84+
To delete the existing event extraction rule, follow the below steps:
85+
86+
1. [**New UI**](/docs/get-started/sumo-logic-ui). To access the Event Extraction Rules page, in the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Event Extraction Rules**. You can also click the **Go To...** menu at the top of the screen and select **Event Extraction Rules**. <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Event Extraction Rules**.
87+
1. Navigate to the respective event rule which you wish to edit.
88+
1. On the left pane, click **Delete** button.<br/><img src={useBaseUrl('img/manage/event-extraction-rule/delete-event-extraction-rules.png')} alt="delete-event-extraction-rule" style={{border: '1px solid gray'}} width="400"/>
89+
1. In the **Delete [rule name] item** pop-up, click on **Delete**.<br/><img src={useBaseUrl('img/manage/event-extraction-rule/delete-confirm-event-extraction-rule.png')} alt="delete-confirm-event-extraction-rule" style={{border: '1px solid gray'}} width="400"/>
90+
91+
## Limitations
92+
93+
- You can create a maximum of 50 event extraction rules.
94+
- For any query, a maximum of five event markers will be displayed in the histogram, regardless of the selected time range.
95+
96+
## Operational considerations
97+
98+
- To restrict user access to extracted events, you can deny access to the `sumologic_userdata_events` index for specific roles. Ensure that you have the **[Usage Management](/docs/manage/users-roles/roles/role-capabilities/#user-management)** capability enabled, as it is required to configure index-level access restrictions.
99+
- An Event Extraction Rule can generate a maximum of 1,000 events per hour. If this limit is exceeded, the rule may be automatically disabled. To re-enable the rule, review and refine the rule query to reduce the event volume.
100+
- Audit logs for all create, read, update, and delete (CRUD) actions performed on Event Extraction Rules are available in the `_index=sumologic_audit_events ` and `_sourcecategory=eventExtractionRule`.
101+
- System-generated events can be viewed by querying the `_index=sumologic_system_events` and `_sourcecategory=eventExtractionRule`, allowing you to identify errors and take appropriate corrective actions.
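Review bot: line 4 has a typo in the front matter description, `Sumi Logic` should read `Sumo Logic`. Line 98 links the bold text **Usage Management** to the `#user-management` anchor; one of the two is wrong, and since role-based index restrictions are administered through user and role settings, the text should probably read **User Management**; please verify against the role-capabilities page. Line 87 in the Delete section says "which you wish to edit", copied from the Edit section on line 69; it should say "delete". Lines 53 to 56 place an unindented `:::info` admonition between two items of the numbered list, which closes the list, so "Choose the time range" on line 57 renders as a new list that restarts at 1; indent the admonition by three spaces under the first item. Line 100 has a trailing space inside the backticks in `` `_index=sumologic_audit_events ` ``, which copies into a query as a stray character; remove it. Line 29 ends with a comma instead of a period, and line 44 reads more naturally as "only events from the previous seven days are automatically backfilled".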