Slides - Fundamentals

The document outlines a Sumo Logic Fundamentals Certification course, detailing the agenda which includes topics such as data collection, searching and analyzing data, alerts and monitoring, and visualizing data. It aims to equip participants with knowledge about the Sumo Logic data pipeline, how to install apps, and how to effectively search and visualize log data. The course also includes hands-on labs for practical experience with Sumo Logic's features and functionalities.


Become a Sumo Generalist
Fundamentals Certification

Welcome! Note you are currently muted. We will get started shortly.

This session is being recorded


Course Agenda

15 min. Introduction
● What is Sumo Logic?
● What kind of data does Sumo Logic ingest?
● Sumo Logic architecture
● What is available out-of-the-box?

25 min. Data Collection
● Preparing the data to be seen
● Collectors
● Sources
● Collection strategy

20 min. Searching and Analyzing Data
● How is the data organized in Sumo Logic?
● Where do I search for my data?
● Perform a search using a query

15 min. Alerts and Monitoring
● Alert Response
● Context Cards for Troubleshooting

15 min. Visualizing Data
● Charts, Panels, Dashboards

10 min. Summary
● Exam, Next steps, Survey


Course Objectives

● Describe the Sumo Logic data pipeline.
● Understand how collectors and sources work.
● Install an app.
● Search log data using Basic Mode.
● View data with charts, panels, and dashboards.
Introduction
● What is Sumo Logic?
● What kind of data does Sumo Logic ingest?
● Sumo Logic architecture
● What is available out-of-the-box?

Sumo Logic Confidential


Sumo Logic: A cloud-native machine data analytics platform

Use Cases: Security, Microservices, Hybrid-cloud Environments, Multi-cloud Environments, Operations, Business Intelligence

The Observability solution (Application, Infrastructure, Security)
Ensures production apps are functioning reliably:
● Troubleshoot issues with multi-dimensional analysis and automatic root cause detection
● Monitor with new alerting and dashboarding capabilities
● Diagnose issues quickly using alerts and out-of-box dashboards

The Security Solution
● Cloud Security Monitoring + Analytics: Monitor, detect, search and investigate security incidents with threat benchmarking & analytics
● Audit & Compliance: Determine compliance and posture management
● Cloud SIEM: Automatic alert triage, automatic threat detection, threat hunting and investigations
● Cloud SOAR: Improve SOC efficiency with progressive automation, orchestration, insightful decision-making
What kind of data does Sumo Logic ingest?

● Logs: to identify why it’s happening
● Metrics: to identify what’s going on
● Traces: end-to-end visibility into user transactions across services
Architecture highlights

Cloud-native
• Built in AWS from the start
• Leverages powerful AWS services to their fullest potential
• Partnership with AWS
• We monitor availability and performance 24/7 and make constant improvements

Microservices
• Autoscaling
• Teams at Sumo Logic push software daily
• Increased reliability due to smaller failure domains and availability zone distribution

Multi-tenant
• Resources are shared
• Headroom to scale on short notice
• Adapts to load dynamically


Sumo Logic Data Pipeline

Ingestion Path: Receiver, Kafka, Forge, Kafka, Indexer
S3
Search Path: Service, Stream, Katta


How is the data organized in Sumo Logic?

Indexed Data

● Default Continuous Partition: all ingested data that is not assigned to a partition or to views populated by Scheduled Searches
● Partitions (Manage Data > Logs > Partitions): create partitions first, then assign those partitions to the data tiers later
● Data Tiers: Continuous Tier, Frequent Tier, Infrequent Tier
Taking advantage of App Catalog

• Deliver out-of-the-box dashboards, saved searches, and field extraction rules for popular data sources
• When an app is installed, pre-set searches and dashboards are customized with your source configurations and populated in a folder


Has someone already analyzed this same data? Shared Content

For All Users
● Share log searches, metric searches, dashboards, and folders.
● Choose how widely shared your content is within your Org.

For Admin
● Manage content to specific users and groups.
● Select the Library Tab, under View as: Toggle to Content Administrator mode.

Demo: Let’s See Sumo Logic in Action!
Slack Message, Alert Response, Dashboard, Log Search
Sumo Logic Data Flow

1 Data Collection: Collectors, Sources
2 Search & Analyze: Operators
3 Visualize & Monitor: Alerts, Charts, Dashboards
Data Collection
● Preparing the data to be seen
● Collectors
● Sources
● Collection strategy



Preparing the data to be seen
Ask three questions to decide your data collection strategy

01 What do you want to know? Performance, Numbers, Errors, Success rate (<errors> | <success%>)
02 What are the resources available to you? Money, Time, Expertise (<credits> | <totaltime>)
03 Where does the data reside? Environment, Infrastructure, Files, People (<prod> <uat> | <aws> <win> <devops> <superuser>)
Sending Data ⇨ Metadata

Metadata tags are:
• Associated with each log message that is collected
• Attached to your log messages at collection-time
• Used to find targeted results in search queries

Tag               Description
_collector        Name of the collector (defaults to hostname)
_sourceHost       Hostname of the server (defaults to hostname)
_sourceName       Name and Path of the log file
_source           Name of the source this data came through
_sourceCategory   Can be freely configured. Main metadata tag (e.g. labs/apache/access)


Metadata: Source Category Best Practices
Common components (and any combination of):

• Environment (Prod/UAT/DEV)
• Application Name
• Geographic Information (East vs West datacenter, office location, etc.)
• AWS Region
• Business Unit

The highest-level components should group the data by how it is most often searched together, for example:

Prod/Web/Apache/Access   or   Web/Apache/Access/Prod
Dev/DB/MySQL/Error       or   DB/MySQL/Error/Dev


Source Category Usage Examples
Getting the Source Category naming right is KEY to getting the most out of the platform.

If I want to search for:                                                      Suggested search
Everything that happened in my Prod Windows environment (events)              _sourceCategory=prod/windows/events
Production windows events and performance metrics (Performance)               _sourceCategory=prod/windows/*
Everything that happened across my entire Windows fleet (e.g. checking hotfixes)   _sourceCategory=*/windows/events
Production IIS Access Logs for server “web02” looked after by the “web” support team   _sourceCategory=prod/web/iis/access _sourceHost=web02
All Windows events & performance metrics across the entire platform.          _sourceCategory=*/windows/*
All access logs (apache, IIS, NGINX, etc.), from all of my web servers that are supported by the “web” team.   _sourceCategory=*/web/*/access
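To make the wildcard scoping in the table above concrete, the following is an added Python example written for this page; it is not Sumo Logic's code and does not query the platform. It simulates the metadata filter over a handful of constructed log records carrying the tags from the metadata slide, and shows why a well-structured source category (environment/app/component/type) lets one `*` pick out exactly the fleet you mean. It assumes that `*` is the only wildcard, that a filter must match the whole tag value, and that tag matching is case-insensitive.

```python
import re

# Constructed sample records for this example: each message carries the metadata
# tags the slides describe (_sourceCategory, _sourceHost) plus the raw text.
LOGS = [
    {"_sourceCategory": "prod/windows/events",      "_sourceHost": "dc01",   "_raw": "EventID=4625 logon failure"},
    {"_sourceCategory": "prod/windows/performance", "_sourceHost": "web02",  "_raw": "CPU_Total=91"},
    {"_sourceCategory": "dev/windows/events",       "_sourceHost": "build07","_raw": "EventID=19 update installed"},
    {"_sourceCategory": "prod/web/iis/access",      "_sourceHost": "web02",  "_raw": "GET /login 200"},
    {"_sourceCategory": "prod/web/iis/access",      "_sourceHost": "web03",  "_raw": "GET /login 401"},
    {"_sourceCategory": "prod/web/apache/access",   "_sourceHost": "web10",  "_raw": "GET / 200"},
    {"_sourceCategory": "prod/db/mysql/error",      "_sourceHost": "db01",   "_raw": "Access denied for user"},
]


def glob_to_regex(pattern):
    """Turn a metadata filter value into a compiled regex.

    Only '*' is a wildcard (it may match any characters, including '/');
    everything else is literal. The value must match the whole tag, and the
    comparison is case-insensitive (assumption about the metadata filter).
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def search(logs, **filters):
    """Apply metadata filters the way the 'Suggested search' column does.

    search(LOGS, _sourceCategory="*/windows/*", _sourceHost="web02") keeps a
    record only if every supplied tag matches its filter.
    """
    compiled = {tag: glob_to_regex(value) for tag, value in filters.items()}
    return [
        rec for rec in logs
        if all(rx.match(rec.get(tag, "")) for tag, rx in compiled.items())
    ]


def hits(logs, **filters):
    """Convenience wrapper returning just the raw messages of the matches."""
    return [rec["_raw"] for rec in search(logs, **filters)]


if __name__ == "__main__":
    # The six searches from the table, run against the constructed records.
    for name, flt in [
        ("prod windows events",        {"_sourceCategory": "prod/windows/events"}),
        ("prod windows (all)",         {"_sourceCategory": "prod/windows/*"}),
        ("windows events, any env",    {"_sourceCategory": "*/windows/events"}),
        ("prod IIS access on web02",   {"_sourceCategory": "prod/web/iis/access", "_sourceHost": "web02"}),
        ("all windows data",           {"_sourceCategory": "*/windows/*"}),
        ("all web access logs",        {"_sourceCategory": "*/web/*/access"}),
    ]:
        print(f"{name}: {len(search(LOGS, **flt))} record(s)")
```

Because the environment is the leading component in these categories, `prod/windows/*` scopes a search to production without touching the dev host, while `*/windows/events` deliberately crosses environments; the same filters would return far more (or less) than intended if the category had been free-form.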
Collectors



Types of Collector

Installed Agents

Installed Collector
● Is installed on a system within your deployment locally or remotely
● Sources collect data available in your deployment
● Easy to troubleshoot based on Collector logs
● Supported by major cloud service providers

OT Distro Agent
● Next generation agent built on OpenTelemetry
● Single framework for ALL observability data
● Puts you in charge of your data

Hosted Collector
● Is Hosted by Sumo Logic
● Is Agentless
○ Doesn’t require software to install or activate on a system in your deployment
● Hosts Sources to collect seamlessly from AWS, Google, and Microsoft products
● Can receive logs and metrics uploaded via a URL
Installed Agents

Diagram: Installed Collectors send data to Sumo Logic over HTTPS. Data shown reaching the collector: Containers, Local Files & Host Metrics, Application Component, and Remote Files Collection (via SSH or Windows API (RPC)).

When to use more than one Installed Collector, if you:
● Expect the Collector to ingest from at least 500 separate files.
● Hardware has memory or CPU limitations.
● Expect combined logging traffic for one Collector to be higher than 15,000 events per second.
● Network clusters or regions are geographically separated.
● Prefer to install many Collectors, for example, one per machine to collect local files.

When to use OpenTelemetry, if you:
● Leverage the Supported Sources and Supported Platforms
● Are looking for a single agent as opposed to managing multiple agents
● Are having scale issues with FluentD on Kubernetes
● Are looking for ARM support
Hosted Collector

Diagram: sources reach the Hosted Collector over HTTPS: CloudWatch Logs, S3, Kinesis Firehose, HTTPS endpoint, CDN, EventHub, Network Watcher, Monitor, Google Pub/Sub, API, Webhooks, DevOps Toolchain, SaaS, SSO/MFA.

● For a single Hosted Collector, you can configure up to 1,000 sources.
● Consider setting up more than one Hosted Collector, if you'd like to tag different data types with different metadata.


Selecting a Collector type

Which collector should I use?


Sources



What is a Source?

Targets: Hosts, Appliances, Cloud infrastructure

A source is an object that:
● is configured for a specific collector
● scans a particular target periodically and
● sends newly available data to the collector

Metrics: Measurements over time. Logs: Records of events. Traces: end-to-end visibility into user transactions.
Types of Sources

Installed Agents
• File Sources
• Windows Event Log Sources
• Docker Sources
• Host Metrics Sources

Hosted Collector
• Amazon S3
• Cloud syslog source
• Google Apps Audit Source
• Google Cloud
• HTTP
• Microsoft Office 365
Log in to the training environment

url: service.sumologic.com
email: training+analyst###@sumologic.com
password: *******

### - a number between 001-999, for example [email protected]

Note: Place your ### number into chat so that everyone knows not to use the one you selected
Hands-on Lab
Using Sumo Logic Training

Complete Lab 1: Data Collection


● Sign in to Sumo Logic
● Navigate to Manage Data > Collection page
● Identify metadata available
● Identify collectors
● Identify sources
Hands-on Lab
Using Sumo Logic Training

Complete Lab 2: App Installation


● Install an app and view its content
● Find and display a shared dashboard
Collection Strategy



Deployment Options overview

Local Data Collection. The collector:
1. Is installed on all target hosts
2. Sends log data produced on those target hosts directly to Sumo Logic Backend via HTTPS connection

Centralized Data Collection. The collector:
1. Is installed on a set of dedicated machines
2. Collects log data from target hosts through various remote mechanisms
3. Forwards data to Sumo Logic Backend

Hosted (Cloud) Data Collection. The cloud service:
1. Generates most data in the cloud
2. Collects data through Sumo Logic cloud integrations
Ingesting data for Observability

Diagram: App System Architecture. Application Observability covers the Application and its App Components; Platform Technology Observability covers Kubernetes; Application Infrastructure covers Amazon Web Services (AWS).

Ingesting data for Security

Diagram: Collection on CIP and Collection on CSE.
What is required for my business?

● Ability to slice and dice usage based on:
○ Metadata: Collector, Source Category, Source, Source Name, Source Host
○ Data Types: Logs, Traces, Metrics
○ Tiers: Continuous, Frequent, Infrequent
Which tier should I use? How frequently do you access the data?

● Regularly: Continuous Tier (System Logs, Application Logs, Security Alerts)
● Often: Frequent Tier (Development Logs, Test Logs)
● Intermittently: Infrequent Tier (Debug Logs, CDN Logs)
Hands-on Lab
Using Sumo Logic Training Portal

Complete Lab 3: Exploring Data Tiers


● Navigate to Manage Data > Logs > Partitions page
● Identify partitions
● Identify Data Tiers
● Click +New > Log Search > Basic Mode
Searching and Analyzing Data
● How is the data organized in Sumo Logic?
● Where do I search for my data?
● Perform a search using a query



How is data organized?

Diagram: three applications (Order, Billing, Delivery) whose App Logs, App Debug Logs and Infra Logs are placed across the Continuous Tier, Frequent Tier and Infrequent Tier.


Navigating to Basic Mode
1. Open a Log Search by clicking + New, then select Log Search.
2. Click the three-dot icon on the right of the Search page and select Basic Mode from the menu options.
3. The user interface changes to show the simple query builder.
Logs Search Basic Mode

● Recent Searches
● Data Tier: Select the Data Tier(s) the query should run against
● Index: Select the Partition(s) the query should run against
● Time Range: Set the desired range of time you want the search to run against
● Filters: Type in any metadata Field the query should run against (supports all fields, metadata and custom)
● Keywords: Filter logs using Keywords
Log Search
To investigate a potential ongoing outage on our Amazon Web Services (AWS) Application Load
Balancer (ALB).

Select
• Data Tier=Continuous
• Source Category= Labs/AWS/ALB
Navigating to Metrics Explorer
1. Open a Log Search by clicking + New, then select Metrics.
2. Click the three-dot icon on the right and select Basic Mode from the menu options.
3. The user interface changes to show the simple query builder.
Metrics Search
Select
● Metric=CPU_Total
● _collector=prod_webserver
● _sourcecategory=prod/hostmetrics
Where is the data in Sumo?

Option 1: Explore your Collectors. Click Manage Data > Collection > Collection
Option 2: Search for source categories. Click +New > Search > Basic Mode
Hands-on Lab
Using Sumo Logic Training Portal

Complete Lab 4: Data Searching


● Build a query in Basic mode.
● Parse and aggregate the results.
● Save the search results.
Parsing
• Extract meaningful fields to provide structure to your data
• Extract fields within a query manually and on an ad-hoc basis.

Parse Anchor:
| parse " *@* " as user,domain

Parse Regex:
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

Other Parse Operators: csv, json, keyvalue, split, xml

Learn more: Parse Operators
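The two parse examples above are easier to reason about with a small model of what they do to each message. The following Python is an added example written for this page, not Sumo Logic's parser or query engine: it applies the slide's anchor and regex to a few constructed log lines and shows the default behaviour that trips people up in practice, namely that a message which does not match the parse expression is dropped from the results unless `nodrop` is requested. It assumes a simplified anchor semantics in which each `*` captures the shortest run of characters up to the next literal and the first occurrence in the message wins.

```python
import re

# Constructed sample log lines for this example (not from the slides or any real system).
MESSAGES = [
    "Accepted alice@corp.example from 10.1.2.3 port 51512",
    "Accepted bob@partner.example from 192.168.7.44 port 51890",
    "Failed carol@corp.example from 203.0.113.9 port 52001",
    "Session timeout after 900s",          # no user@domain and no IP address
]


def anchor_to_regex(anchor):
    """Translate a parse anchor such as ' *@* ' into a regex.

    Every '*' becomes a non-greedy capture group; all other characters are
    literal. Assumption: the anchor is searched left to right and the first
    hit in the message is used.
    """
    parts = [re.escape(p) for p in anchor.split("*")]
    return re.compile("(.*?)".join(parts))


def parse_anchor(messages, anchor, names, nodrop=False):
    """Model of:  | parse "<anchor>" as <names>

    Messages that do not match are dropped, unless nodrop=True, in which case
    they are kept with empty field values.
    """
    rx = anchor_to_regex(anchor)
    if rx.groups != len(names):
        raise ValueError(f"anchor has {rx.groups} wildcard(s) but {len(names)} name(s) given")
    rows = []
    for msg in messages:
        m = rx.search(msg)
        if m:
            row = dict(zip(names, m.groups()))
        elif nodrop:
            row = {n: "" for n in names}
        else:
            continue                      # default: non-matching message is dropped
        row["_raw"] = msg
        rows.append(row)
    return rows


def parse_regex(messages, pattern, nodrop=False):
    """Model of:  | parse regex "<pattern>"

    Field names come from the (?<name>...) groups. Python spells named groups
    (?P<name>...), so that prefix is rewritten; lookbehinds (?<= and (?<! are
    left alone because the character after '<' is not a letter.
    """
    rx = re.compile(re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern))
    rows = []
    for msg in messages:
        m = rx.search(msg)
        if m:
            row = dict(m.groupdict())
        elif nodrop:
            row = {n: "" for n in rx.groupindex}
        else:
            continue
        row["_raw"] = msg
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in parse_anchor(MESSAGES, " *@* ", ["user", "domain"]):
        print(f"user={row['user']!r} domain={row['domain']!r}")
    for row in parse_regex(MESSAGES, r"(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"):
        print(f"src_ip={row['src_ip']}")
    print(len(parse_anchor(MESSAGES, " *@* ", ["user", "domain"], nodrop=True)), "rows with nodrop")
```

The dropping behaviour matters for counts: a query that parses a field and then counts results silently excludes every message the parse did not match, so a "total requests" panel built on a parse without `nodrop` undercounts. The `(?<name>...)` to `(?P<name>...)` rewrite is only needed because the example is written in Python; the pattern as written on the slide is what goes into the query.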


LogReduce (R)
● To group messages together based on string and pattern similarity.
● To quickly assess activity patterns for things like a range of devices
or traffic on a website.

_sourceCategory=Labs/snort
| logreduce
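To show what "grouping by string and pattern similarity" amounts to, here is an added Python example written for this page; it is not Sumo Logic's LogReduce implementation, only a small clustering routine that behaves in the same spirit. It first abstracts obviously variable tokens (numbers, IP addresses, hex values) to `*`, then merges messages whose remaining tokens are mostly identical into one signature with the differing positions wildcarded, and returns the signatures ordered by count. The sample messages are constructed; the 0.8 similarity threshold and the token-level comparison are choices made for this example.

```python
import re
from collections import Counter

# Constructed sample messages for this example (not from the slides or a real sensor).
MESSAGES = [
    "Accepted password for alice from 10.1.2.3 port 51512",
    "Accepted password for bob from 10.1.2.7 port 51890",
    "Accepted password for carol from 192.168.7.44 port 52001",
    "Failed password for invalid user admin from 203.0.113.9 port 40122",
    "Failed password for invalid user test from 203.0.113.9 port 40123",
    "Connection closed by 10.1.2.3 port 51512",
]

# Tokens that are variable by nature: integers, IPv4 (optionally with :port), hex values.
VARIABLE = re.compile(r"^(\d+|\d{1,3}(\.\d{1,3}){3}(:\d+)?|0x[0-9a-f]+)[,;:]?$", re.I)


def abstract(message):
    """First pass: replace obviously variable tokens with '*'."""
    return ["*" if VARIABLE.match(tok) else tok for tok in message.split()]


def similarity(a, b):
    """Fraction of positions holding the same token; different lengths never merge."""
    if len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def logreduce(messages, threshold=0.8):
    """Second pass: greedy clustering into signatures.

    Each message joins the first cluster whose signature is at least
    `threshold` similar; positions that differ become '*'. Returns
    [(signature, count), ...] sorted by count, most frequent first.
    """
    clusters = []  # each entry: {"tokens": [...], "count": n}
    for msg in messages:
        toks = abstract(msg)
        for c in clusters:
            if similarity(c["tokens"], toks) >= threshold:
                c["tokens"] = [x if x == y else "*" for x, y in zip(c["tokens"], toks)]
                c["count"] += 1
                break
        else:
            clusters.append({"tokens": toks, "count": 1})
    clusters.sort(key=lambda c: -c["count"])
    return [(" ".join(c["tokens"]), c["count"]) for c in clusters]


def signature_counts(messages, threshold=0.8):
    """Same result as a Counter keyed by signature, convenient for assertions."""
    return Counter(dict(logreduce(messages, threshold)))


if __name__ == "__main__":
    for signature, count in logreduce(MESSAGES):
        print(f"{count:4d}  {signature}")
```

Reading the output the way the slide suggests (activity patterns across many devices or a site's traffic): six raw lines collapse to three signatures, and the rare one, the single "Connection closed" line, is exactly the kind of outlier that is worth a second look, which is the point of reducing before reading.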
Monitoring and Visualizing Data
● Alert Response
● Context Cards for Troubleshooting
● Charts, Panels, Dashboards



Alert Response overview

● Find relevant details about triggered alerts
● Identify the root cause using Context Cards
● Quickly resolve the underlying issue

Unified Monitors alert on thresholds (Critical, Warning, Missing Data)
Alert Response - Context Cards

● Log Fluctuation: Identify changes in Log patterns/signatures that might help explain the underlying issue
● Anomaly: Find anomalies in metrics data reported by various related entities over time
● Dimensional Explanation: Analyze app log data and surface dimensions that might explain the alert condition
● Benchmarks: Surface abnormalities in data reported by various entities when compared with other Sumo cohort
Alert Response - Troubleshooting
Monitoring - Alerts
Scheduled Searches trigger Alerts when a condition is met.

Alert Types:
● Email
● Webhook
● Save to Index
● Script Action
Hands-on Lab
Using Sumo Logic Training Portal

Complete Lab 5: Data Monitoring


● Create an email alert
Dashboards, Charts, Panels

Visualization



Panels
● Panels are the building blocks
used to create a dashboard.
○ Time Series
○ Categorical
○ Single Value
○ Map
○ Text
○ Honeycomb
Charts

● Edit/Modify the Chart type to analyze the data in another format.
○ Area, Bar
○ Column, Line, Table
Dashboards

• Select Time range to view data for the corresponding panel
• Auto Refresh: Ability to configure the refresh interval rate
• Ability to add panels inline through Add a Panel button

● Each Panel processes results from a single search.
● The variables work across both log and metric panels.
Hands-on Lab
Using Sumo Logic Training Portal

Complete Lab 6: Data Visualization


● Create and modify a chart.
● Create, share, modify a dashboard.
● Create a panel and add it to a dashboard.
● Add a text panel.
Quick recap

1. Demo a use case to familiarize you with our capability
2. Learned what data is available and where to find it
3. Learned to search using basic mode and analyze data
4. Learned to do trending analysis and monitor critical events

Next, we continue to get “Fundamentals Certified”
What’s next?
This is just the beginning of your Sumo journey!

1 Get certified! Take the Fundamentals Exam
2 Take more classes! Self-paced Fundamentals, Administration, Search Mastery courses
3 Join the community! Sumo Logic user group on LinkedIn
Resources
Training, Docs, Community, Support



Hands-on Lab
Using Sumo Logic Training Portal

Complete Lab 7: Get Help


● Get Help with Sumo Logic
● Check out the Release Notes
● Search DocHub
● Visit the Learn Page in Sumo
● Post a question on the Sumo Community
● Try our Customer Slack channel
● Log a Support Ticket
Hands-on Lab Guides

1. Click Home > Certification > Get Certified


2. Select Recorded Live Training
3. Select Fundamentals Cert Jam
4. Click Register
Certification
In order to get credit for the exam,
go to your own Sumo account and login
(your company account, not the training
account)

Assessment:
1. Click > Certification > Get Certified
2. Click Get Certified
3. Click <course name>
4. Click
5. Under Read Me First, click Before you start
6. Click
7. Click
Assessment description

• 30 questions
• 60 minutes to take it
• Need a 75% to pass
• 3 Attempts
• Open Resource (slides, labs, and
documentation)
If you find your login is cycling back to the
exam screen, do the following:

● In the black left bar, click Help


● Click Community
● An email verification should be sent to your inbox
● Once you verify, you should able to take the exam
without any issues



In order to get credit for the assessment
Follow these steps:

1. After each section, click Next or Submit.


2. When you get to the last section, click Go
to results.
3. When you passed the class, you’ll get a
congratulations message. Then click
Submit results.
4. After your feedback, you can click Close
course.
For passing the exam, you will earn:

● A Certificate
● An invitation to our LinkedIn Group
● The respect of your peers
● Fame, Fortune and more...

Thank you
Jessica Robbens