\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr}           % For header and footer
\usepackage{multicol}           % Allows multicols in tables
\usepackage{tabularx}           % Intelligent column widths
\usepackage{tabulary}           % Used in header and footer
\usepackage{hhline}             % Border under tables
\usepackage{graphicx}           % For images
\usepackage{xcolor}             % For hex colours
%\usepackage[utf8x]{inputenc}    % For unicode character support
\usepackage[T1]{fontenc}        % Without this we get weird character replacements
\usepackage{colortbl}           % For coloured tables
\usepackage{setspace}           % For line height
\usepackage{lastpage}           % Needed for total page number
\usepackage{seqsplit}           % Splits long words.
%\usepackage{opensans}          % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem}     % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath}            % Symbols
\usepackage{MnSymbol}           % Symbols
\usepackage{wasysym}            % Symbols
%\usepackage[english,german,french,spanish,italian]{babel}              % Languages

% Document Info
\author{TME520 (TME520)}
\pdfinfo{
  /Title (sumo-logic.pdf)
  /Creator (Cheatography)
  /Author (TME520 (TME520))
  /Subject (Sumo Logic Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit
% This two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{29A1E6}
\definecolor{LightBackground}{HTML}{F1F9FD}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Sumo Logic Cheat Sheet}}}} \\
    \normalsize{by \textcolor{DarkBackground}{TME520 (TME520)} via \textcolor{DarkBackground}{\uline{cheatography.com/20978/cs/12704/}}}
\end{tabulary}
\end{multicols}}

\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}}  \\
  \vspace{-2pt}TME520 (TME520) \\
  \uline{cheatography.com/tme520} \\
        \uline{\seqsplit{tme520}.com}
  \end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}}  \\
   \vspace{-2pt}Published 4th September, 2017.\\
   Updated 26th April, 2020.\\
   Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}}  \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}




\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.


\begin{tabularx}{17.67cm}{x{4.8923 cm} x{5.9045 cm} x{6.0732 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Metadata}}  \tn
% Row 0
\SetRowColor{LightBackground}
\{\{nobreak\}\}{\bf{ \seqsplit{\_sourceHost} }} & The host name of the Source. For local Sources the name of the Source is set when you configure the Source. For remote Collectors, this field uses the remote host's name. The \_sourceHost metadata field is populated using a reverse DNS lookup. If the name cannot be resolved, \_sourceHost is displayed as localhost. & ` \seqsplit{\_sourceHost=*MySQL*} ` \tn 
% Row Count 23 (+ 23)
% Row 1
\SetRowColor{white}
\{\{nobreak\}\}{\bf{ \seqsplit{\_sourceName} }} & The name of the log file, determined by the path you entered when you configured the Source. & ` \_sourceName=/path/to/file/\{\{nl\}\}\_sourceName=*path* \{\{nl\}\} \_sourcename = \seqsplit{"/var/log/tomcat/logs/foobar}.log"` \tn 
% Row Count 31 (+ 8)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{4.8923 cm} x{5.9045 cm} x{6.0732 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Metadata (cont)}}  \tn
% Row 2
\SetRowColor{LightBackground}
\{\{nobreak\}\}{\bf{ \seqsplit{\_sourceCategory} }} & This field is created when you enter text into the Source Category field at Source configuration time. Log categories can be somewhat complex, as many log files may belong to more than one logical category. & ` \seqsplit{\_sourceCategory=OS*} ` \tn 
% Row Count 15 (+ 15)
% Row 3
\SetRowColor{white}
 &  & \{\{nobreak\}\}` \seqsplit{\_sourceCategory=*Application*} ` \tn 
% Row Count 19 (+ 4)
% Row 4
\SetRowColor{LightBackground}
 &  & ` \seqsplit{\_sourceCategory=*Audit} ` \tn 
% Row Count 21 (+ 2)
% Row 5
\SetRowColor{white}
{\bf{ \seqsplit{\_collector} }} & Returns results from the named Collector only. Entered when a Collector is installed and activated. & ` \seqsplit{\_collector=public\_cloud} ` \tn 
% Row Count 29 (+ 8)
% Row 6
\SetRowColor{LightBackground}
{\bf{ \_source }} & Returns results from the named Source only. Entered when a Source is configured. & ` \seqsplit{\_source=*syslog*} ` \tn 
% Row Count 35 (+ 6)
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\SetRowColor{LightBackground}
\mymulticolumn{3}{x{17.67cm}}{While `\_sourcename = *api.log` works, `\_sourcename = "*api.log"` will fail. \newline List all categories: `* | count by \_sourceCategory | fields -\_count`}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{3.7114 cm} x{6.5793 cm} x{6.5793 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Input format}}  \tn
% Row 0
\SetRowColor{LightBackground}
\{\{nobreak\}\}{\bf{keyvalue}} & For KVP type logs. The keyvalue operator allows you to get values from a log message by specifying the key paired with each value. & \{\{nobreak\}\}` | keyvalue "age"\{\{nl\}\}| keyvalue infer "hairColor", "lastVisit" \{\{nl\}\}| keyvalue regex "=(.*?){[},|\}{]}" keys \seqsplit{"serviceinfo.IP"}, \seqsplit{"loggingcontext}.region", \seqsplit{"request.method"} as ip, region, method \{\{nl\}\}| keyvalue auto` \tn 
% Row Count 15 (+ 15)
% Row 1
\SetRowColor{white}
{\bf{csv}} & The csv operator allows you to parse Comma Separated Values (CSV) formatted log entries. It uses a comma as the default delimiter. &  \tn 
% Row Count 24 (+ 9)
% Row 2
\SetRowColor{LightBackground}
 & Parse comma delimited fields & ` | csv\_raw extract 1 as user, 2 as id, 3 as name ` \tn 
% Row Count 28 (+ 4)
% Row 3
\SetRowColor{white}
 & Parse a stream query and extract search terms & `"Starting stream query" | parse "query={[}*{]}, queryId" as query | csv query extract searchTerms, op1, op2, op3` \tn 
% Row Count 36 (+ 8)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{3.7114 cm} x{6.5793 cm} x{6.5793 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Input format (cont)}}  \tn
% Row 4
\SetRowColor{LightBackground}
 & Specify an escape, and quote character & `csv fieldName escape='\textbackslash{}', quote=''' extract A, B, \_, \_, E, F` \tn 
% Row Count 5 (+ 5)
% Row 5
\SetRowColor{white}
{\bf{JSON}} & The JSON operator allows you to extract values from JSON input. Because JSON supports both nested keys and arrays that contain ordered sequences of values, the Sumo Logic JSON operator allows you to extract single top-level fields, multiple fields, nested keys and keys in arrays. &  \tn 
% Row Count 24 (+ 19)
% Row 6
\SetRowColor{LightBackground}
 & Extracting a single top-level field & \seqsplit{`\_sourceCategory=stream} \seqsplit{RawOutputProcessor} "\textbackslash{}"message\textbackslash{}"" | parse \seqsplit{"explainJsonPlan}.stream{]}*" as jsonobject  | json \seqsplit{field=jsonobject} "sessionId" | fields -jsonobject` \tn 
% Row Count 35 (+ 11)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{3.7114 cm} x{6.5793 cm} x{6.5793 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Input format (cont)}}  \tn
% Row 7
\SetRowColor{LightBackground}
 & Extracting multiple fields & \seqsplit{`\_sourceCategory=stream} \seqsplit{RawOutputProcessor} "\textbackslash{}"message\textbackslash{}"" | parse \seqsplit{"explainJsonPlan}.stream{]}*" as jsonobject | json \seqsplit{field=jsonobject} "sessionId", "customerId" | fields -jsonobject` \tn 
% Row Count 12 (+ 12)
% Row 8
\SetRowColor{white}
 & Extracting a nested key & `* | json \seqsplit{field=jsonobject} "meta.type"` \tn 
% Row Count 15 (+ 3)
% Row 9
\SetRowColor{LightBackground}
 & Finding values in a JSON array & `* | json \seqsplit{field=jsonobject} \seqsplit{"baselineIntervals"`} \tn 
% Row Count 19 (+ 4)
% Row 10
\SetRowColor{white}
 & Refer to one specific entry in an array & `* | json \seqsplit{field=jsonobject} "baselineIntervals{[}1{]}"` \tn 
% Row Count 23 (+ 4)
% Row 11
\SetRowColor{LightBackground}
 & Using the nodrop option & `* | json \seqsplit{field=jsonobject} "baselineIntervals{[}0{]}" nodrop` \tn 
% Row Count 27 (+ 4)
% Row 12
\SetRowColor{white}
 & Note: The JSON operator also supports the nodrop option, which allows messages containing invalid JSON values to be displayed. &  \tn 
% Row Count 36 (+ 9)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{3.7114 cm} x{6.5793 cm} x{6.5793 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Input format (cont)}}  \tn
% Row 13
\SetRowColor{LightBackground}
 & Using wildcard (*) & \seqsplit{`\_sourceCategory=O365*} | json "Actor{[}*{]}.Type" as Actortype` \tn 
% Row Count 5 (+ 5)
% Row 14
\SetRowColor{white}
 & json auto works by searching for json blobs beginning at the end of the message. Usually logs begin with a preamble, such as a timestamp. In cases where content appears at the end of the message after the json blob, the extraction could fail. Having the json blob at the end of the message is recommended, as having it in the middle could cause extraction failure. & ` | json auto ` \tn 
% Row Count 30 (+ 25)
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\SetRowColor{LightBackground}
\mymulticolumn{3}{x{17.67cm}}{{\bf{KVP}}: Key-Value Pairs. Logs formatted this way look something like this: \newline `{[}2019-12-24 23:59:59.380 +1100{]} age=42 name="Rick Deckard" hairColor="brown" lastVisit="2018-04-19 13:00"` \newline {\bf{infer}}: Default mode. Uses an internal list of regex to extract the value for a key. \newline {\bf{regex}}: In Regular Expression mode, you must explicitly match keys and values based on a regex. \newline {\bf{auto}}: Extract up to N fields. N is 100 by default.}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{3.7114 cm} x{6.5793 cm} x{6.5793 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Conditions}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{if}} & There are two forms of ternary expression you can use in Sumo Logic queries: one is constructed using the IF operator, and the other uses the question mark (?) operator. These expressions are used to evaluate a condition as either true or false, with values assigned for each outcome. It is a shorthand way to express an if-else condition. & ` | \seqsplit{if(status\_code} matches "5*", 1, 0) as server\_error ` \tn 
% Row Count 23 (+ 23)
% Row 1
\SetRowColor{white}
 &  & ` | status\_code matches "5*" ? 1 : 0 as server\_error ` \tn 
% Row Count 27 (+ 4)
% Row 2
\SetRowColor{LightBackground}
{\bf{in}} & The In operator returns a Boolean value: true if the specified property is in the specified object, or false if it is not. & ` | if (status\_code in ("500", "501", "502", "503", "504", "505", "506", "401", "402", "403", "404"), "Error", "OK") as \seqsplit{status\_code\_type} ` \tn 
% Row Count 37 (+ 10)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{3.7114 cm} x{6.5793 cm} x{6.5793 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Conditions (cont)}}  \tn
% Row 3
\SetRowColor{LightBackground}
{\bf{where}} & The where operator must appear as a separate operator distinct from other operators, delimited by the pipe symbol ("|"). & ` //We recommend placing inclusive filters before exclusive filters in query strings ` \tn 
% Row Count 8 (+ 8)
% Row 4
\SetRowColor{white}
 &  & ` | where status\_code matches "4*" ` \tn 
% Row Count 11 (+ 3)
% Row 5
\SetRowColor{LightBackground}
 &  & ` | where !(status\_code matches "2*") ` \tn 
% Row Count 14 (+ 3)
% Row 6
\SetRowColor{white}
{\bf{isBlank}} & The isBlank operator checks to see that a string contains text. Specifically, it checks to see if a character sequence is whitespace, empty ("") ,or null. It takes a single parameter and returns a Boolean value: true if the variable is indeed blank, or false if the variable contains a value other than whitespace, empty, or null. & ` | where isBlank(user) ` \tn 
% Row Count 36 (+ 22)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{3.7114 cm} x{6.5793 cm} x{6.5793 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Conditions (cont)}}  \tn
% Row 7
\SetRowColor{LightBackground}
\{\{nobreak\}\}{\bf{isEmpty}} & The isEmpty operator checks to see that a string contains text. Specifically, it checks to see whether a character sequence is empty ("") or null. It takes a single parameter and return a Boolean value: true if the variable is indeed empty, or false if the variable contains a value other than empty or null. & ` | \seqsplit{if(isEmpty(src\_ip)},1,0) as \seqsplit{null\_ip\_counts} ` \tn 
% Row Count 21 (+ 21)
% Row 8
\SetRowColor{white}
{\bf{isNull}} & The isNull operator takes a single parameter and returns a Boolean value: True if the variable is indeed null, or false if the variable contains a value other than null. & ` \{\{nobreak\}\}| where \seqsplit{isNull(src\_ip)} ` \tn 
% Row Count 33 (+ 12)
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{4.3862 cm} x{6.2419 cm} x{6.2419 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Data extraction}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{parse(regex)}} & Best for variable patterns. Also called the extract operator; enables users to extract more complex data from log lines using regular expressions. Can be used to extract nested fields. & ` | parse "Content=*:" as content ` \tn 
% Row Count 14 (+ 14)
% Row 1
\SetRowColor{white}
 & Parsing an IP address & `| parse regex "(?\textless{}ip\_address\textgreater{}\textbackslash{}d\{1,3\}\textbackslash{}.\textbackslash{}d\{1,3\}\textbackslash{}.\textbackslash{}d\{1,3\}\textbackslash{}.\textbackslash{}d\{1,3\}) "` \tn 
% Row Count 19 (+ 5)
% Row 2
\SetRowColor{LightBackground}
 & Indicating an OR condition to use non-capturing groups & `| parse regex "list 101 \seqsplit{(accepted|denied)} (?\textless{}protocol\textgreater{}.*?) "` \tn 
% Row Count 24 (+ 5)
% Row 3
\SetRowColor{white}
\{\{nobreak\}\}{\bf{parse(anchor)}} & Best for predictable patterns. Also called parse anchor, parses strings according to specified start and stop anchors and labels them as fields for use in subsequent aggregation functions in the query such as sorting, grouping... & ` | parse "User=*:" as user ` \tn 
% Row Count 41 (+ 17)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{4.3862 cm} x{6.2419 cm} x{6.2419 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Data extraction (cont)}}  \tn
% Row 4
\SetRowColor{LightBackground}
{\bf{split}} & The split operator allows you to split strings into multiple strings, and parse delimited log entries, such as \seqsplit{space-delimited} formats. & ` \seqsplit{\_sourceCategory=colon} | parse "{]} {\emph{ }}" as log\_level, text | split text delim=':' extract 1 as user, 2 as account\_id, 3 as session\_id, 4 as result ` \tn 
% Row Count 11 (+ 11)
% Row 5
\SetRowColor{white}
{\bf{fields}} & The fields operator allows you to choose which fields are displayed in the results of a query. & \{\{nobreak\}\}` \seqsplit{\_sourceCategory=access\_logs}  | parse using public/apache  | fields method, status\_code ` \tn 
% Row Count 19 (+ 8)
% Row 6
\SetRowColor{LightBackground}
{\bf{limit}} & The limit operator reduces the number of raw messages or aggregate results returned. & ` | count by \seqsplit{\_sourceCategory} | sort by \_count | limit 5 ` \tn 
% Row Count 25 (+ 6)
% Row 7
\SetRowColor{white}
{\bf{matches}} & The matches operator can be used to match a string to a pattern. & ` | if (agent matches "*MSIE*","Internet Explorer","Other") as Browser \{\{nl\}\}| if (agent matches "*Firefox*","Firefox",Browser) as Browser ` \tn 
% Row Count 36 (+ 11)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{4.3862 cm} x{6.2419 cm} x{6.2419 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Data extraction (cont)}}  \tn
% Row 8
\SetRowColor{LightBackground}
\{\{nobreak\}\}{\bf{timeslice}} & The timeslice operator segregates data by time period. & `| timeslice 1h | count by \_timeslice` \tn 
% Row Count 4 (+ 4)
% Row 9
\SetRowColor{white}
 &  & \seqsplit{`\_sourcename=*tomcat*} | timeslice by 5m | count by \_timeslice` \tn 
% Row Count 9 (+ 5)
% Row 10
\SetRowColor{LightBackground}
 & Output of last example: & `\#~Time~~~~~~~~\_count\{\{nl\}\}1~09/07/2017~11:25:00~AM~+1000~~9,234\{\{nl\}\}2~09/07/2017~11:30:00~AM~+1000~~14,496\{\{nl\}\}3~09/07/2017~11:35:00~AM~+1000~~15,988\{\{nl\}\}4~09/07/2017~11:40:00~AM~+1000~~3,383` \tn 
% Row Count 35 (+ 26)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{4.3862 cm} x{6.2419 cm} x{6.2419 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Data extraction (cont)}}  \tn
% Row 11
\SetRowColor{LightBackground}
{\bf{trace}} & A trace operator acts as a highly sophisticated filter to connect the dots across different log messages. You can use any identifying value with a trace operator (such as a user ID, IP address, session ID, etc.) to retrieve a comprehensive set of activity associated to that original ID. & ` | trace "ID=( {[}0-9a-fA-F{]} \{4\} )" "7F92" ` \tn 
% Row Count 21 (+ 21)
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\SetRowColor{LightBackground}
\mymulticolumn{3}{x{17.67cm}}{{\bf{About limit}}: Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase. \newline {\bf{About timeslice}}: Timeslices greater than 1 day cannot be used in Dashboard Live mode. \newline {\bf{About trace}}: Not supported in Live Dashboards or any continuous query.}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{5.7358 cm} x{5.5671 cm} x{5.5671 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Crunch numbers}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{count\{\{nl\}\}count\_distinct\{\{nl\}\}count\_frequent}} & Used in conjunction with the group operator and a field name. Only the word by is required. The count function is also an operator in its own right and therefore can be used with or without the word by. & \{\{nobreak\}\}` | count by url\{\{nl\}\}| \seqsplit{count\_distinct(referrer)} by status\_code\{\{nl\}\}\_sourcename=*tomcat* | \seqsplit{count\_distinct(\_sourceName)} group by \_sourceHost | sort by \seqsplit{\_count\_distinct} desc` \tn 
% Row Count 16 (+ 16)
% Row 1
\SetRowColor{white}
{\bf{sum}} & Sum adds the values of the numerical field being evaluated within the time range analyzed. & ` | \seqsplit{sum(bytes\_received)} group by \seqsplit{\_sourceHost`} \tn 
% Row Count 23 (+ 7)
% Row 2
\SetRowColor{LightBackground}
{\bf{avg}} & The averaging function (avg) calculates the average value of the numerical field being evaluated within the time range analyzed. & ` | \seqsplit{avg(request\_received)} by \_timeslice ` \tn 
% Row Count 33 (+ 10)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{5.7358 cm} x{5.5671 cm} x{5.5671 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Crunch numbers (cont)}}  \tn
% Row 3
\SetRowColor{LightBackground}
{\bf{median}} & In order to calculate the median value for a particular field, you can utilize the Percentile (pct) operator with a percentile argument of 50. & ` | parse "value=*" as value | pct(value, 50) as median ` \tn 
% Row Count 11 (+ 11)
% Row 4
\SetRowColor{white}
{\bf{outlier}} & Given a series of time-stamped numerical values, using the outlier operator in a query can identify values in a sequence that seem unexpected, and would identify an alert or violation, for example, for a scheduled search. & ` \seqsplit{\_sourceCategory=IIS/Access} | parse regex "\textbackslash{}d+-\textbackslash{}d+-\textbackslash{}d+ \textbackslash{}d+:\textbackslash{}d+:\textbackslash{}d+ (?\textless{}server\_ip\textgreater{}\textbackslash{}S+) (?\textless{}method\textgreater{}\textbackslash{}S+) (?\textless{}cs\_uri\_stem\textgreater{}/\textbackslash{}S+?) \textbackslash{}S+ \textbackslash{}d+ (?\textless{}user\textgreater{}\textbackslash{}S+) (?\textless{}client\_ip\textgreater{}{[}\textbackslash{}.\textbackslash{}d{]}+) " | parse regex "\textbackslash{}d+ \textbackslash{}d+ \textbackslash{}d+ (?\textless{}response\_time\textgreater{}\textbackslash{}d+)\$" | timeslice 1m  | \seqsplit{max(response\_time)} as \seqsplit{response\_time} by \_timeslice | outlier \seqsplit{response\_time} window=5,threshold=3,consecutive=2,direction=+- ` \tn 
% Row Count 39 (+ 28)
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{5.7358 cm} x{5.5671 cm} x{5.5671 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Crunch numbers (cont)}}  \tn
% Row 5
\SetRowColor{LightBackground}
{\bf{sort}} & The sort operator orders aggregated search results. The default sort order is descending. & ` | count as page\_hits by \_sourceHost | sort by page\_hits asc ` \tn 
% Row Count 7 (+ 7)
% Row 6
\SetRowColor{white}
{\bf{top}} & Use the top operator with the sort operator, to reduce the number of sorted results returned. & ` | top 5 \seqsplit{\_sourcecategory} ` \tn 
% Row Count 15 (+ 8)
% Row 7
\SetRowColor{LightBackground}
{\bf{min}} & The minimum function returns the smaller of two values. & ` | min(1, 2) as v\{\{nl\}\}// v = 1 ` \tn 
% Row Count 20 (+ 5)
% Row 8
\SetRowColor{white}
{\bf{max}} & The maximum function returns the larger of two values. & ` | max(1, 2) as v\{\{nl\}\}// v = 2 ` \tn 
% Row Count 25 (+ 5)
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\SetRowColor{LightBackground}
\mymulticolumn{3}{x{17.67cm}}{{\bf{About count\_frequent}}: You can use the count\_frequent operator in Dashboard queries, but the number of results returned is limited to the top 100 most frequent results. \newline {\bf{About top}}: Can be used in Dashboard Panels, but in the search they must be included after the first group-by phrase.}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Geo lookup}}  \tn
% Row 0
\SetRowColor{LightBackground}
Sumo Logic can match an extracted IP address to it's geographical location on a map. To create the map, after parsing the IP addresses from log files, the lookup operator matches extracted IP addresses to the physical location where the addresses originated. & ` | parse "remote\_ip=*{]}" as remote\_ip | lookup latitude, longitude, country\_code, country\_name, region, city, postal\_code, area\_code, metro\_code fromgeo://default on ip = remote\_ip | count by latitude, longitude, country\_code, country\_name, region, city, postal\_code, area\_code, metro\_code | sort \_count ` \tn 
% Row Count 16 (+ 16)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{logcompare}}  \tn
% Row 0
\SetRowColor{LightBackground}
The logcompare operator allows you to compare two sets of logs: baseline (historical) and target (current). To run a LogCompare operation, you can use the LogCompare button on the Messages tab to generate a properly formatted query & `\{\{nobreak\}\} | logcompare timeshift -24h ` \tn 
% Row Count 12 (+ 12)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{{\bf{About logcompare}}: Not supported in Dashboards.}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{10.5347 cm} x{6.7353 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{logreduce}}  \tn
% Row 0
\SetRowColor{LightBackground}
The LogReduce algorithm uses fuzzy logic to cluster messages together based on string and pattern similarity. Use the LogReduce button and operator to quickly assess activity patterns for things like a range of devices or traffic on a website. & `\{\{nobreak\}\} | logreduce ` \tn 
% Row Count 11 (+ 11)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{{\bf{About logreduce}}: Not supported in Dashboards.}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{save}}  \tn
% Row 0
\SetRowColor{LightBackground}
Using the Save operator allows you to save the results of a query into the Sumo Logic file system. Later, you can use the lookup operator to access the saved data. The Save operator saves data in a simple format to a location you choose. & `\{\{nobreak\}\} | save \seqsplit{/shared/lookups/daily\_users} ` \tn 
% Row Count 12 (+ 12)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{{\bf{About save}}: Not supported in Dashboards.}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{x{3.8801 cm} x{6.5793 cm} x{6.4106 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{17.67cm}}{\bf\textcolor{white}{Visualization}}  \tn
% Row 0
\SetRowColor{LightBackground}
\{\{nobreak\}\}{\bf{transpose}} & Turn a list into a table in the Aggregates tab. & `transpose row {[}row fields{]} column {[}column fields{]}` \tn 
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
 &  & \seqsplit{`\_sourceCategory=Labs/Apache/Access} | timeslice 5m | count by \_timeslice, status\_code | transpose row \_timeslice column status\_code` \tn 
% Row Count 13 (+ 9)
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}



\end{document}