Data Push Destinations Example Using the Generic HTTP Endpoint with Sumo Logic to Search and Analyze Issues
Written by Josh Peters

Sumo Logic is a popular tool to manage, visualize and correlate events. Although we do not have a dedicated Sumo Logic integration, this example will show how you can send issue data from your UXI dashboard to Sumo Logic using the Generic HTTP Endpoint Data Push Destination.

This example uses the Sumo Logic HTTP Logs and Metrics Source, a hosted source that accepts data posted over HTTPS to a unique collector URL.

Adding UXI Issue data to Sumo Logic

In Sumo Logic, go to Manage Data -> Collection.

Next select Add Collector and choose the option for Hosted Collector.

Give the Hosted Collector a name and select Save.

Under the newly created Hosted Collector, select Add Source and choose the option for HTTP Logs and Metrics.

In the HTTP Logs & Metrics configuration screen, specify a name. The searches later in this article assume the source is named uxi_issues.

Next, expand the Advanced Options.

For the UXI Generic HTTP Endpoint, each message may contain more than one issue.

To account for this, ensure Multiline Processing is selected, choose Add Boundary Regex and enter the following:

\{.*\}

Select Save

On the next screen you will be given a URL that can be used to send data to Sumo Logic. Copy down this URL.

Next, open the UXI dashboard and navigate to Settings -> Integrations.

Under Data Push Destinations, Select Add Destination.

Enter the following in the menu.

  • Data Type: Issues (Do not send test results)

  • Destination Type: Generic HTTP Endpoint

  • Name: Give the data push a unique friendly name

  • URL: enter the URL for the Sumo Logic HTTP Logs and Metrics Source

  • Username: You can type anything here. Do not leave blank

  • Password: You can type anything here. Do not leave blank

Select Submit.

Note that although the Generic HTTP Endpoint data push uses HTTP Basic Auth, the Sumo Logic HTTP source authenticates by the unique token embedded in its URL and ignores the Basic Auth credentials it receives. Based on our testing, you can use the URL as-is and enter anything in the username and password fields. Two consequences follow. First, the URL is effectively the credential: treat it as a secret, keep it out of tickets and chat, and if it is exposed, regenerate the source URL in Sumo Logic and update the data push destination. Second, do not reuse a real account password in the password field; it is transmitted with every push but never checked.

After a few minutes, you should begin seeing issue data in Sumo Logic.

Using UXI Issue Data in Sumo Logic

The UXI Data Push for the Generic HTTP Endpoint can contain multiple events in the same message. Each issue is a separate object in a JSON list. In Sumo Logic, the practical way to break these out into individual records is parse regex with the multi operator, which creates one result row per match of the pattern.

For example, a plain log search such as the following returns whole messages, so you would have to look through every element of the list to find the issue you care about.

_source = "uxi_issues"

However, if you run parse regex with the multi operator, you can pull each item in the list into its own result row and search them far more easily. The separators between fields are written as [^}]* rather than .* so that a match can never run past the closing brace of one issue into the next; with a greedy .* between fields, a message containing several issues collapses into a single row whose later fields come from a different issue. The pattern also assumes the fields appear in each issue in the order shown.

_source = "uxi_issues"
| parse regex "\"uid\":\"(?<uid>.*?)\"[^}]*\"code\":\"(?<code>.*?)\"[^}]*\"status\":\"(?<status>.*?)\"[^}]*\"timestamp\":\"(?<timestamp>.*?)\"[^}]*\"hierarchy_node_path\":\"(?<hierarchy_node_path>.*?)\"[^}]*\"hierarchy_node_name\":\"(?<hierarchy_node_name>.*?)\"[^}]*\"network_name\":\"(?<network_name>.*?)\"[^}]*\"service_name\":\"(?<service_name>.*?)\"[^}]*\"sensor_name\":\"(?<sensor_name>.*?)\"[^}]*\"mac_address\":\"(?<mac_address>.*?)\"" multi

The above search matches only issues whose service_name is a string, which identifies application issues. To identify network issues, where service_name is null, run a variant of the search that matches the literal null instead of a quoted string.

_source = "uxi_issues"
| parse regex "\"uid\":\"(?<uid>.*?)\"[^}]*\"code\":\"(?<code>.*?)\"[^}]*\"status\":\"(?<status>.*?)\"[^}]*\"timestamp\":\"(?<timestamp>.*?)\"[^}]*\"hierarchy_node_path\":\"(?<hierarchy_node_path>.*?)\"[^}]*\"hierarchy_node_name\":\"(?<hierarchy_node_name>.*?)\"[^}]*\"network_name\":\"(?<network_name>.*?)\"[^}]*\"service_name\":(?<service_name>null)[^}]*\"sensor_name\":\"(?<sensor_name>.*?)\"[^}]*\"mac_address\":\"(?<mac_address>.*?)\"" multi

You can also search a specific sensor and use other functions to examine the data. Each issue produces events with the same uid and a status of either CONFIRMED or RESOLVED, so the pair can be treated as a transaction: a uid that has only a CONFIRMED event and no matching RESOLVED event is still open. The following search lists ongoing application issues detected by a specific sensor.

_source = "uxi_issues"
| parse regex "\"uid\":\"(?<uid>.*?)\"[^}]*\"code\":\"(?<code>.*?)\"[^}]*\"status\":\"(?<status>.*?)\"[^}]*\"timestamp\":\"(?<timestamp>.*?)\"[^}]*\"hierarchy_node_path\":\"(?<hierarchy_node_path>.*?)\"[^}]*\"hierarchy_node_name\":\"(?<hierarchy_node_name>.*?)\"[^}]*\"network_name\":\"(?<network_name>.*?)\"[^}]*\"service_name\":\"(?<service_name>.*?)\"[^}]*\"sensor_name\":\"(?<sensor_name>.*?)\"[^}]*\"mac_address\":\"(?<mac_address>.*?)\"" multi
| where sensor_name = "SC Exec Lounge"
| transactionize uid
| where _group_size = 1
| where status = "CONFIRMED"

You can also use aggregation functions and create custom dashboards. For example, the following search counts confirmed network issues by issue code and can be displayed as a pie chart in a dashboard panel.

_source = "uxi_issues"
| parse regex "\"uid\":\"(?<uid>.*?)\"[^}]*\"code\":\"(?<code>.*?)\"[^}]*\"status\":\"(?<status>.*?)\"[^}]*\"timestamp\":\"(?<timestamp>.*?)\"[^}]*\"hierarchy_node_path\":\"(?<hierarchy_node_path>.*?)\"[^}]*\"hierarchy_node_name\":\"(?<hierarchy_node_name>.*?)\"[^}]*\"network_name\":\"(?<network_name>.*?)\"[^}]*\"service_name\":(?<service_name>null)[^}]*\"sensor_name\":\"(?<sensor_name>.*?)\"[^}]*\"mac_address\":\"(?<mac_address>.*?)\"" multi
| where status = "CONFIRMED"
| count by code
| sort by _count
