Date posted: 13-Apr-2017
Uploaded by: sumo-logic
Sumo Logic Confidential
Introduction to LogCompare: How to Reduce your MTTI/MTTR with One Click?
Matt Amel: Product Management, Advanced Analytics
Latimer Luis: Customer Success Manager
Agenda
• What is Log Analytics?
• Why Machine Learning Technologies?
• LogReduce and LogCompare?
• Use-Cases and Benefits
• Demo
• Q/A
Sumo Logic: Turning Logs Into IT and Business Insights
Dec 12 17:23:19 database-host login[3866]: DEAD_PROCESS: 3866 ttys000
12/20/2011 17:23:04 PST [user=234fsf] starting transaction, sessionid:2F0A232324, [host=pay002.sjc] amount=1725.00
12/20/11 17:23:14 AMQ7163: WebSphere MQ job number 18429 started FOR client_session=2F0A232324.
122012 17:23:17 /usr/local/build/mysql/libexec/mysqld: Abnormal shutdown [18429]
Dec 12 17:23:24 VMware ESX Server PCPU 1 locked up. Failed to ack TLB invalidate. frame=0x3a37d98 ip=0x625e94
<134>May 05 2005 09:23:07: %PIX-6-106100: access-list inside_access_out denied tcp inside/68.162.72.163(4326) -> outside/45.200.244.124(3127) hit-cnt 1(first hit)
66.249.67.24 - - [24/Jun/2012:17:23:10 -0700] "POST /APP/Order.php HTTP/1.1" 304 146 "-" SESSION=2F0A232324
Custom App Code
Server / OS
Virtualization
Databases
Network
Open Source Software
Middleware
Imagine 100 million events per second…
Sumo Logic’s data grows 1PB every 2 weeks
Managed in a massively distributed environment
Typical customer ingest rate: 50GB/day (over 1 M events/sec)
Two main use-cases for sifting through millions of logs
• Investigative: What was the cause of a failure?
• Preventive: Is something going to break (as a result of a deploy, …)?
Our ITOps and DevOps Engineers Were Asking…
• How was an app or a system behaving before the recent failure compared to a previous “normal” time?
• What are the changes in log patterns before and after the release?
• How can I compare the production stability and quality of current release with the previous one?
• How can I compare the Log patterns between two machines in the same cluster or between two different deployments?
There are different ways to answer such questions…..
Search and Live Tail…
Specific keywords (transaction id, session id, etc.)
• Search: Track a specific problem across systems, apps, layers
• Live Tail: Track a specific stream of logs in real-time
Similar to Linux “tail -f”
Across different systems, side by side.
LogReduce
Sumo Logic’s Unique ML technology
Extracts meaningful patterns from logs
Log data is repetitious, need to find/analyze patterns
Condenses the logs without ignoring any data
From 100,000 logs to few pages of patterns
Reduces the noise
Find the needle in the haystack
Solution: Establish a Baseline, Find Anomalies
Tue 8:00 AM
query: “source-host=ZooKeeper-5”
Mon 8:00 AM
Baseline: The day before
Search (millions of logs) → LogReduce (10’s of patterns)
Great, but can we do more?
Yes, we can!
We can answer questions like:
• What was different before the failure? (compared to a similar period)
• What is different since I deployed the latest patch/release/fix
Tue 8:00 AM
Baseline: The week before
Investigating what was different before a major event.
Failure on ZooKeeper node
Benefits of LogCompare: Reduce your MTTI and MTTR
Faster Troubleshooting
Better Root Cause Analysis
Early Warning System
Demo of LogCompare
Quick Recap on LogReduce and LogCompare
LogReduce: 540,000 logs → ~15 patterns
Errors from one app in 5 minutes produced 540,000 logs, reduced to a handful of patterns
LogCompare (order changes based on Anomaly Score)
From search box
Or by a single click (patent pending)
Order by Anomaly-Score: Most important to Least Important
LogCompare: Extending LogReduce (temporal/spatial comparison)
Before Release
After Release
Healthy Server or App
Unhealthy Server or App
Log Pattern
Log Pattern
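The baseline-versus-target comparison described in these slides, as an added Python example (not Sumo Logic's implementation and not from the original deck). The token-masking rules and the relative-frequency score are assumptions standing in for LogReduce and the Anomaly Score, which the slides do not define; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample windows (not from the slides): baseline vs. target period.
BASELINE = [
    "login[3866]: session opened for uid 501",
    "login[3870]: session opened for uid 502",
    "mysqld: query took 12 ms",
    "mysqld: query took 15 ms",
]
TARGET = [
    "login[4001]: session opened for uid 501",
    "mysqld: query took 900 ms",
    "mysqld: Abnormal shutdown [18429]",
    "mysqld: Abnormal shutdown [18433]",
]

# Assumed masking rules: variable fields collapse so repeated messages share one pattern.
_MASKS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "<hex>"),
    (re.compile(r"\b\d+\b"), "<n>"),
]

def signature(line):
    """Return the pattern for one log line with variable tokens masked."""
    for rx, token in _MASKS:
        line = rx.sub(token, line)
    return line

def reduce_logs(lines):
    """Condense raw lines into pattern -> count, dropping no line."""
    return Counter(signature(line) for line in lines)

def compare(baseline, target):
    """Rank patterns by how much their share of traffic changed between windows."""
    b, t = reduce_logs(baseline), reduce_logs(target)
    nb, nt = max(len(baseline), 1), max(len(target), 1)
    rows = []
    for sig in b.keys() | t.keys():
        fb, ft = b[sig] / nb, t[sig] / nt
        kind = "new" if b[sig] == 0 else "gone" if t[sig] == 0 else "common"
        score = abs(ft - fb) / (ft + fb)  # hypothetical score in [0, 1]; 1 = new or gone
        rows.append((round(score, 3), kind, sig, b[sig], t[sig], abs(ft - fb)))
    rows.sort(key=lambda r: (-r[0], -r[5], r[2]))  # most anomalous first
    return [r[:5] for r in rows]

if __name__ == "__main__":
    for score, kind, sig, nb, nt in compare(BASELINE, TARGET):
        print(f"{score:5.3f} {kind:8} {nb:>3} -> {nt:<3} {sig}")
```

The pattern that exists only in the target window ranks first, which is the "what was different before the failure" question from the slides.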
Questions
Thank you
Please feel free to contact:
Customer Success: [email protected]
Manager: [email protected]
Beta Programs: [email protected]