Sumologic Provider
Sumologic Configuration
You can store your connection details in msticpyconfig.yaml.
For more information on using and configuring msticpyconfig.yaml see msticpy Package Configuration and MSTICPy Settings Editor
The settings in the file should look like the following:
DataProviders:
Sumologic:
Args:
connection_str: Sumologic_url_endpoint
accessid: accessid # with search permissions to connect
accesskey: accesskey
We strongly recommend storing the client secret value in Azure Key Vault. You can replace the text value with a referenced to a Key Vault secret using the MSTICPy configuration editor.
Your configuration when using Key Vault should look like the following:
DataProviders:
Sumologic:
Args:
connection_str: Sumologic_url_endpoint
accessid: accessid # with search permissions to connect
accesskey:
KeyVault:
Loading a QueryProvider for Sumologic
qry_prov = QueryProvider("Sumologic")
Connecting to Sumologic
The parameters required for connection to Sumologic can be passed in a number of ways. The simplest is to configure your settings in msticpyconfig. You can then just call connect with no parameters.
Alternatively, you can pass the required connection parameters to the driver as parameters to the driver.
qry_prov.connect()
If you have configured multiple instances you must specify an instance name when you call connect.
qry_prov.connect(instance="Tenant2")
Running a Sumologic query
Sumologic supports a number of optional query time parameters.
Details of those parameters can be found here
msticpy.data.drivers.sumologic_driver.query()
sumologic_query = """
*
| formatDate(_messageTime,"yyyy/dd/MM HH:mm:ss") as date
| first(date), last(date) by _sourceCategory
| count _sourceCategory,_first,_last
| sort -_count
""""
df = sumologic_prov.exec_query(sumologic_query, days=0.0005, verbosity=3)
df.head()
sumologic_query = "_index=WINDOWS | count _sourceCategory,hostname"
df = sumologic_prov.exec_query(
sumologic_query,
start=datetime.now() - timedelta(days=6.001),
end=datetime.now() - timedelta(days=6)
)
df.head()
Other Sumologic Documentation
For examples of using the Sumologic provider, see the sample Sumologic Notebook<https://github.com/microsoft/msticpy/blob/master/docs/notebooks/Sumologic-DataConnector.ipynb>
Built-in Queries for Sumologic.