Sumologic Provider

Sumologic Configuration

You can store your connection details in msticpyconfig.yaml.

For more information on using and configuring msticpyconfig.yaml see msticpy Package Configuration and MSTICPy Settings Editor.

The settings in the file should look like the following:

DataProviders:
  Sumologic:
    Args:
      connection_str: Sumologic_url_endpoint
      accessid: accessid   # with search permissions to connect
      accesskey: accesskey

We strongly recommend storing the access key in Azure Key Vault rather than as plain text in the file. You can replace the text value with a reference to a Key Vault secret using the MSTICPy configuration editor.

Your configuration when using Key Vault should look like the following:

DataProviders:
  Sumologic:
    Args:
      connection_str: Sumologic_url_endpoint
      accessid: accessid   # with search permissions to connect
      accesskey:
        KeyVault:

Loading a QueryProvider for Sumologic

from msticpy.data import QueryProvider

qry_prov = QueryProvider("Sumologic")

Connecting to Sumologic

The parameters required for connection to Sumologic can be passed in a number of ways. The simplest is to configure your settings in msticpyconfig.yaml. You can then call connect with no parameters:

qry_prov.connect()

Alternatively, you can pass the same connection parameters (connection_str, accessid and accesskey) directly to connect as keyword arguments.

If you have configured multiple instances you must specify an instance name when you call connect.

qry_prov.connect(instance="Tenant2")
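The Key Vault recommendation above and the multi-instance note are both about what ends up in msticpyconfig.yaml. The following is an added example, not msticpy's own code: it audits an already-parsed settings dict (for example the result of yaml.safe_load on msticpyconfig.yaml) for every Sumologic instance, checks the three Args the page shows, and flags an accesskey that is stored as a literal string rather than as a Key Vault reference. It assumes that extra instances appear as DataProviders keys named "Sumologic-<InstanceName>" and that an EnvironmentVar reference is another non-plaintext form msticpy accepts; both are assumptions, and the sample settings are constructed for the example.

```python
"""Audit a parsed msticpyconfig.yaml for Sumologic secret hygiene (added example)."""
from typing import Any, Dict, List

# Constructed sample settings: one plaintext key, one Key Vault reference,
# and one instance missing a required Arg.
SETTINGS: Dict[str, Any] = {
    "DataProviders": {
        "Sumologic": {                                  # default instance
            "Args": {
                "connection_str": "https://api.us2.sumologic.com/api",
                "accessid": "su1234EXAMPLE",
                "accesskey": "plaintext-secret-value",   # weak: secret in file
            }
        },
        "Sumologic-Tenant2": {                          # assumed instance naming
            "Args": {
                "connection_str": "https://api.eu.sumologic.com/api",
                "accessid": "su5678EXAMPLE",
                "accesskey": {"KeyVault": None},        # corrected: Key Vault reference
            }
        },
        "Sumologic-Broken": {
            "Args": {
                "connection_str": "https://api.us1.sumologic.com/api",
                "accesskey": {"KeyVault": "sumo-accesskey"},
            }
        },
    }
}

REQUIRED_ARGS = ("connection_str", "accessid", "accesskey")


def sumologic_instances(settings: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map instance name -> Args for every Sumologic entry under DataProviders.

    The bare "Sumologic" key is reported as "default"; "Sumologic-X" as "X"
    (the "Sumologic-X" convention is an assumption of this example).
    """
    providers = settings.get("DataProviders") or {}
    instances: Dict[str, Dict[str, Any]] = {}
    for key, entry in providers.items():
        args = (entry or {}).get("Args") or {}
        if key == "Sumologic":
            instances["default"] = args
        elif key.startswith("Sumologic-"):
            instances[key[len("Sumologic-"):]] = args
    return instances


def secret_storage(value: Any) -> str:
    """Classify how a secret value is stored: keyvault, envvar, plaintext or missing."""
    if value is None or value == "":
        return "missing"
    if isinstance(value, dict):
        if "KeyVault" in value:
            return "keyvault"
        if "EnvironmentVar" in value:          # assumed alternative reference form
            return "envvar"
    return "plaintext"


def audit(settings: Dict[str, Any]) -> List[str]:
    """Return one finding per problem; an empty list means the config passed."""
    findings: List[str] = []
    instances = sumologic_instances(settings)
    if not instances:
        return ["no Sumologic provider configured"]
    for name, args in instances.items():
        for arg in REQUIRED_ARGS:
            if not args.get(arg):
                findings.append(f"{name}: missing required Arg '{arg}'")
        if secret_storage(args.get("accesskey")) == "plaintext":
            findings.append(
                f"{name}: accesskey stored in plaintext; use a KeyVault reference"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SETTINGS):
        print(finding)
```

Run it against the real file by replacing SETTINGS with `yaml.safe_load(open("msticpyconfig.yaml"))`; a clean run prints nothing.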

Running a Sumologic query

Sumologic supports a number of optional query time parameters. Details of those parameters are in the driver API documentation for msticpy.data.drivers.sumologic_driver.query().

from datetime import datetime, timedelta

# Aggregate query: first and last message time seen per source category
sumologic_query = """
    *
    | formatDate(_messageTime,"yyyy/dd/MM HH:mm:ss") as date
    | first(date), last(date) by _sourceCategory
    | count _sourceCategory,_first,_last
    | sort -_count
    """
# 'days' is a relative window (0.0005 days is about 43 seconds);
# 'verbosity' controls how much progress the driver reports
df = qry_prov.exec_query(sumologic_query, days=0.0005, verbosity=3)
df.head()

# Explicit window: a slice of about 90 seconds starting six days ago
sumologic_query = "_index=WINDOWS | count _sourceCategory,hostname"
df = qry_prov.exec_query(
    sumologic_query,
    start=datetime.now() - timedelta(days=6.001),
    end=datetime.now() - timedelta(days=6),
)
df.head()
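The two calls above show the two ways of bounding a query: a relative `days` window and an explicit `start`/`end` pair. A detail that matters during an investigation is that `datetime.now()` returns a naive local time, so a window built from it shifts by the analyst's UTC offset relative to the `_messageTime` values the query aggregates. The helper below is an added example, not part of the msticpy driver: it always produces an explicit, timezone-aware UTC `start`/`end` pair (the only thing it assumes about `exec_query` is that it accepts those two keyword arguments, as the page shows), gives explicit bounds precedence over `days`, and rejects naive or inverted windows instead of silently querying the wrong interval.

```python
"""Build a validated, timezone-aware time window for exec_query (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def query_window(
    days: Optional[float] = None,
    start: Optional[datetime] = None,
    end: Optional[datetime] = None,
    now: Optional[datetime] = None,
) -> Dict[str, datetime]:
    """Return {'start': ..., 'end': ...} as timezone-aware UTC datetimes.

    Explicit start/end take precedence. Otherwise the window is the last
    `days` days ending at `now` (default: the current UTC time).
    """
    now = now or datetime.now(timezone.utc)
    if start is None and end is None:
        if days is None or days <= 0:
            raise ValueError("give start/end or a positive 'days' value")
        end = now
        start = end - timedelta(days=days)
    elif start is None or end is None:
        raise ValueError("start and end must both be supplied")

    # Naive datetimes (e.g. datetime.now()) carry no zone: refuse them rather
    # than guess, so the window cannot drift by the local UTC offset.
    for label, value in (("start", start), ("end", end)):
        if value.tzinfo is None or value.utcoffset() is None:
            raise ValueError(f"{label} is naive; use datetime.now(timezone.utc)")

    start = start.astimezone(timezone.utc)
    end = end.astimezone(timezone.utc)
    if start >= end:
        raise ValueError("start must be earlier than end")
    return {"start": start, "end": end}


# Intended use with the provider from this page (not executed here):
#   df = qry_prov.exec_query(sumologic_query, **query_window(days=1))
#   df = qry_prov.exec_query(
#       sumologic_query,
#       **query_window(start=datetime(2024, 1, 4, tzinfo=timezone.utc),
#                      end=datetime(2024, 1, 4, 0, 2, tzinfo=timezone.utc)),
#   )
```

Because the helper emits absolute bounds, the same call reproduces the same window later in a notebook, which is what you want when a query result is going into an incident timeline.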

Other Sumologic Documentation

For examples of using the Sumologic provider, see the sample Sumologic Notebook<https://github.com/microsoft/msticpy/blob/master/docs/notebooks/Sumologic-DataConnector.ipynb>

Built-in Queries for Sumologic

Sumologic driver API documentation