Sumo Logic is one connection that covers two kinds of telemetry: logs and metrics. Investigations query it to see what your services were doing around the time of an incident — the log lines a service was emitting, and the metric that moved.
You connect Sumo Logic directly, with an Access ID, Access Key, and your deployment region. A single connection brings both capabilities, and you choose which ones investigations can use.

What we support

Connecting Sumo Logic gives investigations two capabilities, each of which you enable independently:
Capability   What it queries
Logs         Log lines from your services, and trends derived from those logs
Metrics      Time-series metrics, graphed for the incident window

Logs

Investigations search your logs with the Sumo Logic search query language to read what a service was logging at the time of an incident — the errors, the warnings, the request that failed. They scope each search to the source categories that matter and filter on Sumo Logic’s built-in _loglevel field, which is the reliable way to find error-level logs: a bare error keyword also matches lines carrying fields like error_count=0, so it isn’t a dependable level filter. They can also turn those logs into time-series, so you get a graph of an error rate climbing or request volume dropping away even where you never set up a dedicated metric. This is the same log data, aggregated over time rather than read line by line.
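To make the two points above concrete (why a bare error keyword is not a level filter, and what "turning logs into time-series" produces), here is an added example that is not part of this documentation or of Sumo Logic: it emulates both filters and a one-minute timeslice over constructed log lines. The query string and the source category name in it are illustrative.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# A Sumo Logic query of the shape described above: scope by source category,
# filter on the built-in _loglevel field, then bucket into 1-minute slices.
# Illustrative only; substitute your own _sourceCategory naming.
SUMO_QUERY = (
    '_sourceCategory=prod/checkout/api AND _loglevel=error '
    '| timeslice 1m | count as errors by _timeslice'
)

# Constructed sample lines (not real data). Format: "<iso-ts> <level> <message>".
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z info  request ok path=/cart error_count=0
2024-05-01T10:00:20Z info  request ok path=/pay error_count=0
2024-05-01T10:01:02Z error upstream timeout path=/pay
2024-05-01T10:01:40Z warn  slow response path=/cart
2024-05-01T10:02:11Z error upstream timeout path=/pay
2024-05-01T10:02:30Z error db pool exhausted
2024-05-01T10:02:55Z info  request ok error_count=0
""".splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")

def parse(line):
    ts, level, msg = LINE_RE.match(line).groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), level, msg

def keyword_filter(lines):
    """A bare 'error' keyword search: matches any line containing the token,
    including healthy lines that merely carry a field such as error_count=0."""
    return [l for l in lines if "error" in l.lower()]

def loglevel_filter(lines, level="error"):
    """The _loglevel approach: match on the parsed level field only."""
    return [l for l in lines if parse(l)[1] == level]

def timeslice(lines, minutes=1):
    """Emulate '| timeslice 1m | count by _timeslice': count per time bucket."""
    counts = Counter()
    for l in lines:
        ts, _, _ = parse(l)
        bucket = ts.replace(second=0, microsecond=0)
        bucket -= timedelta(minutes=bucket.minute % minutes)
        counts[bucket.strftime("%H:%M")] += 1
    return dict(sorted(counts.items()))
```

Running `timeslice(loglevel_filter(SAMPLE_LOGS))` gives the error-rate series an investigation graphs, while the keyword variant inflates every bucket with healthy lines.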

Metrics

Investigations query your Sumo Logic metrics and graph them for the incident’s time window, so a CPU saturation, a latency change, or a queue backing up shows up against the period that matters. Queries are grounded in the metric names and dimensions that actually exist in your account, so investigations filter and group by the dimensions you really have rather than guessing at labels. Investigations learn the structure of your Sumo Logic data — your source categories and fields, and your metric names and dimensions — automatically. How that works is covered in How telemetry works.
Traces aren’t supported yet. If your team relies on Sumo Logic tracing, get in touch — it’s on our roadmap.

Connecting Sumo Logic

You connect Sumo Logic directly. There’s no provider in front of it — one connection covers both capabilities. What you’ll need:
  • A Sumo Logic Access ID and Access Key, created under Administration → Security → Access Keys. An access key isn’t scoped on its own — it inherits the role capabilities of the user that owns it. So you control what we can do through that user’s role, and we recommend creating a dedicated service account for the connection rather than tying it to a person.
  • A role for that user that grants the capabilities each enabled capability needs. Investigations only ever read from Sumo Logic, so these are all view/read capabilities — no management or write access is required:
    • For logs: Download Search Results (this is the capability that lets us run searches and read the results) and View Collectors (the connection test lists a collector to confirm the credentials and region, so this is needed even before any search runs). We also read your partitions and fields to learn how your data is structured, which needs view access to your account’s data.
    • For metrics: the Metrics capability.
  • Your deployment region — the API endpoint for the pod your account lives on. This is https://api.sumologic.com for US1, and https://api.<region>.sumologic.com for the others (for example https://api.eu.sumologic.com or https://api.us2.sumologic.com). The region must match your account, because Sumo Logic doesn’t carry credentials across regions; connecting against the wrong one fails the connection test. Sumo Logic lists every pod in its API endpoint reference.
  1. From the Investigations settings, add a telemetry data source and choose Sumo Logic.
  2. Enter your Access ID, Access Key, and deployment region, then test the connection.
  3. Choose whether investigations can use logs, metrics, or both.
Connecting Sumo Logic adds two data sources — one for logs and one for metrics — that mirror Sumo Logic’s two query surfaces. Both are enabled by default once you connect, and you can toggle each independently. Turn off either one you don’t want investigations to query.
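If you want to check the Access ID, Access Key and region yourself before step 2, this added example (not the product's own connection test, nor Sumo Logic code) performs the same probe the connection test does: it builds the regional endpoint and lists a single collector over Sumo Logic's Collector Management API with HTTP Basic credentials. The environment variable names are this example's own choice.

```python
import base64
import json
import os
import urllib.request
from urllib.error import HTTPError, URLError

def api_base(region):
    """API endpoint for a deployment region: US1 is the bare host, every other
    pod carries its region name in the hostname (see the region note above)."""
    region = region.strip().lower()
    if region == "us1":
        return "https://api.sumologic.com"
    return f"https://api.{region}.sumologic.com"

def basic_auth_header(access_id, access_key):
    """Sumo Logic's REST API accepts the Access ID and Access Key as HTTP Basic
    credentials, so the pair is sent as 'Basic base64(id:key)'."""
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}

def check_connection(region, access_id, access_key, timeout=10):
    """Mirror the connection test described above: list a single collector.
    This succeeds only when the key is valid, the region matches the account,
    and the key's owning role has View Collectors. Returns a result dict."""
    url = f"{api_base(region)}/api/v1/collectors?limit=1"
    req = urllib.request.Request(url, headers=basic_auth_header(access_id, access_key))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
            names = [c.get("name") for c in body.get("collectors", [])]
            return {"ok": True, "status": resp.status, "collectors": names}
    except HTTPError as e:
        # 401 is an authentication failure: the key is wrong or it was sent to a
        # pod other than the one the account lives on (credentials do not carry
        # across regions). Other statuses: check the owning role's capabilities.
        return {"ok": False, "status": e.code, "error": e.reason}
    except URLError as e:
        # DNS or connectivity problem, for example a mistyped region name.
        return {"ok": False, "status": None, "error": str(e.reason)}

if __name__ == "__main__":
    # Credentials come from environment variables (names chosen for this
    # example): SUMO_REGION, SUMO_ACCESS_ID, SUMO_ACCESS_KEY.
    result = check_connection(os.environ.get("SUMO_REGION", "us1"),
                              os.environ["SUMO_ACCESS_ID"],
                              os.environ["SUMO_ACCESS_KEY"])
    print(json.dumps(result, indent=2))
```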

Best practice

  • Connect with a dedicated service account rather than a personal access key, so the connection keeps working when people move teams. Give its role only the capabilities the connection needs — Download Search Results and View Collectors for logs, and Metrics for metrics — so the credentials stay scoped to reading the data investigations query.
  • Scope your searches with source categories. Sumo Logic caps a single raw log search at 100,000 messages, so a narrow _sourceCategory filter returns complete results where an unscoped search over a wide window can be truncated. Investigations do this for you, and it works best when your source categories are meaningful.
  • Enable both logs and metrics. With both connected, an investigation can move from a metric that moved to the log lines behind it, rather than seeing only one half of the picture.
