Sumo Logic Query Tool

A lightweight Ruby CLI for querying Sumo Logic logs and metadata. Simple, fast, read-only access to your logs.

Features

Simple time parsing - Use -1h, -30m, now instead of timestamps
Dynamic source discovery - Find CloudWatch/ECS/Lambda sources from logs
Interactive mode - Explore logs with FZF fuzzy search
Timezone support - US, Australian, and IANA formats
Fast & efficient - Smart polling and pagination
Read-only - Safe log access with no write operations

Installation

# Via RubyGems
gem install sumologic-query

# Via Homebrew
brew tap patrick204nqh/tap
brew install sumologic-query

Quick Start

1. Set Credentials

export SUMO_ACCESS_ID="your_access_id"
export SUMO_ACCESS_KEY="your_access_key"
export SUMO_DEPLOYMENT="us2"  # Optional: us1, us2 (default), eu, au

Get credentials: Sumo Logic → Administration → Security → Access Keys

2. Run Queries

# Search logs
sumo-query search -q 'error' -f '-1h' -t 'now' --limit 100

# Discover dynamic sources (CloudWatch/ECS/Lambda)
sumo-query discover-sources

# List collectors and sources
sumo-query collectors
sumo-query sources

Commands

1. Search Logs

sumo-query search -q "YOUR_QUERY" -f "START" -t "END" [OPTIONS]

Options:

-q, --query - Query string (required)
-f, --from - Start time (required, e.g., -1h, 2025-11-19T14:00:00)
-t, --to - End time (required, e.g., now)
-z, --time-zone - Timezone (default: UTC)
-l, --limit - Max messages to return
-o, --output - Save to file
-i, --interactive - Launch FZF browser
-d, --debug - Debug output

Interactive Mode (-i): FZF-based browser with fuzzy search, preview, and multi-select. Requires fzf (install).

2. Discover Dynamic Sources

sumo-query discover-sources [OPTIONS]

Finds dynamic source names from log data (CloudWatch, ECS, Lambda streams).

Options:

-f, --from - Start time (default: -24h)
-t, --to - End time (default: now)
--filter - Filter query (e.g., _sourceCategory=*ecs*)
-z, --time-zone - Timezone (default: UTC)
-o, --output - Save to file

Examples:

# Discover all sources from last 24 hours
sumo-query discover-sources

# Filter to ECS only
sumo-query discover-sources --filter '_sourceCategory=*ecs*'

# Last 7 days, save to file
sumo-query discover-sources -f '-7d' -o sources.json

3. List Collectors & Sources

# List collectors
sumo-query collectors [-o FILE]

# List static sources
sumo-query sources [-o FILE]

Time Formats

# Relative (recommended)
-1h, -30m, -7d, now

# ISO 8601
2025-11-19T14:00:00

# Unix timestamp
1700000000

# Timezones
UTC, AEST, EST, America/New_York, Australia/Sydney, +10:00

See examples/queries.md for comprehensive query patterns.

Ruby Library

require 'sumologic'

client = Sumologic::Client.new(
  access_id: ENV['SUMO_ACCESS_ID'],
  access_key: ENV['SUMO_ACCESS_KEY']
)

# Search
client.search(query: 'error', from_time: '-1h', to_time: 'now')

# Discover sources
client.discover_dynamic_sources(from_time: '-24h', to_time: 'now')

# Metadata
client.list_collectors
client.list_all_sources

Documentation

Query Examples - Query patterns and examples
Quick Reference - Command cheat sheet
Rate Limiting - Performance tuning
Architecture - Design decisions

Contributing

See CONTRIBUTING.md for guidelines.

License

MIT License - see LICENSE file.

sumologic-query

Development

Runtime