Sumo Logic
Sumo Logic is the next generation log management and analytics company that leverages Big Data for real-time IT insights. The company’s cloud-based service provides customers with real-time interactive analytics at unprecedented petabyte scale.
How it works
When an alert in Sumo Logic meets its trigger condition, Sumo Logic sends a JSON-formatted webhook to xMatters. A Sumo Logic trigger in xMatters parses the webhook and initiates a flow. The webhook body is the Configuration Payload shown below, filled in from the alert's fields, and carries the essential alert data you can use to enrich notifications to users or when building automated tasks.
Install the workflow
Here's how to install the Sumo Logic workflow through the xMatters one-click installation process. If you already installed the previous, built-in version of the integration, see Previous versions below for its instructions.
- Go to the Workflow Templates page and click the Sumo Logic tile.
- On the Set up the Workflow tab, give the workflow a name that identifies its purpose (this must be unique in your instance), add an optional description, and set the default incident type (if applicable). Any built-in Initiate Incident steps in the workflow will automatically be set to the selected incident type.
- You can edit these later, if needed.
- Click Next to set up the connection.
- Choose the authentication method. A trigger URL is generated based on the selected authentication method.
- Copy the trigger URL — you’ll use this to configure the webhook in Sumo Logic.
- The trigger URL includes the recipients parameter, which specifies who should be notified. By default, this parameter is set to notify you (the logged in user), but you can set it to target any user or group you want.
- You can copy the Configuration Payload to configure the signal in the source application.
- Send a test signal to the trigger URL to test the connection.
- Click Open Workflow to view and customize the workflow, or Close to return to the Workflows page.
Configure Sumo Logic to send requests to the trigger URL
To have Sumo Logic send alerts to the flow trigger, you need to configure a webhook and set it to use the trigger URL.
- In Sumo Logic, open the left-hand menu, expand Manage Data, then select Alerts.
- Select the Connections tab, then click the + button in the tab to open the Select Connection Type page.
- On the Select Connection Type page, select Webhook.
- On the Create Webhook Connection page, fill in the following fields:
- Name: Give your webhook a unique, descriptive name.
- Description (optional): Describe the purpose of your webhook.
- URL: Paste the trigger URL you copied from Flow Designer. The copied URL already carries a recipients parameter set to your own name; replace that value with the target names of the people or groups to notify when the alert fires, separated by commas, and URL-encode any spaces or special characters in the names. Keep a single recipients parameter in the URL. Whether the parameter is introduced by ? or & depends on the authentication type you chose; see Set recipients in the trigger URL below for examples.
- Authorization Header (optional): If you chose Basic Authentication in Flow Designer, enter Basic followed by a space and the Base64 encoding of username:password for the integration user. Base64 is an encoding, not encryption, so treat the header value as the credential itself. See the Sumo Logic documentation for the Authorization Header field, and Extending your integration below for a worked example.
- Custom Headers (optional): You may enter up to five comma-separated key-value pairs, or leave this field blank.
- Payload: Paste the following Configuration Payload you copied from the Sumo Logic Alerts trigger in Flow Designer:
{
"description": "{{Description}}",
"fire_time": "{{FireTime}}",
"id": "{{Id}}",
"name": "{{Name}}",
"num_query_results": "{{NumQueryResults}}",
"query_url": "{{QueryUrl}}",
"trigger_condition": "{{TriggerCondition}}",
"trigger_type": "{{TriggerType}}",
"query": "{{Query}}"
}
- To check that the webhook was created successfully and that alerts go to the right recipients, click Test Connection.
- Click Save to create the webhook.
You're ready to use the webhook to trigger automated flows, including steps such as sending alerts and initiating incidents, though we always recommend testing before putting things into use.
Set recipients in the trigger URL
The trigger reads its recipients from the trigger URL. When you copy the URL from xMatters, it already includes the recipients parameter set to your own name (recipients=<yourname>), which would route every alert from this webhook to you alone.
To change the recipients for alerts from this webhook, replace your name with the target names of the people or groups you want to notify, separated by commas. The separator that introduces the parameter depends on the authentication type you selected in Flow Designer, because a URL-authentication trigger URL already contains a query string (the integration's API key) while the other types do not:
- For URL authentication, use an ampersand to attach recipients. For example, if you want to notify Emma Pearson and the on-call members in the group responsible for the Antares service, you'd add &recipients=epearson,antares to the URL.
- For other authentication types, use a question mark to attach recipients. For example, if you want to notify Barry Gull and the on-call members in the group responsible for the Cassiopeia service, you'd add ?recipients=bgull,cassiopeia to the URL.
Remember to URL-encode any special characters, including spaces, in your target names, and to keep only one recipients parameter in the URL. With URL authentication the trigger URL contains the integration's key, so treat the whole URL as a secret: anyone who obtains it can raise alerts against your recipients.
We recommend using groups so you can take advantage of the xMatters group features — rotations, escalations, and absences — to reach the right on-call people to jump on an issue.
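To make the ? versus & rule and the encoding requirement concrete, here is an added Python helper; it is not xMatters' or Sumo Logic's code. It assumes, as described above, that a URL-authentication trigger URL carries its key in an apiKey query parameter and that the copied URL already contains recipients=<yourname>; the host, path and key values are constructed examples. Rather than appending text by hand, it replaces the existing recipients value, keeps the key intact, and percent-encodes the names.

```python
from __future__ import annotations
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

# Constructed sample URLs (not real xMatters endpoints). The URL-authentication
# form already has a query string holding the key (assumed parameter name:
# apiKey) and the logged-in user's recipients value; the Basic/OAuth forms have
# no query string, which is why the manual instructions differ in separator.
URL_AUTH_EXAMPLE = ("https://example.xmatters.com/api/integration/1/functions/abc123/triggers"
                    "?apiKey=EXAMPLE-KEY&recipients=myname")
BASIC_AUTH_EXAMPLE = "https://example.xmatters.com/api/integration/1/functions/abc123/triggers"


def set_recipients(trigger_url: str, recipients: list[str]) -> str:
    """Return trigger_url with its recipients parameter set to the given targets.

    Any existing recipients value is replaced (never duplicated), every other
    parameter such as the key is preserved, and spaces or reserved characters
    in target names are percent-encoded. Because the query string is rebuilt
    from parts, the '?' or '&' separator is always the right one.
    """
    if not recipients:
        raise ValueError("at least one recipient target is required")
    parts = urlsplit(trigger_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "recipients"]
    query.append(("recipients", ",".join(recipients)))
    # quote (not quote_plus) turns a space into %20; the comma that xMatters
    # uses as the list separator must stay literal, hence safe=",".
    new_query = urlencode(query, safe=",", quote_via=quote)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))


def redact_url(trigger_url: str) -> str:
    """Mask the key before the URL goes into a ticket, chat or log line."""
    parts = urlsplit(trigger_url)
    query = [(k, "REDACTED" if k == "apiKey" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query, safe=",", quote_via=quote), parts.fragment))


if __name__ == "__main__":
    print(redact_url(set_recipients(URL_AUTH_EXAMPLE, ["epearson", "antares"])))
    print(set_recipients(BASIC_AUTH_EXAMPLE, ["bgull", "Cassiopeia On-Call"]))
```

Running set_recipients a second time on its own output still yields one recipients parameter, which is the mistake most easily made when appending &recipients=... to a URL that already contains one.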
How to use the workflow
When a condition you've set fires, Sumo Logic sends a signal to xMatters, which creates an alert and notifies the individuals, or the on-call members of the groups, that you set as recipients in the webhook URL. When the trigger receives a signal saying the issue is resolved, it automatically terminates the related alerts in xMatters.
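As an added example, not xMatters' own code, here is a small receiver model in Python that does what the paragraph above describes with the Configuration Payload shown earlier: it validates an incoming body, coerces the quoted num_query_results, opens an alert on a firing signal and terminates it on a matching resolution. It assumes Sumo Logic's monitor trigger types (Critical, Warning and MissingData when firing, the same names prefixed with Resolved when the condition clears) and correlates on the id field; both webhook bodies are constructed samples.

```python
from __future__ import annotations
import json

# Fields the flow keys on; everything else in the payload is enrichment.
REQUIRED_FIELDS = ("id", "name", "trigger_type", "fire_time")

# Constructed samples shaped like the Configuration Payload. Sumo Logic
# substitutes every {{...}} placeholder as a string, so num_query_results
# arrives quoted even though it holds a number.
FIRING = json.dumps({
    "description": "5xx rate on the checkout API above threshold",
    "fire_time": "1716237600000",
    "id": "0000000000ABCDEF",
    "name": "Checkout API errors",
    "num_query_results": "42",
    "query_url": "https://service.example.sumologic.com/ui/#/search/EXAMPLE",
    "trigger_condition": "count > 20 in 5 minutes",
    "trigger_type": "Critical",
    "query": "_sourceCategory=checkout status_code=5*",
})
RESOLVED = json.dumps({**json.loads(FIRING),
                       "trigger_type": "ResolvedCritical",
                       "num_query_results": "0"})


def parse_signal(raw: bytes | str) -> dict:
    """Parse one webhook body and reject it unless the keyed fields are present."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("webhook body must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    count = data.get("num_query_results", "0")
    try:
        data["num_query_results"] = int(count)
    except (TypeError, ValueError):
        raise ValueError(f"num_query_results is not an integer: {count!r}")
    return data


def is_resolution(trigger_type: str) -> bool:
    # Assumption: firing types are Critical/Warning/MissingData and the
    # corresponding clear signals are ResolvedCritical/ResolvedWarning/
    # ResolvedMissingData.
    return trigger_type.startswith("Resolved")


class AlertTracker:
    """Firing signal opens an alert keyed on id; a matching resolution ends it."""

    def __init__(self) -> None:
        self.open: dict[str, dict] = {}
        self.terminated: list[str] = []

    def handle(self, raw: bytes | str) -> str:
        sig = parse_signal(raw)
        key = sig["id"]
        if is_resolution(sig["trigger_type"]):
            if key not in self.open:
                return "ignored"        # nothing open to terminate
            self.open.pop(key)
            self.terminated.append(key)
            return "terminated"
        if key in self.open:
            return "duplicate"          # re-fire of an open alert: do not page twice
        self.open[key] = sig
        return "created"


if __name__ == "__main__":
    tracker = AlertTracker()
    for body in (FIRING, FIRING, RESOLVED, RESOLVED):
        print(json.loads(body)["trigger_type"], "->", tracker.handle(body))
```

The duplicate and ignored outcomes are the cases a real trigger has to decide: Sumo Logic re-evaluates on a schedule, so an open condition can fire repeatedly, and a resolution can arrive for an alert that was already closed by a responder.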
The person responding to the notification has the following response options:
- Acknowledge: Acknowledges the notifications and stops escalations.
- Escalate: Immediately escalates the alert to the next on-call resolver in a targeted group.
- Close: Ends the xMatters alert and stops notifying all targeted recipients.
- Initiate Incident: Initiates an incident in xMatters.
Next Steps
Now that you've installed the Sumo Logic workflow, you can use it as-is, or customize it to suit your needs better. Here are some examples of things you can add to the workflow to customize it:
- Use Slack, Zoom, and Microsoft Teams steps to add collaboration channels to the flow.
- Change the severity of incidents created when a recipient selects the Initiate Incident response.
- Update the message sent to resolvers to include the information most relevant to your team.
- Use the Sumo Logic trigger to build your own custom flows.
Previous versions
While the previous, built-in version of this integration is no longer available, the instructions for it are included below for anyone who has it installed in their system already. Due to changes in Sumo Logic, the payload provided in this version is no longer valid and will generate errors if submitted.
Sumo Logic scheduled search alerts trigger xMatters notifications with responses that can be integrated into all of your IT tools, replacing manual steps in your incident management process.
Do more with this integration
Incorporate this integration into your orchestrated incident resolution workflows with Flow Designer. After you create a configuration, the Flows tab appears. From there, you can build your flows — add new response options, connect to other apps, or even create new xMatters alerts based on activities in the flow — enriching the information injected by this integration along the way.
To install this integration in xMatters, simply go to Workflow Templates on the Workflows tab and start typing the name of the integration you're looking for to filter the list. Once you find it, click its tile then click Next to get to the configuration screen.
How to set up a Sumo Logic configuration
After you give your configuration a name and description, type a name to use when sending alerts (so you can easily tell which configuration or integration the alerts are from), and add all of the users and groups you want to be notified.
Once you save the configuration, xMatters displays the URL and payload you need to configure Sumo Logic.
Now you just need to create a webhook connection in Sumo Logic that targets the URL, and add that webhook as an alert type to a saved search.
- In Sumo Logic, click Manage > Connections, and then click Add > Webhook.
- In the Create Webhook Connection window, type a name (e.g., "xMatters") and a description, and then copy and paste your configuration's URL and Payload.
- Click Save to create the webhook connection.
- To add this connection to a search, enter your search criteria into the search bar and then click the Save As link.
- Add a name and description, and then click the Schedule this search link.
- Set the frequency and other details for your search.
- Set the Run frequency to Real Time to ensure that, as the results are found, the information is immediately sent to xMatters.
- In the Alert Type drop-down list, select Webhook.
- In the Webhook drop-down list, select the xMatters connection you just created.
- The Payload field should be automatically populated.
- Click Save.
xMatters will now notify your specified recipients whenever the search is triggered! Check out the screenshots at the top of this section to see what the notifications would look like in the xMatters mobile app.
Use your integration
Testing the integration depends on the nature of the collector, the search criteria and the infrastructure. The following test scenario assumes a file called "mysumo.log" is collected by a collector.
To test the integration:
Open a terminal on the host the collector is reading from (appending under /var/log normally requires root) and type the following into the command line:
$ echo "$(date +'%b %d %T') The cookies are on fire. Save the butter" >> /var/log/mysumo.log
Shortly after, a new entry is displayed in the Sumo Logic interface marking the new information.
A new alert is created in xMatters targeting the recipient in the form layout. Here's an example of an email or push message alert:
Troubleshooting
The first place to look is the Activity Stream for the integration (click the gear icon and select Open Activity Stream). If there is an entry here, the request reached xMatters. Inspect the details for any errors.
If there is no entry here, then the request didn't reach xMatters. Review the xMatters Connection webhook in Sumo Logic and verify the Authorization and URL fields.
Extending your integration
Looking to do more with xMatters and Sumo Logic? If you want to tailor the settings and notifications for the integration, you can convert it to a custom workflow.
After you convert the integration to a custom workflow, you can configure it to use Basic authentication instead of URL authentication. If you switch the authentication from URL to Basic, you need to update the xMatters webhook in Sumo Logic to include an authorization header with the base64-encoded username and password of the integration user you created above.
You can create this value as follows. Base64 is plain encoding, not encryption, so the result is the credential itself; prefer a local tool over a public web site such as https://www.base64encode.org/, because a web form sends the live password to a third party.
- Take the username and password of the integration user, separated by a colon (for example, sumologic:UDQw9awK).
- Base64-encode that string and copy the result.
- In the Authorization Header field of the Sumo Logic webhook, enter Basic, a space, and the encoded value.
Example: sumologic:UDQw9awK encodes to c3Vtb2xvZ2ljOlVEUXc5YXdL, so the header value is Basic c3Vtb2xvZ2ljOlVEUXc5YXdL.
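An added example, not part of the original page, that builds the Authorization Header value locally with Python's standard library so the credential never leaves your machine, and decodes a pasted header so you can check it before saving the connection. The username and password are the sample values above.

```python
from __future__ import annotations
import base64


def basic_auth_header(username: str, password: str) -> str:
    """Return the full header value for Sumo Logic's Authorization Header field."""
    if ":" in username:
        # RFC 7617: the user-id must not contain a colon, or the split is ambiguous.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_header(header: str) -> tuple[str, str]:
    """Reverse of basic_auth_header; use it to verify what you pasted."""
    scheme, _, token = header.strip().partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("decoded credential lacks the ':' separator")
    return user, password


if __name__ == "__main__":
    header = basic_auth_header("sumologic", "UDQw9awK")   # sample values from the page
    print(header)
    print(decode_basic_header(header))
```

Anyone who can read the Sumo Logic connection settings can read this header and recover the password, so use a dedicated integration user with only the permissions the trigger needs, and rotate it as you would any shared secret.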