Sumo Logic User Guide
About Scheduled Views

A Scheduled View is a pre-aggregated index of a subset of data. After building a Scheduled View, you'll be able to run queries against that data set. Because the data is pre-aggregated (the query you use to create a Scheduled View contains an aggregate function), search results return much more quickly. Additionally, queries run against a Scheduled View cannot time out.

Queries that run against Views can be used in scheduled searches, Dashboards, and in ad hoc searches. The ability to run a query against historical data in a View means your team can uncover long-term trends and build Dashboards that include a large amount of data without sacrificing performance. You can include data dated to the very beginning of your retention period. For example, if your organization has a 60-day retention period, you can use data from two months ago in your searches.

Because Scheduled Views add data on a one-minute rolling schedule, you'll know that search results include recent log messages. Think of a Scheduled View as a query that uses a one-minute timeslice to aggregate data. If you run a 60-minute search against a Scheduled View, you can expect 60 results (one for each one-minute aggregation).

How data is added to a Scheduled View

As data is being ingested into Sumo Logic, it's constantly being checked for how it should be handled. First, data is routed to any Partitions where it should be indexed. Then, data is checked against Scheduled Views; any data that matches a View is indexed. Data can be in a Partition and in a Scheduled View because the two tools are used differently (and are indexed separately). And, even though Partitions are indexed first, this architecture does not slow the indexing of Scheduled Views. Every minute, the query is run against the data routed to the Scheduled View, and then the results are indexed.

How are Scheduled Views different than Partitions and Sumo Logic Indices?

Scheduled Views are different from Partitions in that they backfill with aggregate data, meaning that all data that extends back to the start date of the View query is added to the View. Partitions, however, begin building a non-aggregate index from the date a Partition is started, only indexing data moving forward. Sumo Logic Indices are automatically created by Sumo Logic to deliver a specific data set that cannot be edited.

Designing Scheduled Views

Scheduled Views are great for identifying long-term trends. With that in mind, it's important to consider the uses that make the most sense for your organization, and build out a set of Scheduled Views that are general enough to be practical, yet specific enough to provide targeted search results.
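
The one-minute aggregation described under "About Scheduled Views", shown as a pair of queries for a security use case. This is an added example, not taken from the User Guide; the source category `prod/linux/auth`, the view name `failed_ssh_logins`, the sshd message format, and the threshold are assumptions chosen for illustration.

```sumologic
// 1) Query used to build the Scheduled View (assumed name: failed_ssh_logins).
//    It must contain an aggregate function. The one-minute timeslice matches
//    the View's one-minute rolling schedule, so each indexed row is
//    "failures per source IP per minute".
_sourceCategory=prod/linux/auth "Failed password"
| parse "from * port" as src_ip
| timeslice 1m
| count by _timeslice, src_ip

// 2) Long-term trend query run against the View instead of the raw logs.
//    The View stores the per-minute counts in _count, so the daily total
//    is a sum of those counts, not a new count of rows.
_view=failed_ssh_logins
| timeslice 1d
| sum(_count) as failures by _timeslice, src_ip
| where failures > 100   // constructed threshold, tune for your environment
| sort by _timeslice asc
```

Keeping `src_ip` in the View keeps it specific enough for targeted searches, while leaving out high-cardinality fields such as the port keeps the pre-aggregated index small.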