diff --git a/docs/get-started/sumo-logic-limits.md b/docs/get-started/sumo-logic-limits.md new file mode 100644 index 0000000000..57f3f78ea6 --- /dev/null +++ b/docs/get-started/sumo-logic-limits.md @@ -0,0 +1,221 @@ +--- +id: sumo-logic-limits +title: Sumo Logic Limits and Quotas Reference +sidebar_label: Limits and Quotas +description: A comprehensive reference of quotas, limitations, and maximum values across Sumo Logic services. +--- + +This page lists the baseline limits and quotas for various features, services, and components within Sumo Logic. + +## Alerts and monitors + +- **[Maximum number of monitors (active and inactive)](/docs/alerts/monitors/monitor-faq/#is-there-a-limit-to-the-number-of-monitors-i-can-have)**. Up to 5,000 (can be increased by contacting support). +- **[Email notifications](/docs/alerts/monitors/overview/#general)**. Up to 100 recipients. + +### Log monitors + +| [Plan](/docs/alerts/monitors/overview/#log-monitors) | Max Log Monitors | +|:-------------------------|:-----------------| +| Enterprise, Trial | 1,000 | +| Essentials, Professional | 300 | +| Free Trial | 50 | + +- **[Query length](/docs/alerts/monitors/overview/#general)**. Up to 15,000 characters. +- **[Execution delay](/docs/alerts/monitors/overview/#general)**. 2 minutes (to allow for ingestion lag). + +### Metric monitors + +| [Plan](/docs/alerts/monitors/overview/#metrics-monitors) | Max Metric Monitors | +|:-------------------------|:--------------------| +| Enterprise, Trial | 1,500 | +| Essentials, Professional | 500 | +| Free Trial | 50 | + +- **[Aggregate monitor](/docs/alerts/monitors/overview/#general)***. Can evaluate up to 15,000 time series. +- **[Non-aggregate monitor](/docs/alerts/monitors/overview/#general)**. Can evaluate up to 3,000 time series. +- **[Execution delay](/docs/alerts/monitors/overview/#metrics-monitors)**. 1 minute. +- **[Query limit](/docs/alerts/monitors/overview/#general)**. Up to 6 queries. + +### Notification grouping + +- **[Log monitors](/docs/alerts/monitors/overview/#alerts)**. Always group notifications. +- **[Metric monitors](/docs/alerts/monitors/overview/#alerts)**. Can group notifications, resolving when all time series return to normal. + +### Unsupported features in monitors + +- **[Receipt Time](/docs/search/get-started-with-search/build-search/use-receipt-time)**. Not supported. +- **[LogReduce](/docs/search/behavior-insights/logreduce/logreduce-operator) and [LogCompare](/docs/search/behavior-insights/logcompare) operators**. Not supported. +- **[Frequent](/docs/manage/partitions/data-tiers) and [Infrequent](/docs/manage/partitions/data-tiers) data tiers**. Not supported. +- **[Save to Index](/docs/alerts/scheduled-searches/save-to-index) and [Save to Lookup](/docs/alerts/scheduled-searches/save-to-lookup)**. Not supported. +- **[Search templates](/docs/search/get-started-with-search/build-search/search-templates.md)**. Not supported. +- **[`timeshift` metrics operator](/docs/metrics/metrics-operators/timeshift)**. Not supported in Metric Monitors. + +### Alert response + +- **Related Alerts and Monitor History**. Shows the top 250 alerts. +- **Alert Visualization**. Only shown for alerts less than 30 days old. +- **Alert List**. Displays up to 1,000 alerts triggered within the past 30 days. + +### Scheduled searches + +- **Maximum searches**. Up to 6,000 per account. +- **Timeout**. One-third of search range (min 3 minutes, max 120 minutes). +- **Emails per search**. Up to 120 emails per day. +- **Webhook connections**. Limited to 512 records. +- **Row extraction**. Limited to 100 unique rows per trigger. +- **Infrequent Data Tier**. Not supported. + +## Collectors and Sources + +- Maximum number of collector per organization is 10,000. +- A single installed collector can handle up to 15,000 events per second. +- Log messages greater than 64KB are truncated. +- A collector or source can have up to 10 fields. +- A collector can have up to 1,000 sources. +- Multiline logs are limited to 2000 lines or 512KB. +- Maximum of 100 processing rules per source. +- The number of Cloud-to-Cloud Sources is limited to 20 for free accounts, and 50 for all other accounts. +- You are warned when you reach 80% of the Cloud-to-Cloud Sources limit (16 Sources for free accounts, and 40 Sources for other accounts). + +## Log Search + +- **Query length**. Up to 15,000 characters. +- **Results limit**. Only the first 100,000 messages are included. If your time range includes more than 100,000 messages, your source message may not be highlighted in the returned results. +- **Surrounding messages**. Also limited to 100,000. If your time range includes more than 100,000 messages, your source message may not be included in your returned results. +- **Search Job API limit parameter**. Max 10,000 records. + +### Subquery limits + +- Up to 10,000 unique results (rows) from the child query. +- Up to 100MB of memory to return those results. +- Subqueries are not supported in: + - Auto-refresh dashboards. + - Field Extraction Rules. + - Scheduled Views. + +### Metric query limits + +|Property|Limit|Error Message| +|:---|:---|:---| +|Query Rows|6|Too many query rows ([number of rows]). The limit is: [limit].| +|Query String Length|1500 chars|Too long ([queryLength] characters). The limit is: [limit].| +|Max Number of Operators|60|Too many operators: [number of operators]. The maximum number of possible operators is: [limit].| +|Max Number of Selectors|50|Too many selectors: [number of selectors]. The maximum number of possible selectors is: [limit].| +|Max Time Range|1000d|The given time range was invalid.| +|Max Quantization Interval|30d|The given quantization was too big.| +|Max Timeshift|1000d|The given timeshift was too big.| + +## Platform service + +- **Playbook actions**. Limited to 350 actions per hour per organization. + +## Cloud SIEM + +- **Signal limits**. Up to 100,000 signals/hour or 1 million/24 hours. + +## Field extraction + +- **Field name limit**. Up to 200 Field Extraction Rules per org. +- **Field name (key) length**. Up to 255 characters. +- **Field value length**. Up to 200 characters. +- **Custom field limit**. Up to 400 for Enterprise and Enterprise Suite users. +- **Shared quota**. Field Extraction Rule and metadata fields share the 200-field limit. +- **Subqueries**. Not supported. +- **HTTP request field limit**. Up to 30 fields. + +## Partitions + +- **Maximum partitions**. Up to 50 per account. +- **Optimal size**. Between 1%–30% of daily ingest. Ideally, with less than 5 TB data per day flowing into each. + - Below 1% can cause index fragmentation and degraded search performance. + - Above 30% may reduce performance gains. +- **Name restrictions**. Cannot start with `sumologic_` or an underscore (`_`). +- **Routing rule length**. Up to 2048 characters. +- **Unsupported conditions**. Do not use the `NOT` operator or `sourceHost` when defining partitions. + +## Scheduled views + +- **Maximum views**. Up to 500 per account. +- **Start date**. Cannot select a date older than 365 days. +- **Unsupported**. Subqueries and Field Extraction Rules are not supported. + +## Users and roles + +- **Users**. Up to 1,000 per account. +- **Roles**. Up to 100 per account. +- **Naming**. Role names must use alphanumeric characters or underscores (`_`). +- **Free accounts**. Limited to 3 users. + +## Accounts + +### Free accounts + +- **Daily ingest**. 500 MB per day. +- **Retention**. 7 days for logs. +- **Storage**. Up to 4 GB. +- **Users**. Up to 3. +- **Continuous queries**. Up to 20. +- **Dashboard panel time range**. Up to 7 days. + +### Trial accounts + +- **Daily ingest**. 1 GB per day. +- **Retention**. 30 days for logs. +- **Users**. Up to 20 users. + +### Essentials and Enterprise accounts + +- **Retention**. Varies based on subscription. +- **Users**. Can be scaled to meet organizational needs. + +### Cloud Flex Legacy accounts + +- **Collectors**. Maximum of 10,000 Collectors per organization. +- **Sources**. Maximum of 1,000 Sources per Collector. +- **Processing Rules**. Maximum of 100 Processing Rules per Source. +- **Continuous Queries**. Maximum of 200 queries per organization (excluding Free accounts). + +### Flex accounts + +#### Free flex accounts + +- **Daily Credit Allocation**. 1.25 credits per day. +- **Retention**. 7 days for logs. +- **Users**. Limited to 3 users. + +#### Trial flex accounts + +- **Daily Credit Allocation**. 1 GB per day. +- **Retention**. 30 days for logs. +- **Users**. Up to 20 users. + +## Dashboards + +- **Panel queries**. Up to 6 log and 6 metric queries. +- **Queries per dashboard**. Up to 100. +- **Data points per query**. Dashboard queries cannot return more than 1,440 data points. +- **Query length**. Queries built for dashboards/panels have a limit of 10,240 characters. +- **Time range**. Up to 32 days per panel. +- **PDF Export timeout**. Will timeout after 5 minutes if a panel takes too long to load. +- **Template variable queries**. Up to 10 concurrent queries per user. +- **External sharing**. Dashboards shared outside an organization are view-only. +- **Time range support**. Only relative time supported (e.g., Last 15 Minutes). Absolute time ranges are not supported. + +## SLO + +- **Data Retention**. 800 days. + +## Metric + +### Metric retention + +| Data Type Retained | Retention Period | +|:--|:--| +| Raw | 30 days | +| 1-hour resolution | 13 months | + +### Host metric source limits + +- **Disk metrics**. Approximately 10 metrics are collected for each Source disk on each host. +- **Network metrics**. Network metrics are calculated per interface on each host, and approximately 4 metrics per interface are collected. +- **CPU, memory, and TCP metrics**. Approximately 10 CPU, memory, and TCP metrics are collected for each host. diff --git a/sidebars.ts b/sidebars.ts index f4399a1895..2b8990b9e3 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -32,6 +32,7 @@ module.exports = { 'get-started/apps-integrations', 'get-started/library', 'get-started/system-requirements', + 'get-started/sumo-logic-limits', 'get-started/ai-machine-learning', 'get-started/keyboard-shortcuts', 'get-started/training-certification-faq',