From 5567f59a72ba02f077a602e4322b441e5af6425b Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 7 May 2025 15:44:45 +0530 Subject: [PATCH 01/11] Sumo Logic Limits document --- docs/get-started/sumologic-limits.md | 220 +++++++++++++++++++++++++++ sidebars.ts | 1 + 2 files changed, 221 insertions(+) create mode 100644 docs/get-started/sumologic-limits.md diff --git a/docs/get-started/sumologic-limits.md b/docs/get-started/sumologic-limits.md new file mode 100644 index 0000000000..729c6d319e --- /dev/null +++ b/docs/get-started/sumologic-limits.md 
@@ -0,0 +1,220 @@ +--- +id: sumologic-limits +title: Sumo Logic Limits +sidebar_label: Sumo Logic Limits +description: Learn about the limitation of Sumo Logic objects. +--- + +This documents list all the maximum permissible limits for different Sumo Lpgic objects. + +## Alerts and Monitors + +### Log monitors + +- **Enterprise and Trial plan customers**. Up to 1,000 log monitors. +- **Essentials and Professional plan customers**. Up to 300 log monitors. +- **Free Trial customers**. Up to 50 log monitors. +- **Log Monitor Query Length**. Up to 15,000 characters. +- **Execution Delay**. 2 minutes (to account for ingestion delays). + +### Metric monitors + +- **Enterprise and Trial plan customers**. Up to 1,500 metric monitors. +- **Essentials and Professional plan customers**. Up to 500 metric monitors. +- **Free Trial customers**. Up to 50 metric monitors. +- **Aggregate Metric Monitor**. Can evaluate up to 15,000 time series. +- **Non-aggregate Metric Monitor**. Can evaluate up to 3,000 time series. +- **Execution Delay**. 1 minute. +- **Metric Monitor Query**. Up to 6 queries. + +### General monitor limits + +- **Maximum number of monitors (active and inactive)**. Up to 5,000 (can be increased by contacting support). +- **Email notifications**. Up to 100 recipients. + +### Notification grouping + +- Log monitors always group notifications. +- Metric monitors can group notifications, resolving when all time series return to normal. + +### Unsupported features in monitors + +- [Receipt Time](../../search/get-started-with-search/build-search/use-receipt-time.md) is not supported. +- [LogReduce](/docs/search/behavior-insights/logreduce/logreduce-operator) and [LogCompare](/docs/search/behavior-insights/logcompare) operators are not supported. +- Monitors only support the Continuous data tier. +- [Save to Index](../scheduled-searches/save-to-index.md) and [Save to Lookup](../scheduled-searches/save-to-lookup.md) are not supported. 
+- [Search templates](../../search/get-started-with-search/build-search/search-templates.md) are not supported. +- [`Timeshift metrics`](/docs/metrics/metrics-operators/timeshift) operator is not supported in Metric Monitors. + +### Alert response + +- **Related Alerts and Monitor History**. Shows the top 250 alerts. +- **Alert Visualization**. Only shown for alerts less than 30 days old. +- **Alert List**. Displays up to 1,000 alerts triggered within the past 30 days. + +### Scheduled searches + +- A maximum of 6,000 Scheduled Searches are allowed per account. +- The timeout for a Scheduled Search is equivalent to 1/3rd of the search's time range, with a minimum timeout of 3 minutes and a maximum timeout of 120 minutes. +- A maximum of 120 emails can be sent per day per Scheduled Search. +- No more than 512 records returned by a Scheduled Search run are used for webhook connections. +- Scheduled Searches are limited to extracting 100 unique rows of data each time they trigger. +- Scheduled Searches *cannot* be used on the Infrequent Tier. + +## Collectors and Sources + +- Maximum number of collector per organization is 10,000. +- A single installed collector can handle up to 15,000 events per second. +- Log messages greater than 64KB are truncated. +- A collector or sources can have up to 10 fields. +- A collector can have up to 1,000 sources. +- Multiline logs are limited to 2000 lines or 512KB. +- Maximum of 100 processing rules per source. +- The number of Cloud-to-Cloud Sources is limited to 20 for free accounts, and 50 for all other accounts. +- You are warned when you reach 80% of the limit (16 Sources for free accounts, and 40 Sources for other accounts). + +## Log Search + +- Search queries are limited to 15,000 characters for search queries. +- Only the first 100,000 messages will be included in your search results. If your time range includes more than 100,000 messages, your source message may not be highlighted in the returned results. 
+- Surrounding messages are limited to the first 100,000 messages. If your time range includes more than 100,000 messages, your source message may not be included in your returned results. +- The maximum value for the limit parameter in the Search Job API is 10,000 records. + +### Subquery limits + +- Maximum of 10,000 unique results (rows) from the child query. +- Limited to 100MB of memory to return those results. +- Subqueries are not supported in: + - Auto-refresh dashboards. + - Real-time Scheduled Searches. + - Field Extraction Rules. + - Scheduled Views. + +### Metric query limits + +|Property|Limit|Error Message| +|:---|:---|:---| +|Query Rows|6|Too many query rows ([number of rows]). The limit is: [limit].| +|Query String Length|1500 chars|Too long ([queryLength] characters). The limit is: [limit].| +|Max Number of Operators|60|Too many operators: [number of operators]. The maximum number of possible operators is: [limit].| +|Max Number of Selectors|50|Too many selectors: [number of selectors]. The maximum number of possible selectors is: [limit].| +|Max Time Range|1000d|The given time range was invalid.| +|Max Quantization Interval|30d|The given quantization was too big.| +|Max Timeshift|1000d|The given timeshift was too big.| + +## Platform Service + +- To prevent abuse of system resources or runaway processes the number of playbook actions your organization can execute to 350 per hour. + +## Cloud SIEM + +- Limit of 100K signals per hour or 1M signals for 24 hours, + +## Field Extraction + +- Field name limit for Field Extraction Rules is limited to 200. +- A field name (key) is limited to a maximum length of 255 characters. +- A field value is limited to a maximum length of 200 characters. +- Enterprise and Enterprise Suite users can create a maximum of 400 fields. +- Subqueries are *not supported* in Field Extraction Rules. +- Fields created as log metadata and from Field Extraction Rules share the same quota of 200 fields. 
+- An HTTP request is limited to 30 fields. + +## Partitions + +- Maximum of 50 partitions can be created per account. +- **Optimal Size**. Between 1% and 30% of total ingest. + - Partitions smaller than 1% may cause index fragmentation and degraded search performance. + - Partitions larger than 30% are possible but may result in diminished performance gains. +- Partition names cannot start with `sumologic_` or an underscore `_`. +- Partition routing rule length cannot exceed 2048 characters. +- Do not use the `NOT` operator in partition definitions. +- Avoid using `sourceHost` to define partitions. +- Ideal partition size is less than 5 TB data per day flowing into them. + +## Scheduled Views + +- Maximum of 500 scheduled views can be created per account. +- Subqueries are not supported in Scheduled Views. +- You cannot select a start date older than 365 days. +- Field Extraction Rules are not supported in Scheduled Views. + +## Users and Roles + +- Maximum of 1000 users and 100 roles can be created per account. +- Role names can only contain alphanumeric characters and underscores `_`. +- Free accounts are limited to 3 users. + +## Accounts + +### Free account limits + +- **Daily ingest**. 500 MB per day. +- **Retention**. 7 days for logs. +- **Storage**. 4 GB total. +- **Users**. Limited to 3 users. +- **Continuous queries**. Limited to 20 queries. +- **Dashboard panel time range**. Cannot exceed 7 days. + +### Trial account limits + +- **Daily ingest**. 1 GB per day. +- **Retention**. 30 days for logs. +- **Users**. Up to 20 users. + +### Essentials and Enterprise account limits + +- **Retention**. Varies based on subscription. +- **Users**. Can be scaled to meet organizational needs. + +### Cloud Flex Legacy account limits + +- **Collectors**. Maximum of 10,000 Collectors per organization. +- **Sources**. Maximum of 1,000 Sources per Collector. +- **Processing Rules**. Maximum of 100 Processing Rules per Source. +- **Continuous Queries**. 
Maximum of 200 queries per organization (excluding Free accounts). + +### Flex account limits + +#### Free flex account + +- **Daily Credit Allocation**. 1.25 credits per day. +- **Retention**. 7 days for logs. +- **Users**. Limited to 3 users. + +#### Trial flex aaccounts + +- **Daily Credit Allocation**. 1 GB per day. +- **Retention**. 30 days for logs. +- **Users**. Up to 20 users. + +## Dashboards + +- Maximum of 6 log queries and 6 metric queries per panel. +- A Dashboard can have up to 100 queries. +- Dashboard queries cannot return more than 1,440 data points. +- Queries built for dashboards/panels have a limit of 10,240 characters. +- Panels are limited to a 32-day maximum time range. +- PDF export will timeout after 5 minutes if panels take too long to load. +- Template variable queries are limited to 10 concurrent queries per user. +- Dashboards shared outside the organization are view-only. +- Panels must use relative time ranges (e.g., Last 15 Minutes). Absolute time ranges are not supported. + +## SLO + +- **Data Retention**. 800 days. + +## Metric + +### Metric retention + +| Data Type Retained | Retention Period | +|:--|:--| +| Raw | 30 days | +| 1-hour resolution | 13 months | + +### Limits for host metrics sources + +- **Disk metrics**. Approximately 10 metrics are collected for each Source disk on each host. +- **Network metrics**. Network metrics are calculated per interface on each host, and approximately 4 metrics per interface are collected. +- **CPU, memory, and TCP metrics.** Approximately 10 CPU, memory, and TCP metrics are collected for each host. \ No newline at end of file diff --git a/sidebars.ts b/sidebars.ts index f4399a1895..53ff7321c5 100644 --- a/sidebars.ts +++ b/sidebars.ts 
@@ -32,6 +32,7 @@ module.exports = { 'get-started/apps-integrations', 'get-started/library', 'get-started/system-requirements', + 'get-started/sumologic-limits', 'get-started/ai-machine-learning', 'get-started/keyboard-shortcuts', 'get-started/training-certification-faq', From 57f1aafb6a96067d475f41d39b7a4ac6672192f5 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 7 May 2025 17:13:37 +0530 Subject: [PATCH 02/11] minor fix --- docs/get-started/sumologic-limits.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/get-started/sumologic-limits.md b/docs/get-started/sumologic-limits.md index 729c6d319e..d8c8e75957 100644 --- a/docs/get-started/sumologic-limits.md +++ b/docs/get-started/sumologic-limits.md @@ -39,11 +39,11 @@ This documents list all the maximum permissible limits for different Sumo Lpgic ### Unsupported features in monitors -- [Receipt Time](../../search/get-started-with-search/build-search/use-receipt-time.md) is not supported. +- [Receipt Time](/docs/search/get-started-with-search/build-search/use-receipt-time) is not supported. - [LogReduce](/docs/search/behavior-insights/logreduce/logreduce-operator) and [LogCompare](/docs/search/behavior-insights/logcompare) operators are not supported. - Monitors only support the Continuous data tier. -- [Save to Index](../scheduled-searches/save-to-index.md) and [Save to Lookup](../scheduled-searches/save-to-lookup.md) are not supported. -- [Search templates](../../search/get-started-with-search/build-search/search-templates.md) are not supported. +- [Save to Index](/docs/alerts/scheduled-searches/save-to-index) and [Save to Lookup](/docs/alerts/scheduled-searches/save-to-lookup) are not supported. +- [Search templates](/docs/search/get-started-with-search/build-search/search-templates.md) are not supported. - [`Timeshift metrics`](/docs/metrics/metrics-operators/timeshift) operator is not supported in Metric Monitors. ### Alert response 
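Review bot: In [PATCH 01/11], the new docs/get-started/sumologic-limits.md states limits that contradict each other, and these should be resolved before merge. Under "Field Extraction", one bullet gives Enterprise and Enterprise Suite users "a maximum of 400 fields" while another says log metadata and Field Extraction Rule fields "share the same quota of 200 fields". Under "Trial flex aaccounts", "Daily Credit Allocation" is given as "1 GB per day", although the Free flex entry is expressed in credits. The monitor lists give "Enterprise and Trial plan customers" 1,000 and 1,500 monitors but "Free Trial customers" 50, without saying how Trial and Free Trial differ. Please state which plan each number applies to and use one unit per property. Smaller fixes in the same hunk: "This documents list ... Sumo Lpgic objects", "aaccounts", the "Platform Service" sentence that has no verb ("...can execute to 350 per hour"), the trailing comma after "1M signals for 24 hours,", and the missing newline at end of file. The relative links such as `../scheduled-searches/save-to-index.md` resolve to docs/scheduled-searches/ from this file's directory, not to the /docs/alerts/scheduled-searches/ path that [PATCH 02/11] switches to.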
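Review bot: In [PATCH 02/11], the rewritten "Search templates" link still ends in `.md` (`/docs/search/get-started-with-search/build-search/search-templates.md`), while the other three links converted in this hunk drop the extension. Remove `.md` there so every absolute `/docs/...` link uses the same form.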
From 7cdd9f47bd02494b1ecb21f6804add0ae0ec614e Mon Sep 17 00:00:00 2001 From: Kim Pohas Date: Wed, 7 May 2025 19:42:19 -0700 Subject: [PATCH 03/11] Proposed edits to Limits doc --- docs/get-started/sumo-logic-limits.md | 223 ++++++++++++++++++++++++++ docs/get-started/sumologic-limits.md | 220 ------------------------- sidebars.ts | 4 +- 3 files changed, 225 insertions(+), 222 deletions(-) create mode 100644 docs/get-started/sumo-logic-limits.md delete mode 100644 docs/get-started/sumologic-limits.md diff --git a/docs/get-started/sumo-logic-limits.md b/docs/get-started/sumo-logic-limits.md new file mode 100644 index 0000000000..044b80e3bd --- /dev/null +++ b/docs/get-started/sumo-logic-limits.md 
@@ -0,0 +1,223 @@ +--- +id: sumo-logic-limits +title: Sumo Logic Limits and Quotas Reference +sidebar_label: Limits and Quotas +description: A comprehensive reference of quotas, limitations, and maximum values across Sumo Logic services. +--- + +This documents list all the maximum permissible limits for different Sumo Lpgic objects. + +## Alerts and monitors + +- **Maximum number of monitors (active and inactive)**. Up to 5,000 (can be increased by contacting support). +- **Email notifications**. Up to 100 recipients. + +### Log monitors + +| Plan | Max Log Monitors | +|:-------------------------|:-----------------| +| Enterprise, Trial | 1,000 | +| Essentials, Professional | 300 | +| Free Trial | 50 | + +- **Query length**. Up to 15,000 characters. +- **Execution delay**. 2 minutes (to allow for ingestion lag). + +### Metric monitors + +| Plan | Max Metric Monitors | +|:-------------------------|:--------------------| +| Enterprise, Trial | 1,500 | +| Essentials, Professional | 500 | +| Free Trial | 50 | + +- **Aggregate monitor**. Can evaluate up to 15,000 time series. +- **Non-aggregate monitor**. Can evaluate up to 3,000 time series. +- **Execution delay**. 1 minute. +- **Query limit**. Up to 6 queries. + +### Notification grouping + +- **Log monitors**. Always group notifications. +- **Metric monitors**. Can group notifications, resolving when all time series return to normal. + +### Unsupported features in monitors + +- **[Receipt Time](/docs/search/get-started-with-search/build-search/use-receipt-time)**. Not supported. +- **[LogReduce](/docs/search/behavior-insights/logreduce/logreduce-operator) and [LogCompare](/docs/search/behavior-insights/logcompare) operators**. Not supported. +- **[Frequent](/docs/manage/partitions/data-tiers) and [Infrequent](/docs/manage/partitions/data-tiers) data tiers**. Not supported. +- **[Save to Index](/docs/alerts/scheduled-searches/save-to-index) and [Save to Lookup](/docs/alerts/scheduled-searches/save-to-lookup)**. 
Not supported. +- **[Search templates](/docs/search/get-started-with-search/build-search/search-templates.md)**. Not supported. +- **[`timeshift` metrics operator](/docs/metrics/metrics-operators/timeshift)**. Not supported in Metric Monitors. + +### Alert response + +- **Related Alerts and Monitor History**. Shows the top 250 alerts. +- **Alert Visualization**. Only shown for alerts less than 30 days old. +- **Alert List**. Displays up to 1,000 alerts triggered within the past 30 days. + +### Scheduled searches + +- **Maximum searches**. Up to 6,000 per account. +- **Timeout**. One-third of search range (min 3 minutes, max 120 minutes). +- **Emails per search**. Up to 120 emails per day. +- **Webhook connections**. Limited to 512 records. +- **Row extraction**. Limited to 100 unique rows per trigger. +- **Infrequent Data Tier**. Not supported. + +## Collectors and Sources + + + +- Maximum number of collector per organization is 10,000. +- A single installed collector can handle up to 15,000 events per second. +- Log messages greater than 64KB are truncated. +- A collector or sources can have up to 10 fields. +- A collector can have up to 1,000 sources. +- Multiline logs are limited to 2000 lines or 512KB. +- Maximum of 100 processing rules per source. +- The number of Cloud-to-Cloud Sources is limited to 20 for free accounts, and 50 for all other accounts. +- You are warned when you reach 80% of the limit (16 Sources for free accounts, and 40 Sources for other accounts). + +## Log Search + +- **Query length**. Up to 15,000 characters. +- **Results limit**. Only the first 100,000 messages are included. If your time range includes more than 100,000 messages, your source message may not be highlighted in the returned results. +- **Surrounding messages**. Also limited to 100,000. If your time range includes more than 100,000 messages, your source message may not be included in your returned results. +- **Search Job API limit parameter**. Max 10,000 records. 
+ +### Subquery limits + +- Up to 10,000 unique results (rows) from the child query. +- Up to 100MB of memory to return those results. +- Subqueries are not supported in: + - Auto-refresh dashboards. + - Field Extraction Rules. + - Scheduled Views. + +### Metric query limits + +|Property|Limit|Error Message| +|:---|:---|:---| +|Query Rows|6|Too many query rows ([number of rows]). The limit is: [limit].| +|Query String Length|1500 chars|Too long ([queryLength] characters). The limit is: [limit].| +|Max Number of Operators|60|Too many operators: [number of operators]. The maximum number of possible operators is: [limit].| +|Max Number of Selectors|50|Too many selectors: [number of selectors]. The maximum number of possible selectors is: [limit].| +|Max Time Range|1000d|The given time range was invalid.| +|Max Quantization Interval|30d|The given quantization was too big.| +|Max Timeshift|1000d|The given timeshift was too big.| + +## Platform service + +- **Playbook actions**. Limited to 350 actions per hour per organization. + +## Cloud SIEM + +- **Signal limits**. Up to 100,000 signals/hour or 1 million/24 hours. + +## Field extraction + +- **Field name limit**. Up to 200 Field Extraction Rules per org. +- **Field name (key) length**. Up to 255 characters. +- **Field value length**. Up to 200 characters. +- **Custom field limit**. Up to 400 for Enterprise and Enterprise Suite users. +- **Shared quota**. Field Extraction Rule and metadata fields share the 200-field limit. +- **Subqueries**. Not supported. +- **HTTP request field limit**. Up to 30 fields. + +## Partitions + +- **Maximum partitions**. Up to 50 per account. +- **Optimal size**. Between 1%–30% of daily ingest. Ideally, with less than 5 TB data per day flowing into them. + - Below 1% can cause index fragmentation and degraded search performance. + - Above 30% may reduce performance gains. +- **Name restrictions**. Cannot start with `sumologic_` or an underscore (`_`). +- **Routing rule length**. 
Up to 2048 characters. +- **Unsupported conditions**. Do not use the `NOT` operator or `sourceHost` when defining partitions. + +## Scheduled views + +- **Maximum views**. Up to 500 per account. +- **Start date**. Cannot select a date older than 365 days. +- **Unsupported**. Subqueries and Field Extraction Rules are not supported. + +## Users and roles + +- **Users**. Up to 1,000 per account. +- **Roles**. Up to 100 per account. +- **Naming**. Role names must use alphanumeric characters or underscores (`_`). +- **Free accounts**. Limited to 3 users. + +## Accounts + +### Free accounts + +- **Daily ingest**. 500 MB per day. +- **Retention**. 7 days for logs. +- **Storage**. Up to 4 GB. +- **Users**. Up to 3. +- **Continuous queries**. Up to 20. +- **Dashboard panel time range**. Up to 7 days. + +### Trial accounts + +- **Daily ingest**. 1 GB per day. +- **Retention**. 30 days for logs. +- **Users**. Up to 20 users. + +### Essentials and Enterprise accounts + +- **Retention**. Varies based on subscription. +- **Users**. Can be scaled to meet organizational needs. + +### Cloud Flex Legacy accounts + +- **Collectors**. Maximum of 10,000 Collectors per organization. +- **Sources**. Maximum of 1,000 Sources per Collector. +- **Processing Rules**. Maximum of 100 Processing Rules per Source. +- **Continuous Queries**. Maximum of 200 queries per organization (excluding Free accounts). + +### Flex accounts + +#### Free flex accounts + +- **Daily Credit Allocation**. 1.25 credits per day. +- **Retention**. 7 days for logs. +- **Users**. Limited to 3 users. + +#### Trial flex accounts + +- **Daily Credit Allocation**. 1 GB per day. +- **Retention**. 30 days for logs. +- **Users**. Up to 20 users. + +## Dashboards + +- **Panel queries**. Up to 6 log and 6 metric queries. +- **Queries per dashboard**. Up to 100. +- **Data points per query**. Dashboard queries cannot return more than 1,440 data points. +- **Query length**. 
Queries built for dashboards/panels have a limit of 10,240 characters. +- **Time range**. Up to 32 days per panel. +- **PDF Export timeout**. Will timeout after 5 minutes if a panel takes too long to load. +- **Template variable queries**. Up to 10 concurrent queries per user. +- **External sharing**. Dashboards shared outside an organization are view-only. +- **Time range support**. Only relative time supported (e.g., Last 15 Minutes). Absolute time ranges are not supported. + +## SLO + +- **Data Retention**. 800 days. + +## Metric + +### Metric retention + +| Data Type Retained | Retention Period | +|:--|:--| +| Raw | 30 days | +| 1-hour resolution | 13 months | + +### Host metric source limits + +- **Disk metrics**. Approximately 10 metrics are collected for each Source disk on each host. +- **Network metrics**. Network metrics are calculated per interface on each host, and approximately 4 metrics per interface are collected. +- **CPU, memory, and TCP metrics**. Approximately 10 CPU, memory, and TCP metrics are collected for each host. diff --git a/docs/get-started/sumologic-limits.md b/docs/get-started/sumologic-limits.md deleted file mode 100644 index d8c8e75957..0000000000 --- a/docs/get-started/sumologic-limits.md +++ /dev/null 
@@ -1,220 +0,0 @@ ---- -id: sumologic-limits -title: Sumo Logic Limits -sidebar_label: Sumo Logic Limits -description: Learn about the limitation of Sumo Logic objects. ---- - -This documents list all the maximum permissible limits for different Sumo Lpgic objects. - -## Alerts and Monitors - -### Log monitors - -- **Enterprise and Trial plan customers**. Up to 1,000 log monitors. -- **Essentials and Professional plan customers**. Up to 300 log monitors. -- **Free Trial customers**. Up to 50 log monitors. -- **Log Monitor Query Length**. Up to 15,000 characters. -- **Execution Delay**. 2 minutes (to account for ingestion delays). - -### Metric monitors - -- **Enterprise and Trial plan customers**. Up to 1,500 metric monitors. -- **Essentials and Professional plan customers**. Up to 500 metric monitors. -- **Free Trial customers**. Up to 50 metric monitors. -- **Aggregate Metric Monitor**. Can evaluate up to 15,000 time series. -- **Non-aggregate Metric Monitor**. Can evaluate up to 3,000 time series. -- **Execution Delay**. 1 minute. -- **Metric Monitor Query**. Up to 6 queries. - -### General monitor limits - -- **Maximum number of monitors (active and inactive)**. Up to 5,000 (can be increased by contacting support). -- **Email notifications**. Up to 100 recipients. - -### Notification grouping - -- Log monitors always group notifications. -- Metric monitors can group notifications, resolving when all time series return to normal. - -### Unsupported features in monitors - -- [Receipt Time](/docs/search/get-started-with-search/build-search/use-receipt-time) is not supported. -- [LogReduce](/docs/search/behavior-insights/logreduce/logreduce-operator) and [LogCompare](/docs/search/behavior-insights/logcompare) operators are not supported. -- Monitors only support the Continuous data tier. -- [Save to Index](/docs/alerts/scheduled-searches/save-to-index) and [Save to Lookup](/docs/alerts/scheduled-searches/save-to-lookup) are not supported. 
-- [Search templates](/docs/search/get-started-with-search/build-search/search-templates.md) are not supported. -- [`Timeshift metrics`](/docs/metrics/metrics-operators/timeshift) operator is not supported in Metric Monitors. - -### Alert response - -- **Related Alerts and Monitor History**. Shows the top 250 alerts. -- **Alert Visualization**. Only shown for alerts less than 30 days old. -- **Alert List**. Displays up to 1,000 alerts triggered within the past 30 days. - -### Scheduled searches - -- A maximum of 6,000 Scheduled Searches are allowed per account. -- The timeout for a Scheduled Search is equivalent to 1/3rd of the search's time range, with a minimum timeout of 3 minutes and a maximum timeout of 120 minutes. -- A maximum of 120 emails can be sent per day per Scheduled Search. -- No more than 512 records returned by a Scheduled Search run are used for webhook connections. -- Scheduled Searches are limited to extracting 100 unique rows of data each time they trigger. -- Scheduled Searches *cannot* be used on the Infrequent Tier. - -## Collectors and Sources - -- Maximum number of collector per organization is 10,000. -- A single installed collector can handle up to 15,000 events per second. -- Log messages greater than 64KB are truncated. -- A collector or sources can have up to 10 fields. -- A collector can have up to 1,000 sources. -- Multiline logs are limited to 2000 lines or 512KB. -- Maximum of 100 processing rules per source. -- The number of Cloud-to-Cloud Sources is limited to 20 for free accounts, and 50 for all other accounts. -- You are warned when you reach 80% of the limit (16 Sources for free accounts, and 40 Sources for other accounts). - -## Log Search - -- Search queries are limited to 15,000 characters for search queries. -- Only the first 100,000 messages will be included in your search results. If your time range includes more than 100,000 messages, your source message may not be highlighted in the returned results. 
-- Surrounding messages are limited to the first 100,000 messages. If your time range includes more than 100,000 messages, your source message may not be included in your returned results. -- The maximum value for the limit parameter in the Search Job API is 10,000 records. - -### Subquery limits - -- Maximum of 10,000 unique results (rows) from the child query. -- Limited to 100MB of memory to return those results. -- Subqueries are not supported in: - - Auto-refresh dashboards. - - Real-time Scheduled Searches. - - Field Extraction Rules. - - Scheduled Views. - -### Metric query limits - -|Property|Limit|Error Message| -|:---|:---|:---| -|Query Rows|6|Too many query rows ([number of rows]). The limit is: [limit].| -|Query String Length|1500 chars|Too long ([queryLength] characters). The limit is: [limit].| -|Max Number of Operators|60|Too many operators: [number of operators]. The maximum number of possible operators is: [limit].| -|Max Number of Selectors|50|Too many selectors: [number of selectors]. The maximum number of possible selectors is: [limit].| -|Max Time Range|1000d|The given time range was invalid.| -|Max Quantization Interval|30d|The given quantization was too big.| -|Max Timeshift|1000d|The given timeshift was too big.| - -## Platform Service - -- To prevent abuse of system resources or runaway processes the number of playbook actions your organization can execute to 350 per hour. - -## Cloud SIEM - -- Limit of 100K signals per hour or 1M signals for 24 hours, - -## Field Extraction - -- Field name limit for Field Extraction Rules is limited to 200. -- A field name (key) is limited to a maximum length of 255 characters. -- A field value is limited to a maximum length of 200 characters. -- Enterprise and Enterprise Suite users can create a maximum of 400 fields. -- Subqueries are *not supported* in Field Extraction Rules. -- Fields created as log metadata and from Field Extraction Rules share the same quota of 200 fields. 
-- An HTTP request is limited to 30 fields. - -## Partitions - -- Maximum of 50 partitions can be created per account. -- **Optimal Size**. Between 1% and 30% of total ingest. - - Partitions smaller than 1% may cause index fragmentation and degraded search performance. - - Partitions larger than 30% are possible but may result in diminished performance gains. -- Partition names cannot start with `sumologic_` or an underscore `_`. -- Partition routing rule length cannot exceed 2048 characters. -- Do not use the `NOT` operator in partition definitions. -- Avoid using `sourceHost` to define partitions. -- Ideal partition size is less than 5 TB data per day flowing into them. - -## Scheduled Views - -- Maximum of 500 scheduled views can be created per account. -- Subqueries are not supported in Scheduled Views. -- You cannot select a start date older than 365 days. -- Field Extraction Rules are not supported in Scheduled Views. - -## Users and Roles - -- Maximum of 1000 users and 100 roles can be created per account. -- Role names can only contain alphanumeric characters and underscores `_`. -- Free accounts are limited to 3 users. - -## Accounts - -### Free account limits - -- **Daily ingest**. 500 MB per day. -- **Retention**. 7 days for logs. -- **Storage**. 4 GB total. -- **Users**. Limited to 3 users. -- **Continuous queries**. Limited to 20 queries. -- **Dashboard panel time range**. Cannot exceed 7 days. - -### Trial account limits - -- **Daily ingest**. 1 GB per day. -- **Retention**. 30 days for logs. -- **Users**. Up to 20 users. - -### Essentials and Enterprise account limits - -- **Retention**. Varies based on subscription. -- **Users**. Can be scaled to meet organizational needs. - -### Cloud Flex Legacy account limits - -- **Collectors**. Maximum of 10,000 Collectors per organization. -- **Sources**. Maximum of 1,000 Sources per Collector. -- **Processing Rules**. Maximum of 100 Processing Rules per Source. -- **Continuous Queries**. 
Maximum of 200 queries per organization (excluding Free accounts). - -### Flex account limits - -#### Free flex account - -- **Daily Credit Allocation**. 1.25 credits per day. -- **Retention**. 7 days for logs. -- **Users**. Limited to 3 users. - -#### Trial flex aaccounts - -- **Daily Credit Allocation**. 1 GB per day. -- **Retention**. 30 days for logs. -- **Users**. Up to 20 users. - -## Dashboards - -- Maximum of 6 log queries and 6 metric queries per panel. -- A Dashboard can have up to 100 queries. -- Dashboard queries cannot return more than 1,440 data points. -- Queries built for dashboards/panels have a limit of 10,240 characters. -- Panels are limited to a 32-day maximum time range. -- PDF export will timeout after 5 minutes if panels take too long to load. -- Template variable queries are limited to 10 concurrent queries per user. -- Dashboards shared outside the organization are view-only. -- Panels must use relative time ranges (e.g., Last 15 Minutes). Absolute time ranges are not supported. - -## SLO - -- **Data Retention**. 800 days. - -## Metric - -### Metric retention - -| Data Type Retained | Retention Period | -|:--|:--| -| Raw | 30 days | -| 1-hour resolution | 13 months | - -### Limits for host metrics sources - -- **Disk metrics**. Approximately 10 metrics are collected for each Source disk on each host. -- **Network metrics**. Network metrics are calculated per interface on each host, and approximately 4 metrics per interface are collected. -- **CPU, memory, and TCP metrics.** Approximately 10 CPU, memory, and TCP metrics are collected for each host. \ No newline at end of file diff --git a/sidebars.ts b/sidebars.ts index 53ff7321c5..84440aa382 100644 --- a/sidebars.ts +++ b/sidebars.ts 
@@ -32,7 +32,7 @@ module.exports = { 'get-started/apps-integrations', 'get-started/library', 'get-started/system-requirements', - 'get-started/sumologic-limits', + 'get-started/sumo-logic-limits', 'get-started/ai-machine-learning', 'get-started/keyboard-shortcuts', 'get-started/training-certification-faq', @@ -3039,7 +3039,7 @@ integrations: [ 'security/threat-intelligence/threat-intelligence-indicators', 'security/threat-intelligence/upload-formats', ], - }, + }, ], api: [ { From 1e1ab4df72d3bac1f796835fc962de554116d364 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Thu, 8 May 2025 11:40:02 +0530 Subject: [PATCH 04/11] Update docs/get-started/sumologic-limits.md Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com> --- docs/get-started/sumologic-limits.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/get-started/sumologic-limits.md b/docs/get-started/sumologic-limits.md index d8c8e75957..776f82e0fa 100644 --- a/docs/get-started/sumologic-limits.md +++ b/docs/get-started/sumologic-limits.md @@ -86,7 +86,6 @@ This documents list all the maximum permissible limits for different Sumo Lpgic - Limited to 100MB of memory to return those results. - Subqueries are not supported in: - Auto-refresh dashboards. - - Real-time Scheduled Searches. - Field Extraction Rules. - Scheduled Views. From c9a954d48da9bd3cc6cdd2b59eb3777e62eac501 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Thu, 8 May 2025 11:43:25 +0530 Subject: [PATCH 05/11] Update docs/get-started/sumologic-limits.md Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com> --- docs/get-started/sumologic-limits.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/get-started/sumologic-limits.md b/docs/get-started/sumologic-limits.md index 776f82e0fa..ed52474e98 100644 --- a/docs/get-started/sumologic-limits.md +++ b/docs/get-started/sumologic-limits.md 
@@ -5,7 +5,7 @@ sidebar_label: Sumo Logic Limits description: Learn about the limitation of Sumo Logic objects. --- -This documents list all the maximum permissible limits for different Sumo Lpgic objects. +This page lists the maximum limits and quotas for various features, services, and components within Sumo Logic. ## Alerts and Monitors From 5f1f3981c66fca8e2a530dacd7d5a44e16d00c1f Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Thu, 8 May 2025 20:20:12 +0530 Subject: [PATCH 06/11] minor fixes --- docs/get-started/sumo-logic-limits.md | 30 +++++++++++++-------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/docs/get-started/sumo-logic-limits.md b/docs/get-started/sumo-logic-limits.md index 044b80e3bd..a2633a4371 100644 --- a/docs/get-started/sumo-logic-limits.md +++ b/docs/get-started/sumo-logic-limits.md 
@@ -5,41 +5,41 @@ sidebar_label: Limits and Quotas description: A comprehensive reference of quotas, limitations, and maximum values across Sumo Logic services. --- -This documents list all the maximum permissible limits for different Sumo Lpgic objects. +This page lists the baseline limits and quotas for various features, services, and components within Sumo Logic. ## Alerts and monitors -- **Maximum number of monitors (active and inactive)**. Up to 5,000 (can be increased by contacting support). -- **Email notifications**. Up to 100 recipients. +- **[Maximum number of monitors (active and inactive)](/docs/alerts/monitors/monitor-faq/#is-there-a-limit-to-the-number-of-monitors-i-can-have)**. Up to 5,000 (can be increased by contacting support). +- **[Email notifications](/docs/alerts/monitors/overview/#general)**. Up to 100 recipients. ### Log monitors -| Plan | Max Log Monitors | +| [Plan](/docs/alerts/monitors/overview/#log-monitors) | Max Log Monitors | |:-------------------------|:-----------------| | Enterprise, Trial | 1,000 | | Essentials, Professional | 300 | | Free Trial | 50 | -- **Query length**. Up to 15,000 characters. -- **Execution delay**. 2 minutes (to allow for ingestion lag). +- **[Query length](/docs/alerts/monitors/overview/#general)**. Up to 15,000 characters. +- **[Execution delay](/docs/alerts/monitors/overview/#general)**. 2 minutes (to allow for ingestion lag). ### Metric monitors -| Plan | Max Metric Monitors | +| [Plan]((/docs/alerts/monitors/overview/#metrics-monitors)) | Max Metric Monitors | |:-------------------------|:--------------------| | Enterprise, Trial | 1,500 | | Essentials, Professional | 500 | | Free Trial | 50 | -- **Aggregate monitor**. Can evaluate up to 15,000 time series. -- **Non-aggregate monitor**. Can evaluate up to 3,000 time series. -- **Execution delay**. 1 minute. -- **Query limit**. Up to 6 queries. +- **[Aggregate monitor](/docs/alerts/monitors/overview/#general)***. Can evaluate up to 15,000 time series. 
+- **[Non-aggregate monitor](/docs/alerts/monitors/overview/#general)**. Can evaluate up to 3,000 time series. +- **[Execution delay](/docs/alerts/monitors/overview/#metrics-monitors)**. 1 minute. +- **[Query limit](/docs/alerts/monitors/overview/#general)**. Up to 6 queries. ### Notification grouping -- **Log monitors**. Always group notifications. -- **Metric monitors**. Can group notifications, resolving when all time series return to normal. +- **[Log monitors](/docs/alerts/monitors/overview/#alerts)**. Always group notifications. +- **[Metric monitors](/docs/alerts/monitors/overview/#alerts)**. Can group notifications, resolving when all time series return to normal. ### Unsupported features in monitors @@ -67,8 +67,6 @@ This documents list all the maximum permissible limits for different Sumo Lpgic ## Collectors and Sources - - - Maximum number of collector per organization is 10,000. - A single installed collector can handle up to 15,000 events per second. - Log messages greater than 64KB are truncated. @@ -77,7 +75,7 @@ This documents list all the maximum permissible limits for different Sumo Lpgic - Multiline logs are limited to 2000 lines or 512KB. - Maximum of 100 processing rules per source. - The number of Cloud-to-Cloud Sources is limited to 20 for free accounts, and 50 for all other accounts. -- You are warned when you reach 80% of the limit (16 Sources for free accounts, and 40 Sources for other accounts). +- You are warned when you reach 80% of the Cloud-to-Cloud Sources limit (16 Sources for free accounts, and 40 Sources for other accounts). ## Log Search From 8f0f11e7c757a77a7da10a361362d142234ae5bf Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Thu, 8 May 2025 20:24:52 +0530 Subject: [PATCH 07/11] Update docs/get-started/sumo-logic-limits.md --- docs/get-started/sumo-logic-limits.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/get-started/sumo-logic-limits.md b/docs/get-started/sumo-logic-limits.md index a2633a4371..034b6af481 100644 --- a/docs/get-started/sumo-logic-limits.md +++ b/docs/get-started/sumo-logic-limits.md @@ -25,7 +25,7 @@ This page lists the baseline limits and quotas for various features, services, a ### Metric monitors -| [Plan]((/docs/alerts/monitors/overview/#metrics-monitors)) | Max Metric Monitors | +| [Plan](/docs/alerts/monitors/overview/#metrics-monitors) | Max Metric Monitors | |:-------------------------|:--------------------| | Enterprise, Trial | 1,500 | | Essentials, Professional | 500 | From b7cd24a710c5d90ca414b927994d9cbcb0836ee2 Mon Sep 17 00:00:00 2001 From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Thu, 8 May 2025 10:06:17 -0700 Subject: [PATCH 08/11] Update sidebars.ts --- sidebars.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidebars.ts b/sidebars.ts index 84440aa382..2b8990b9e3 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -3039,7 +3039,7 @@ integrations: [ 'security/threat-intelligence/threat-intelligence-indicators', 'security/threat-intelligence/upload-formats', ], - }, + }, ], api: [ { From 234f8d4106f0d9058ebdca99aa49aa3c7bcee6ef Mon Sep 17 00:00:00 2001 From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Thu, 8 May 2025 10:07:52 -0700 Subject: [PATCH 09/11] Update docs/get-started/sumo-logic-limits.md --- docs/get-started/sumo-logic-limits.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/get-started/sumo-logic-limits.md b/docs/get-started/sumo-logic-limits.md index 034b6af481..12d5d8a230 100644 --- a/docs/get-started/sumo-logic-limits.md +++ b/docs/get-started/sumo-logic-limits.md 
@@ -45,7 +45,7 @@ This page lists the baseline limits and quotas for various features, services, a - **[Receipt Time](/docs/search/get-started-with-search/build-search/use-receipt-time)**. Not supported. - **[LogReduce](/docs/search/behavior-insights/logreduce/logreduce-operator) and [LogCompare](/docs/search/behavior-insights/logcompare) operators**. Not supported. -- **[Frequent](/docs/manage/partitions/data-tiers) and [Infrequent](/docs/manage/partitions/data-tiers) data tiers**. Not supported. +- **[Frequent](/docs/manage/partitions/data-tiers) and [Infrequent](/docs/manage/partitions/data-tiers) data tiers**. Not supported. - **[Save to Index](/docs/alerts/scheduled-searches/save-to-index) and [Save to Lookup](/docs/alerts/scheduled-searches/save-to-lookup)**. Not supported. - **[Search templates](/docs/search/get-started-with-search/build-search/search-templates.md)**. Not supported. - **[`timeshift` metrics operator](/docs/metrics/metrics-operators/timeshift)**. Not supported in Metric Monitors. From c513c3dab42f10657189861439724400db93fd81 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Tue, 13 May 2025 10:08:09 +0530 Subject: [PATCH 10/11] Update docs/get-started/sumo-logic-limits.md Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com> --- docs/get-started/sumo-logic-limits.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/get-started/sumo-logic-limits.md b/docs/get-started/sumo-logic-limits.md index 12d5d8a230..3dd6e84115 100644 --- a/docs/get-started/sumo-logic-limits.md +++ b/docs/get-started/sumo-logic-limits.md 
@@ -126,7 +126,7 @@ This page lists the baseline limits and quotas for various features, services, a ## Partitions - **Maximum partitions**. Up to 50 per account. -- **Optimal size**. Between 1%–30% of daily ingest. Ideally, with less than 5 TB data per day flowing into them. +- **Optimal size**. Between 1%–30% of daily ingest. Ideally, with less than 5 TB data per day flowing into each. - Below 1% can cause index fragmentation and degraded search performance. - Above 30% may reduce performance gains. - **Name restrictions**. Cannot start with `sumologic_` or an underscore (`_`). From f7b4cae9b3b07ebeb1f9225e683fdee6a09188b2 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Tue, 13 May 2025 10:08:20 +0530 Subject: [PATCH 11/11] Update docs/get-started/sumo-logic-limits.md Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com> --- docs/get-started/sumo-logic-limits.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/get-started/sumo-logic-limits.md b/docs/get-started/sumo-logic-limits.md index 3dd6e84115..57f3f78ea6 100644 --- a/docs/get-started/sumo-logic-limits.md +++ b/docs/get-started/sumo-logic-limits.md @@ -70,7 +70,7 @@ This page lists the baseline limits and quotas for various features, services, a - Maximum number of collector per organization is 10,000. - A single installed collector can handle up to 15,000 events per second. - Log messages greater than 64KB are truncated. -- A collector or sources can have up to 10 fields. +- A collector or source can have up to 10 fields. - A collector can have up to 1,000 sources. - Multiline logs are limited to 2000 lines or 512KB. - Maximum of 100 processing rules per source.
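Review bot: In the "Flex account limits" section that closes PATCH 01/11, the "Daily Credit Allocation" field is "1.25 credits per day" for the free account but "1 GB per day" for the trial account, so a field named as a credit allocation carries two different units. Please confirm the trial value and state both in the same unit. In the same hunk, `#### Trial flex aaccounts` is misspelled and plural while its sibling heading is `#### Free flex account`, and the new file ends with `\ No newline at end of file`.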
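Review bot: The sidebars.ts hunk at `@@ -32,7 +32,7 @@` changes the entry to `'get-started/sumo-logic-limits'`, but the front matter added in PATCH 01/11 declares `id: sumologic-limits`, and PATCH 04/11 and 05/11 still diff against docs/get-started/sumologic-limits.md. Docusaurus resolves sidebar items by doc id, so the file rename and the `id:` change need to land together with this entry. Please confirm that the visible series leaves the sidebar pointing at an id that exists at every commit.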
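Review bot: The sidebars.ts hunk at `@@ -3039,7 +3039,7 @@` replaces `},` with `},`, a whitespace-only edit unrelated to the limits page, and PATCH 08/11 touches the same line again with another whitespace-only edit. Drop the first change from this commit so the second is not needed. If the indentation does need fixing, do it once in a commit whose message says so.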
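Review bot: PATCH 04/11 deletes `- Real-time Scheduled Searches.` from the list under "Subqueries are not supported in:" without saying why; the commit message is only "Update docs/get-started/sumologic-limits.md". Readers rely on this list to know where a subquery will be rejected, so the message should state whether the restriction was lifted or the entry was wrong. If the behaviour differs by plan or version, keep the item and qualify it instead of removing it.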
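Review bot: In the first hunk of PATCH 06/11, two of the added Markdown links are malformed. `**[Aggregate monitor](/docs/alerts/monitors/overview/#general)***` closes the bold with three asterisks, and the table header `[Plan]((/docs/alerts/monitors/overview/#metrics-monitors))` has doubled parentheses. PATCH 07/11 corrects the second, but the stray asterisk is not fixed in any later patch shown here. The two "Execution delay" items also link to different anchors (`#general` for log monitors, `#metrics-monitors` for metric monitors), so please check that each anchor is the section that actually states the delay.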
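Review bot: The only changed line in PATCH 09/11, the "Frequent and Infrequent data tiers" bullet, reads the same before and after, so this is a whitespace-only edit and the commit message should say that. The unchanged line just below it links to `/docs/search/get-started-with-search/build-search/search-templates.md`, the only link in this list that keeps a `.md` suffix on an absolute `/docs/` path. Align it with the other links while this block is being touched.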
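Review bot: In PATCH 10/11 the revised "Optimal size" bullet still ends in a fragment, "Ideally, with less than 5 TB data per day flowing into each.", and "each" has no explicit noun to refer to. Suggest "Ideally, each partition receives less than 5 TB of data per day." so the per-partition scope of the 5 TB figure is unambiguous.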
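Review bot: PATCH 11/11 fixes "sources" to "source" on one bullet but leaves the same kind of slip in the context lines around it: "Maximum number of collector per organization is 10,000." should read "collectors". Number formatting is also inconsistent in this list ("2000 lines" beside "1,000 sources" and "10,000"), as is unit spacing ("64KB", "512KB" here against "5 TB" in the Partitions section). Worth fixing in this same commit, since it is already a wording pass over the list.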