Skip to content

Estimate scan data #6085

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
JV0812 wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Estimate scan data #6085

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0c610c7
Estimate scan data
JV0812 Dec 4, 2025
6809d72
index page formatting
JV0812 Dec 5, 2025
9e2ac0f
card updated as per the feedback
JV0812 Dec 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion blog-service/2024/12-31.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -905,7 +905,7 @@ We are excited to announce a new set of changes to enhance the readability withi

#### Estimate Scan Data - Flex

We're excited to include the **Estimate scan** details for a query with pay-per-search data, which allows you to get insights into the amount of data scanned to run the query. Also, to help mitigate the cost, you can view the scan estimates while you create/modify monitors and scheduled searches. [Learn more](/docs/manage/partitions/flex/estimate-scan-data/).
We're excited to include the **Estimate scan** details for a query with pay-per-search data, which allows you to get insights into the amount of data scanned to run the query. Also, to help mitigate the cost, you can view the scan estimates while you create/modify monitors and scheduled searches. [Learn more](/docs/manage/partitions/estimate-scan-data/).

### March 20, 2024 (Search)

Expand Down
9 changes: 5 additions & 4 deletions cid-redirects.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1635,7 +1635,7 @@
"/cid/1004": "/docs/manage/ingestion-volume/collection-status-page",
"/cid/1005": "/docs/send-data/collection",
"/cid/1006": "/docs/manage/users-roles/users",
"/cid/10130": "/docs/manage/partitions/flex/estimate-scan-data",
"/cid/10130": "/docs/manage/partitions/estimate-scan-data",
"/cid/10131": "/docs/integrations/sumo-apps/flex",
"/cid/1007": "/docs/search/get-started-with-search/search-basics/built-in-metadata",
"/cid/1008": "/docs/search/search-query-language/search-operators/concat",
Expand Down Expand Up @@ -4549,8 +4549,8 @@
"/docs/manage/partitions/data-tiers/data-tiers-faqs": "/docs/manage/partitions/data-tiers/faq",
"/docs/manage/partitions-data-tiers/searching-data-tiers": "/docs/manage/partitions/data-tiers/searching-data-tiers",
"/docs/manage/partitions/data-tier/searching-data-tiers": "/docs/manage/partitions/data-tiers/searching-data-tiers",
"/docs/manage/partitions-data-tiers/flex-pricing/estimate-and-actual-scan-data": "/docs/manage/partitions/flex/estimate-scan-data",
"/docs/manage/partitions/flex/estimate-and-actual-scan-data": "/docs/manage/partitions/flex/estimate-scan-data",
"/docs/manage/partitions-data-tiers/flex-pricing/estimate-and-actual-scan-data": "/docs/manage/partitions/estimate-scan-data",
"/docs/manage/partitions/flex/estimate-and-actual-scan-data": "/docs/manage/partitions/estimate-scan-data",
"/docs/manage/partitions/flex/flex-pricing-faqs": "/docs/manage/partitions/flex/faq",
"/docs/manage/partitions/flex/flex-pricing-faq": "/docs/manage/partitions/flex/faq",
"/docs/platform-services/automation-service/app-central/integrations/exana-open-dns": "/docs/platform-services/automation-service/app-central/integrations",
Expand Down Expand Up @@ -4598,5 +4598,6 @@
"/docs/get-started/training-certification-faq-new": "/docs/get-started/training-certification-faq",
"/docs/manage/scheduled-views/pausing-inactive-scheduled-views": "/docs/manage/scheduled-views/pause-disable-scheduled-views",
"/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps-csiem-rules": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps",
"/docs/search/mobot-multiturn-beta": "/docs/search/mobot"
"/docs/search/mobot-multiturn-beta": "/docs/search/mobot",
"/docs/manage/partitions/flex/estimate-scan-data" : "/docs/manage/partitions/estimate-scan-data"
}
2 changes: 1 addition & 1 deletion docs/alerts/monitors/create-monitor.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -205,7 +205,7 @@ For example, if your monitor evaluates the last 1 hour, you can set a resolution
| `<time range - trigger>` | The duration of time to evaluate. Values range from 2 Minutes to 24 Hours (or 7 Days, by request only). |
| `<trigger - frequency>` | The frequency that the trigger is evaluated. |

After setting the frequency evaluation, you can preview your [estimated scan data](/docs/manage/partitions/flex/estimate-scan-data) by clicking the **Show Estimated Scan** icon, as seen below.
After setting the frequency evaluation, you can preview your [estimated scan data](/docs/manage/partitions/estimate-scan-data) by clicking the **Show Estimated Scan** icon, as seen below.

<img src={useBaseUrl('img/alerts/monitors/show-estimated-scan.png')} alt="Estimated Scan Data icon" style={{border: '1px solid gray'}} width="700"/>

Expand Down
2 changes: 1 addition & 1 deletion docs/alerts/monitors/settings.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ To reduce data usage and alert frequency, you can convert an existing outlier mo
Alternatively, you can do this from the **Scan Estimates** pop-up.<br/><img src={useBaseUrl('img/alerts/monitors/scan-estimates-anomaly.png')} alt="convert-to-anomaly from scan estimates" style={{border: '1px solid gray'}} width="600"/>

For more guidance on optimizing scan costs on Flex Pricing plans, see:
* [Scan estimates](/docs/manage/partitions/flex/estimate-scan-data)
* [Scan estimates](/docs/manage/partitions/estimate-scan-data)
* [Optimizing scan costs for monitors](/docs/alerts/monitors/monitor-faq/#how-can-i-optimize-scan-costs-for-monitors-when-using-flex-pricing)

## Monitor History
Expand Down
10 changes: 0 additions & 10 deletions docs/manage/partitions/data-tiers/searching-data-tiers.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,16 +73,6 @@ In addition, because `_dataTier` is a reserved name in Sumo Logic, you can’t a
* To query all tiers, use `_dataTier=All`.
* When you run a query that will return data from the Infrequent Tier, the best practice is to review the scan estimate after writing the query and before before running it. See the following section for more information.

### Estimated and actual scan data for Infrequent queries

When you enter a query that will run against the Infrequent Tier (`_dataTier=Infrequent` or `_dataTier=All`), Sumo Logic estimates and displays the amount of data in the Infrequent Tier that will be scanned in order to return the search results. You can view this detail by clicking the meter icon <img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/meter-icon.png')} alt="meter-icon" width="25" />. A popup appears that displays the estimated scan data for the chargeable tiers.

The example below shows the estimate of how much Infrequent data will be scanned for a query that uses `_dataTier=All` in the scope.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/CrossTier-Query-Start-Estimated-Scan.png')} alt="CrossTier-Query-Start-Estimated-Scan" style={{border:'1px solid gray'}} width="800" />

When you click on the session ID under the histogram, a popup with more detailed information appears. Here you can see the Infrequent data scanned for a query in the scope.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/scan-details.png')} alt="scan-details" style={{border:'1px solid gray'}} width="500" />

If there is no pay-per-search data scanned, a warning message will be displayed in the **Scan Estimates** popup.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/no-scan-data.png')} alt="scan-details" style={{border:'1px solid gray'}} width="350" />

### Cross-tier searches and role search filters

This section describes the combined result of cross-tier searches and a role search filter.
Expand Down
67 changes: 67 additions & 0 deletions docs/manage/partitions/estimate-scan-data.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
---
id: estimate-scan-data
title: Estimate Scan Data
sidebar_label: Estimate Scan Data
description: Learn about the estimate scan data for Datatier and Flex pricing modals.
Copy link
Collaborator

@kimsauce kimsauce Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description: Learn about the estimate scan data for Datatier and Flex pricing modals.
description: Learn about the estimate scan data for Data tier and Flex pricing modals.

Copy link
Collaborator

@kimsauce kimsauce Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be models?

Suggested change
description: Learn about the estimate scan data for Datatier and Flex pricing modals.
description: Learn about the estimate scan data for Datatier and Flex pricing models.

---
import useBaseUrl from '@docusaurus/useBaseUrl';

When you enter a query against Data Tier or Flex pricing, Sumo Logic will estimate and display the amount of data scanned in these to return the search results. This detail is vital. With Infrequent tier and Flex pricing, you're *charged* for the amount of data that's scanned to complete the query.

You can view this detail by clicking the meter icon <img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/meter-icon.png')} alt="meter-icon" width="25" />. A popup appears that displays the estimated scan data for Continuous, Frequent, Infrequent, and Flex.

The example below shows the estimate of how much Continuous, Frequent, and Infrequent data will be scanned for a query that uses `_dataTier=All` in the scope.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/CrossTier-Query-Start-Estimated-Scan.png')} alt="CrossTier-Query-Start-Estimated-Scan" style={{border:'1px solid gray'}} width="800" />

The example below shows the estimate of how much Flex data will be scanned for a query in the scope.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/estimated-scanned-data-flex.png')} alt="estimated-scanned-data" style={{border:'1px solid gray'}} width="800" />

The **Indexes Scanned** dropdown in the Scan Estimates pop-up displays all indexes that were scanned for the entered log query, along with their corresponding estimate details.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/indexes-scanned.png')} alt="indexes-scanned" style={{border:'1px solid gray'}} width="300" />

When you click on the session ID under the histogram, a popup with more detailed information appears. Here you can see the data scanned for a query in the scope.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/scan-details.png')} alt="scan-details" style={{border:'1px solid gray'}} width="500" />

If there is no data in the selected tier or Flex, a warning message will be displayed in the **Scan Estimates** popup.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/no-scan-data.png')} alt="scan-details" style={{border:'1px solid gray'}} width="300" />

## Dashboard scan estimates

When you enter a query to [create a dashboard](/docs/dashboards/create-dashboard-new/) panel, Sumo Logic will estimate and display the amount of data scanned. You can view the scan detail by clicking the meter icon <img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/meter-icon.png')} alt="meter-icon" width="25" />. A popup appears that displays the estimated scan data:

- For Data Tier mode:.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/scan-estimates-datatier-dashboard-creation.png')} alt="scan-estimates-dashboard-creation" style={{border:'1px solid gray'}} width="800" />
- For Flex model:<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/scan-estimates-flex-dashboard-creation.png')} alt="scan-estimates-dashboard-creation" style={{border:'1px solid gray'}} width="800" />

The **Indexes Scanned** dropdown in the Scan Estimates pop-up displays all indexes that were scanned for the entered dashboard query, along with their corresponding estimate details.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/indexes-scanned.png')} alt="indexes-scanned" style={{border:'1px solid gray'}} width="300" />

## Monitors

When [creating or modifying a monitor](/docs/alerts/monitors/create-monitor/#step-1-set-trigger-conditions), you can view the Average scan, Daily scan, and Yearly scan data information based on the selected alert frequency by clicking the meter icon <img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/meter-icon.png')} alt="meter-icon" width="25" /> on top of the **Monitor** right side panel. <br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/monitors_1.png')} alt="monitors_1" style={{border:'1px solid gray'}} width="450" />

In addition, you can also see the Model training scan details for the anomaly detection method.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/monitors_2.png')} alt="monitors_2" style={{border:'1px solid gray'}} width="450" />

:::note
You can view the scan estimates data once you select the trigger type.
:::

The **Show Optimization Tips** button displays contextual suggestions for your monitor settings. When clicked, it highlights both the query and trigger sections, displaying relevant optimization tips below each section. These tips are tailored based on whether you're configuring a static or outlier trigger.<br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/show-optimized-tips.png')} alt="show-optimized-tips" style={{border:'1px solid gray'}} width="450" />

## Scheduled searches

When [creating or modifying a scheduled search](/docs/alerts/scheduled-searches/schedule-search/), you can view the Average scan, Daily scan, and Yearly scanned data information based on the selected run frequency by clicking the meter icon <img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/meter-icon.png')} alt="meter-icon" width="25" /> on top of the **Schedule this search** popup. <br/><img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/scan-schedules-search.png')} alt="scan-schedules-search" style={{border:'1px solid gray'}} width="450" />

:::note
Daily scan data will not be available if scheduled search runs only on selected days and not daily.
:::

## Scan estimates in SLO

To view the Daily scan and Yearly scan data information based on a log-based SLO:

1. Go to the **Monitoring** and click the **SLO** tab.
1. Hover over your SLO, click the three-dot kebab menu, and then click **Edit**.
1. Click the meter icon <img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/meter-icon.png')} alt="meter-icon" width="25" /> in the upper right corner.

- For **Request-based SLOs**, data is scanned once per minute and stored in SLO storage. Any late-arriving data is accounted for in a corrective fashion and appended to the SLO storage.
- For **Window-based SLOs**, data is scanned multiple times per minute. Due to technical reasons, late-arriving data cannot be accounted for, unlike request-based SLOs. Because of this, the SLO results are stored in SLO storage with some delay (typically 1 hour). To display up-to-date SLI values across our various SLO dashboards, we need to scan the last 1 hour of data multiple times.

<img src={useBaseUrl('/img/manage/partitions-data-tiers/flex-pricing/scan-estimates-slo.png')} alt="scan-estimates-slo" style={{border:'1px solid gray'}} width="600" />

## Best practices

- Use the `_index` field to reduce the scope of the query.
70 changes: 0 additions & 70 deletions docs/manage/partitions/flex/estimate-scan-data.md
View file
Open in desktop

This file was deleted.

Loading