A small Go CLI for querying Sumo Logic logs.
```sh
go install code.selman.me/sumocli@latest
```
Credentials resolve in this order, first non-empty wins:
- flags (`--access-id`, `--access-key`, `--endpoint`)
- env (`SUMO_ACCESS_ID`, `SUMO_ACCESS_KEY`, `SUMO_ENDPOINT`)
- `~/.config/sumocli/config.toml` (or `$XDG_CONFIG_HOME/sumocli/config.toml`)
```toml
# ~/.config/sumocli/config.toml
access-id = "suxxxxxxxx"
access-key = "yyyyyyyyyyyyyyyy"
endpoint = "https://api.eu.sumologic.com/api"
```

Endpoints per deployment: Sumo Logic endpoints by deployment and firewall security | Sumo Logic Docs
```sh
# raw logs, ndjson on stdout
sumocli query '_sourceCategory=prod/api error' --from=-1h --limit=500

# aggregation, mode=auto picks records when recordCount > 0
sumocli query '_sourceCategory=prod/api | count by _sourceHost' --from=-15m

# force a mode
sumocli query 'error' --mode=messages --limit=100

# TSV with header
sumocli query '... | count by _sourceHost' -o tsv

# pipe into jq
sumocli query 'error' --from=-5m | jq -r '._raw'
```

| Flag | Default | Notes |
|---|---|---|
| `--from` | `-15m` | `now`, relative (`-15m`, `-1h30m`, `-7d`, `-1w`), or RFC3339 |
| `--to` | `now` | same formats |
| `--limit` | `1000` | 0 = no limit (API cap is 100k) |
| `--mode` | `auto` | `auto` \| `messages` \| `records` |
| `--output` / `-o` | `ndjson` | `ndjson` \| `tsv` |
| `--poll-interval` | `1s` | initial poll interval; backs off to 5s |
| `--by-receipt-time` | `false` | search by receipt time instead of message time |
| `--no-header` | `false` | omit TSV header row |
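
The `--from`/`--to` formats listed in the table, resolved in an added Go example (not sumocli's own code). `ParseBound` and `Window` are hypothetical names, and the example assumes a relative value is an offset back from now and that both bounds are measured from the same instant, so an inverted window is rejected before a search is submitted.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

var relRe = regexp.MustCompile(`^-(\d{1,4}[wdhms])+$`) // whole value, e.g. -1h30m
var termRe = regexp.MustCompile(`(\d{1,4})([wdhms])`)  // one <number><unit> term
var units = map[string]time.Duration{"s": time.Second, "m": time.Minute,
	"h": time.Hour, "d": 24 * time.Hour, "w": 7 * 24 * time.Hour}

// ParseBound resolves one --from/--to value against now; time.ParseDuration lacks d and w.
func ParseBound(s string, now time.Time) (time.Time, error) {
	if s == "now" {
		return now, nil
	}
	if relRe.MatchString(s) {
		var back time.Duration
		for _, m := range termRe.FindAllStringSubmatch(s, -1) {
			n, _ := strconv.Atoi(m[1]) // cannot fail: the regex allows 1-4 digits only
			back += time.Duration(n) * units[m[2]]
			if back < 0 { // int64 wrap-around from many large terms
				return time.Time{}, fmt.Errorf("offset %q overflows", s)
			}
		}
		return now.Add(-back), nil
	}
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		return time.Time{}, fmt.Errorf("bad time %q: want now, -15m style, or RFC3339", s)
	}
	return t, nil
}

// Window resolves both bounds against the same instant and rejects empty or inverted ranges.
func Window(from, to string, now time.Time) (start, end time.Time, err error) {
	if start, err = ParseBound(from, now); err == nil {
		end, err = ParseBound(to, now)
	}
	if err == nil && !start.Before(end) {
		err = fmt.Errorf("empty window: %s is not before %s", from, to)
	}
	return
}

func main() { fmt.Println(Window("-1h30m", "now", time.Now().UTC())) }
```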