Deduplicated error/warning digest for a scope
sumo_error_digest
Triage incidents by scanning Sumo Logic logs for ERROR/WARNING messages, grouping them by normalized signature, and returning the top-N distinct problems with occurrence counts and sample request IDs.
Instructions
One-call triage: finds ERROR/WARNING messages in scope (the set of levels is configurable via levels), groups them by normalized signature (timestamps, UUIDs, hex runs and numbers are stripped before comparison, so two messages that differ only in such values land in the same group), and returns the top-N distinct problems, each with its count, first and last occurrence, a sample request_id for cross-referencing, and its _sourcecategory. The level filter uses log.levelname parsed from _raw, which is reliable; it never uses the _loglevel metadata field. Time range: supply exactly ONE of last (a relative window ending now, e.g. "15m" or "2h"; units s/m/h/d) OR both from and to (ISO-8601 such as 2026-07-02T18:28:00, or epoch milliseconds).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| to | No | End time: ISO-8601 or epoch ms. Requires `from`. | |
| from | No | Start time: ISO-8601 or epoch ms. Requires `to`. | |
| last | No | Relative window ending now, e.g. "15m", "2h", "1d". Mutually exclusive with from/to. | |
| limit | No | Top-N signatures to return. | 20 |
| query | No | Base scope query. Scope by _sourcecategory, NOT by a hostname keyword: error and exception messages carry no hostname and would be silently excluded. The level filter is appended automatically, so do not add `\|` operators. | _sourcecategory=<SUMO_DEFAULT_SOURCE_CATEGORY — not set> |
| levels | No | Levels to include. | ["ERROR","WARNING"] |
| maxScan | No | Max messages to scan for grouping (cap 100,000). When the scan is truncated, counts cover only the scanned prefix. | 5000 |
| timeZone | No | IANA timezone used when parsing query times. | UTC |
| byReceiptTime | No | Search by receipt time instead of message time; recommended true for very recent windows, because of ingestion lag. | |
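The grouping, level-parsing and time-window rules above are easy to get subtly wrong (a signature that still contains a request ID never groups; a window with both `last` and `from` is ambiguous). The following Python is an added illustration written for this page, not the tool's own implementation: it assumes each record is a dict carrying the Sumo Logic fields `_raw`, `_messagetime` (epoch ms) and `_sourcecategory`, and the sample records are constructed, not real output. The `validate_scope`, `resolve_window` and `error_digest` names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Normalizers run in this order so a UUID is swallowed whole before the narrower
# hex and digit patterns can chew on its pieces. An all-digit run of 8+ characters
# also collapses to <HEX>; that is harmless for grouping.
_NORMALIZERS = [
    (re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?"), "<TS>"),
    (re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I), "<UUID>"),
    (re.compile(r"\b(?:0x)?[0-9a-f]{8,}\b", re.I), "<HEX>"),
    (re.compile(r"\d+"), "<N>"),  # bare digit runs anywhere, so "1532ms" and "30s" group too
]
_LEVEL_RE = re.compile(r"\b(TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|CRITICAL|FATAL)\b")
_REQ_RE = re.compile(r"request_id=([\w-]+)")
_LAST_RE = re.compile(r"^(\d+)([smhd])$")
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def normalize_signature(raw: str) -> str:
    sig = raw
    for pattern, token in _NORMALIZERS:
        sig = pattern.sub(token, sig)
    return re.sub(r"\s+", " ", sig).strip()


def level_from_raw(raw: str) -> Optional[str]:
    """Level comes from the message text itself, never from a metadata field."""
    m = _LEVEL_RE.search(raw)
    if m is None:
        return None
    level = m.group(1).upper()
    return "WARNING" if level == "WARN" else level


def _parse_ts(value) -> datetime:
    if isinstance(value, (int, float)) or (isinstance(value, str) and value.isdigit()):
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)  # epoch ms
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def resolve_window(last=None, from_=None, to=None, now=None):
    """Exactly one of `last` or (`from_` and `to`); returns (start, end), both UTC-aware."""
    now = now or datetime.now(timezone.utc)
    if last is not None and (from_ is not None or to is not None):
        raise ValueError("use either last or from/to, not both")
    if last is not None:
        m = _LAST_RE.match(last)
        if m is None:
            raise ValueError(f"bad relative window {last!r}; expected e.g. 15m, 2h, 1d")
        return now - timedelta(**{_UNITS[m.group(2)]: int(m.group(1))}), now
    if from_ is None or to is None:
        raise ValueError("from and to must both be given")
    start, end = _parse_ts(from_), _parse_ts(to)
    if start >= end:
        raise ValueError("from must be earlier than to")
    return start, end


def validate_scope(query: str) -> None:
    """The level filter is appended by the caller, so the scope must be a bare search."""
    if "|" in query:
        raise ValueError("scope query must not contain | operators")


def error_digest(records, levels=("ERROR", "WARNING"), limit=20, max_scan=5000):
    wanted = {lv.upper() for lv in levels}
    groups, scanned, truncated = {}, 0, False
    for rec in records:
        if scanned >= max_scan:
            truncated = True  # counts below cover only the scanned prefix
            break
        scanned += 1
        if level_from_raw(rec["_raw"]) not in wanted:
            continue
        sig, ts = normalize_signature(rec["_raw"]), rec["_messagetime"]
        g = groups.get(sig)
        if g is None:
            req = _REQ_RE.search(rec["_raw"])
            groups[sig] = {"signature": sig, "count": 1, "first_seen": ts, "last_seen": ts,
                           "sample_request_id": req.group(1) if req else None,
                           "_sourcecategory": rec["_sourcecategory"]}
        else:
            g["count"] += 1
            g["first_seen"], g["last_seen"] = min(g["first_seen"], ts), max(g["last_seen"], ts)
    top = sorted(groups.values(), key=lambda g: (-g["count"], g["first_seen"]))[:limit]
    return {"scanned": scanned, "truncated": truncated, "problems": top}


# Constructed sample records (not real Sumo Logic output). The third one carries a
# deliberately wrong _loglevel to show that only _raw decides the level.
SAMPLE_RECORDS = [
    {"_messagetime": 1720000000000, "_sourcecategory": "prod/api",
     "_raw": "2024-07-03T10:26:40Z ERROR payment failed for order 48213 request_id=a1b2c3d4 trace=9f8e7d6c5b4a3f2e"},
    {"_messagetime": 1720000005000, "_sourcecategory": "prod/api",
     "_raw": "2024-07-03T10:26:45Z ERROR payment failed for order 48977 request_id=d4e5f6a7 trace=0011223344556677"},
    {"_messagetime": 1720000010000, "_sourcecategory": "prod/api", "_loglevel": "INFO",
     "_raw": "2024-07-03T10:26:50Z WARN slow query 1532ms on shard 3 request_id=77aa88bb"},
    {"_messagetime": 1720000015000, "_sourcecategory": "prod/api",
     "_raw": "2024-07-03T10:26:55Z INFO request completed request_id=99bb00cc"},
    {"_messagetime": 1720000020000, "_sourcecategory": "prod/worker",
     "_raw": "2024-07-03T10:27:00Z ERROR job 123e4567-e89b-12d3-a456-426614174000 timed out after 30s"},
]

if __name__ == "__main__":
    validate_scope("_sourcecategory=prod/api")
    for p in error_digest(SAMPLE_RECORDS, limit=3)["problems"]:
        print(p["count"], p["signature"], p["sample_request_id"])
```

The two payment failures collapse into one signature because their order numbers, request IDs and trace IDs are all normalized away, while the request ID of the first occurrence is kept as the sample for cross-referencing. Run with `max_scan=2` the digest reports `truncated: True` and its counts reflect only the first two records, which is exactly the caveat attached to `maxScan`.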