SumoLogic · Apoorvkudesia-sumologic · Apr 27, 2026 · Apr 27, 2026 · May 18, 2026 · May 19, 2026
@@ -1,6 +1,7 @@
 ---
 id: api-gateway
 title: AWS API Gateway
+sidebar_label: AWS API Gateway
 description: Amazon API Gateway service allows you to create RESTful APIs, HTTP APIs, and WebSocket APIs for real-time two-way communication applications in containerized and serverless environments, as well as web applications.
 ---
 
@@ -161,86 +162,17 @@ account=dev region=us-east-1 namespace=aws/apigateway apiname=* apiid stage doma
 
 ## Collecting logs and metrics for AWS API Gateway
 
-### Fields in field schema
+### Field Extraction Rule(s)
 
-1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**. <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. 
-1. Search for the below fields:
-    * `apiname`
-    * `account`
-    * `namespace`
-    * `region`
-    * `accountid`
-1. If not present, create it. To learn how to create and manage fields, see [Fields](/docs/manage/fields.md#manage-fields).
+The FER **AwsObservabilityApiGatewayCloudTrailLogsFER** to extract fields `region`, `namespace`, `apiname`, and `accountid` from CloudTrail logs will be created as a part of app installation.
 
-### Field extraction rules
+The FER **AwsObservabilityApiGatewayAccessLogsFER** to extract fields `apiname`, `namespace`, and `apiid` from access logs will be created as a part of app installation.
 
-To learn how to create field extraction rules, [Create a Field Extraction Rules](/docs/manage/field-extractions/create-field-extraction-rule).
+The FER **AwsObservabilityApiGatewayCloudWatchLogsFER** to extract fields `namespace`, `apiid`, and `apiname` from CloudWatch logs will be created as a part of app installation.
 
-Create a field extraction rule for cloudTrail logs:
+### Metric Rule(s)
 
-```sumo
-Rule Name: AwsObservabilityApiGatewayCloudTrailLogsFER
-Applied at: Ingest Time
-Scope (Specific Data):
-account=* eventname eventsource "apigateway.amazonaws.com"
-Parse Expression:
-| json "eventSource", "awsRegion", "responseElements", "recipientAccountId" as eventSource, region, responseElements, accountid nodrop
-| where eventSource = "apigateway.amazonaws.com"
-| "aws/apigateway" as namespace
-| json field=responseElements "name" as ApiName nodrop
-| tolowercase(ApiName) as apiname
-| fields region, namespace, apiname, accountid
-```
-
-Create a field extraction rule for access logs:
-
-```sumo
-Rule Name: AwsObservabilityApiGatewayAccessLogsFER
-Applied at: Ingest Time
-Scope (Specific Data):
-account=* region=* apiId domainName stage requestId status
-Parse Expression:
-json "apiId", "domainName", "stage" as apiId, domainName, stage
-| "aws/apigateway" as namespace
-| apiId as apiName
-| fields apiName, namespace, apiId
-```
-
-Create/Update field extraction rule(s) for cloudwatch logs:
-
-```sumo
-Rule Name: AwsObservabilityGenericCloudWatchLogsFER
-Applied at: Ingest Time
-Scope (Specific Data):
-account=* region=* (_sourceHost=/aws/* or _sourceHost=API*Gateway*Execution*Logs*)
-Parse Expression:
-if (isEmpty(namespace),"unknown",namespace) as namespace
-| if (_sourceHost matches "/aws/lambda/*", "aws/lambda", namespace) as namespace
-| if (_sourceHost matches "/aws/rds/*", "aws/rds", namespace) as namespace
-| if (_sourceHost matches "/aws/ecs/containerinsights/*", "aws/ecs", namespace) as namespace
-| if (_sourceHost matches "/aws/kinesisfirehose/*", "aws/firehose", namespace) as namespace
-| if (_sourceHost matches "/aws/apigateway/*", "aws/apigateway", namespace) as namespace
-| if (_sourceHost matches "API-Gateway-Execution-Logs*", "aws/apigateway", namespace) as namespace
-| parse field=_sourceHost "/aws/lambda/*" as functionname nodrop | tolowercase(functionname) as functionname
-| parse field=_sourceHost "/aws/rds/*/*/" as f1, dbidentifier nodrop
-| parse field=_sourceHost "/aws/apigateway/*/*" as apiid, stage nodrop
-| parse field=_sourceHost "API-Gateway-Execution-Logs_*/*" as apiid, stage nodrop
-| apiid as apiName
-| tolowercase(dbidentifier) as dbidentifier
-| fields namespace, functionname, dbidentifier, apiid, apiName
-```
-
-### Metrics rules
-
-Create the following metrics rule for the AWS API Gateway app, if not already created. To learn how to create a metrics rule, see [Metrics Rules Editor](/docs/metrics/metric-rules-editor#create-a-metrics-rule).
-
-```sql
-Rule name: AwsObservabilityApiGatewayApiNameMetricsEntityRule
-Metric match expression: Namespace=AWS/ApiGateway apiid=*
-Variable name: apiname
-Tag sequence: $apiid._1
-Save it
-```
+The Metric Rule **AwsObservabilityApiGatewayApiNameMetricsEntityRule** for the AWS/ApiGateway namespace will be created as a part of app installation.
 
 ### Configure Hosted Collector
 
@@ -565,10 +497,19 @@ Enter a parse expression to create an `account` field that maps to the alias you
 
 Now that you have set up a collection for the **AWS API gateway**, install the Sumo Logic app to use the pre-configured dashboards that provide visibility into your environment for real-time analysis of overall usage.
 
-import AppInstall from '../../reuse/apps/app-install.md';
+import AppInstall from '../../reuse/apps/app-install-v2.md';
 
 <AppInstall/>
 
+As part of the app installation process, the following fields will be created by default:
+
+- `account` Name / alias to the AWS account.
+- `accountid` AWS account id.
+- `region` The region to which the resource name belongs to.
+- `namespace` Namespace for AWS API Gateway Service is AWS/ApiGateway.
+- `apiname` API Gateway API name.
+- `apiid` API Gateway API id.
+
 ## Viewing AWS API Gateway dashboards
 
 import FilterDashboards from '../../reuse/filter-dashboards.md';
@@ -715,3 +656,35 @@ Use these dashboards to:
 #### AWS API Gateway - Enhanced Monitoring (WebSocket API)
 
 <img src='https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/AWS-API-Gateway/7.-AWS-API-Gateway-Enhanced-Monitoring-WebSocket-API.png' alt="Enhanced Monitoring (WebSocket API)" />
+
+## Create monitors for AWS API Gateway app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### AWS API Gateway alerts
+
+| Name | Description | Alert Condition | Recover Condition |
+|:-----|:------------|:----------------|:--|
+| `AWS API Gateway - High Server-Side Errors` | This alert fires where there are too many API requests (>5%) with server-side errors within 5 minutes. | Count > = 0.05 | Count < 0.05 |
+| `AWS API Gateway - High Client-Side Errors` | This alert fires where there are too many API requests (>5%) with client-side errors within 5 minutes. | Count > = 0.05 | Count < 0.05 |
+| `AWS API Gateway - High Integration Latency` | This alert fires when we detect the high integration latency for the API requests in a stage within 5 minutes. | Count > = 2000 | Count < 2000 |
+| `AWS API Gateway - High Latency` | This alert fires when we detect the high latency in a stage within 5 minutes for REST and HTTP API. | Count > = 2500 | Count < 2500 |
+| `AWS API Gateway - Low Traffic API` | This alert fires when there is low message traffic volume for the API within 5 minutes. | Count < = 1 | Count > 1 |
+| `AWS API Gateway - High Authorizer Errors` | This alert fires when there are too many API requests (>5%) with authorizer errors within 5 minutes. | Count > 5 | Count < = 5 |
+| `AWS API Gateway - High Integration Errors` | This alert fires when there are too many API requests (>5%) with integration errors within 5 minutes. | Count > 5 | Count < = 5 |
+| `AWS API Gateway - High WAF Errors` | This alert fires when there are too many API requests (>5%) with WAF errors within 5 minutes. | Count > 5 | Count < = 5 |
+| `AWS API Gateway - High WAF Latency` | This alert fires when we detect the high WAF latency for the REST and WebSocket API requests in a stage within 5 minutes. | Count > 1000 | Count < = 1000 |
+
+## Upgrade/Downgrade the AWS API Gateway app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+<AppUpdate/>
+
+## Uninstalling the AWS API Gateway app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+<AppUninstall/>
@@ -1,6 +1,7 @@
 ---
 id: application-load-balancer
 title: AWS Application Load Balancer
+sidebar_label: AWS Application Load Balancer
 description: The Sumo Logic app for AWS Elastic Load Balancing ULM - Application is a unified logs and metrics (ULM) app that gives you visibility into the health of your Application Load Balancer and target groups.
 ---
 
@@ -109,60 +110,32 @@ Before you begin to use the AWS Elastic Load Balancing (ELB) Application app, co
 Namespace for AWS Application Load Balancer Service is AWS/ApplicationELB.
 :::
 
-## Field in field schema
-
-1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**. <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. 
-1. Search for the `loadbalancer` field.
-1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields.md#manage-fields).
-
 ## Field Extraction Rule(s)
 
-Create Field Extraction Rule (FER) for AWS Application Load Balancer access logs and Cloudtrail logs. Learn how to create a Field Extraction Rule [here](/docs/manage/field-extractions/create-field-extraction-rule).
-
-**AWS Application Load Balancer access logs**
-
-```sql
-Rule Name: AwsObservabilityAlbAccessLogsFER
-Applied at: Ingest Time
-Scope (Specific Data): account=* region=* (http or https or h2 or grpcs or ws or wss)
-```
-
-```sumo title="Parse Expression"
-parse "* * * * * * * * * * * * \"*\" \"*\" * * * \"*\"" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId | tolowercase(loadbalancer) as loadbalancer | fields loadbalancer
-```
+The FER **AwsObservabilityAlbAccessLogFER** to extract the `loadbalancer` field from access logs will be created as a part of app installation.
 
-**AWS Application Load Balancer CloudTrail logs**
-
-```sql
-Rule Name: AwsObservabilityALBCloudTrailLogsFER
-Applied at: Ingest Time
-Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.amazonaws.com" "2015-12-01"
-```
-
-```sumo title="Parse Expression"
-json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop
-| where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01" 
-| "" as namespace 
-| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, loadbalancer1, f1 nodrop
-| parse field=listenerarn ":listener/*/*/*/*" as balancertype2, loadbalancer2, f1, f2 nodrop
-| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace 
-| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace
-| where namespace="aws/applicationelb" or isEmpty(namespace) 
-| if (!isEmpty(loadbalancer), loadbalancer, if (!isEmpty(loadbalancer1), loadbalancer1, loadbalancer2)) as loadbalancer
-| toLowerCase(loadbalancer) as loadbalancer 
-| fields region, namespace, loadbalancer, accountid
-```
+The FER **AwsObservabilityALBCloudTrailLogFER** to extract fields `region`, `namespace`, `loadbalancer`, and `accountid` from CloudTrail logs will be created as a part of app installation.
 
 ## Installing the AWS Application Load Balancer app
 
 Now that you have set up collection for AWS Application Load Balancer, install the Sumo Logic App to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage.
 
-import AppInstallNoDataSourceV2 from '../../reuse/apps/app-install-index-apps-v2.md';
+import AppInstall from '../../reuse/apps/app-install-index-apps-v2.md';
+
+<AppInstall/>
+
+As part of the app installation process, the following fields will be created by default:
 
-<AppInstallNoDataSourceV2/>
+- `account` Name / alias to the AWS account.
+- `accountid` AWS account id.
+- `region` The region to which the resource name belongs to.
+- `namespace` Namespace for AWS Application Load Balancer Service is AWS/ApplicationELB.
+- `loadbalancer` Application Load Balancer name.
 
 ## Viewing AWS Application Load Balancer dashboards
 
+We highly recommend you view these dashboards in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability) of the AWS Observability solution.
+
 ### Overview
 
 The **AWS Application Load Balancer - Overview** dashboard provides visibility into the health of your Application Load Balancer and target groups, with at-a-glance views of latency, request and host status, requests from malicious sources, and HTTP backend codes.
@@ -255,3 +228,33 @@ Use this dashboard to:
 * Identify the most common error types and the users experiencing the highest failure rates, facilitating targeted improvements and user support.
 
 <img src={useBaseUrl('img/integrations/amazon-aws/AWS-Application-Load-Balancer-CloudTrail-Audit.png')} alt="AWS Application Load Balancer dashboard" style={{border: '1px solid gray'}} width="800"/>
+
+## Create monitors for AWS Application Load Balancer app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### AWS Application Load Balancer alerts
+
+| Name                                                                  | Description                                                                                                                                                          | Alert Condition   | Recover Condition |
+|:----------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------|:--|
+| `AWS Application Load Balancer - Access from Highly Malicious Sources` | This alert fires when an application load balancer is accessed from highly malicious IP addresses within last 5 minutes.                                             | Count > 0         | Count < = 0       |
+| `AWS Application Load Balancer - Deletion Alert`                       | This alert fires when an application load balancer is deleted within last 5 minutes.                                                                                 | Count > = 2       | Count < 2         |
+| `AWS Application Load Balancer - High 4XX Errors`                      | This alert fires when there are too many HTTP requests (>5%) with a response status of 4xx within an interval of 5 minutes.                                         | Count > = 5       | Count < 5         |
+| `AWS Application Load Balancer - High 5XX Errors`                      | This alert fires when there are too many HTTP requests (>5%) with a response status of 5xx within an interval of 5 minutes.                                         | Count > = 5       | Count < 5         |
+| `AWS Application Load Balancer - High Latency`                         | This alert fires when we detect that the average latency for a given application load balancer within a time interval of 5 minutes is greater than or equal to three seconds. | Count > = 3000    | Count < 3000      |
+| `AWS Application Load Balancer - Targets Deregistered`                 | This alert fires when targets are deregistered from an application load balancer within last 5 minutes.                                                              | Count > = 1       | Count < 1         |
+| `AWS Application Load Balancer - High Unhealthy Host Count`            | This alert fires when we detect that the number of unhealthy hosts for a given Application load balancer within a time interval of 5 minutes is greater than or equal to one. | Count > = 1       | Count < 1         |
+
+## Upgrade/Downgrade the AWS Application Load Balancer app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+<AppUpdate/>
+
+## Uninstalling the AWS Application Load Balancer app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+<AppUninstall/>