Documentationbreadcrumb arrow Pluginsbreadcrumb arrow Sumo Logicbreadcrumb arrow Annotations
Grafana Cloud Enterprise
Last reviewed: March 17, 2026

Sumo Logic annotations

Annotations overlay event markers on time-series panels, helping you correlate changes or incidents with metric behavior. You can use any Sumo Logic query as an annotation source – each result becomes a marker on the panel at its corresponding timestamp.

For general information about annotations in Grafana, refer to Annotate visualizations.

Before you begin

Create an annotation query

The annotation query editor is the same as the standard Sumo Logic query editor, so you can use either Metrics or Logs queries. Logs queries are the most common choice for annotations because log events naturally represent discrete points in time.

To add a Sumo Logic annotation query to a dashboard:

  1. Open a dashboard and click Dashboard settings (gear icon).
  2. Select Annotations in the left-side menu.
  3. Click Add annotation query.
  4. Enter a name for the annotation.
  5. Select the Sumo Logic data source.
  6. Choose the query type (Metrics or Logs) and enter a query that returns the events you want to annotate.
  7. Configure the field mappings to control which fields are used for the annotation text, tags, and time.
  8. Set the annotation color and other display options as needed.
  9. Click Save dashboard.

Annotation queries run against the dashboard time range and display matching results as vertical lines on time-series panels.

Annotation query examples

The following examples use logs queries, which are the most common annotation use case.

Mark deployment events:

SQL 
_sourceCategory=prod/deployments

Annotate error spikes from a specific service:

SQL 
_sourceCategory=prod/app "ERROR" | count by _messageTime

Mark configuration changes from audit logs:

SQL 
_sourceCategory=audit/config action=update

Annotate scaling events:

SQL 
_sourceCategory=infrastructure "autoscaling" ("ScaleUp" OR "ScaleDown")

Mark alert state changes from Sumo Logic monitors:

SQL 
_sourceCategory=alerts eventName="AlertSystemInfo" | parse "currentState\":\"*\"" as state | where state != "Normal"

Annotate user login failures for security monitoring:

SQL 
_sourceCategory=auth action=login status=failure | count by _sourceHost