If search queries are not returning logs in your search results, the first troubleshooting step is to check for timestamp issues. Next, check for missing time zone info in your log messages.
Timestamp issues
Check the following areas to troubleshoot timestamp issues.
The clock on a system running a Collector may be running fast.
Because messages are timestamped using the clock of the computer that produced them, search results are affected if that clock is running fast. For example, suppose an Apache server's clock is set 5 minutes in the future and you run a search with a time range of 15 minutes. When the query starts, the time range is calculated as -15m to now, where "now" is your browser's current time. Because the Apache logs are stamped 5 minutes in the future, they fall outside that range and are not included in the search results, since the search matches on the actual message time.
It's a good idea to check the Manage > Status tab of the Sumo Logic Web Application. Data displayed on the Status tab is based on the time that messages are received by Sumo Logic, not on the time parsed from the logs.
Another test is to search for data with the Use Receipt Time checkbox enabled. This runs the search on the time the log data was ingested into Sumo Logic (also captured in the metadata as receipt time) rather than on the message time that Sumo Logic parses from the log message. This search shows the receipt time and message time in adjacent columns.
Log timestamp parsing issues.
The clock on the computer used to access Sumo Logic is running slow.
If the clock on your local computer is set slow (in the past), this will also affect search results. A good way to avoid this is to use Network Time Protocol (NTP) on all systems.
Time zone issues
Another common reason logs don't show up in searches is time zone information missing from your logs. If Sumo Logic cannot determine a time zone, and no default time zone is configured at the Collector or Source level, UTC is assumed. A time zone mismatch can cause your data to appear within a different time range than expected.
To check for a time zone mismatch, the first troubleshooting step is to run your query with the "Use Receipt Time" option selected. This option shows you both the time Sumo Logic received the message and the time Sumo Logic parsed from the log. Comparing these values to the actual timestamp found in the raw messages can usually help identify a time zone related issue. Note that the times displayed by the search are relative to your browser's default time zone or the time zone set in your user preferences.
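The two failure modes above (a source clock running ahead of the browser's "now", and a log line with no zone information being read as UTC) can be reproduced offline. The following script is an added example and is not Sumo Logic code; it parses Apache-style timestamps with a configurable default zone, checks whether a message falls inside a relative search window, and compares receipt time with parsed message time the way the Use Receipt Time view lets you do by eye. The sample log lines, the browser "now", the receipt time and the -05:00 source zone are all constructed values.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed: the zone the second source actually logs in (UTC-5). The log
# line itself does not state it; a Collector/Source default zone would supply it.
SOURCE_LOCAL_TZ = timezone(timedelta(hours=-5))

# Constructed sample lines in Apache access-log style. The first carries an
# explicit offset; the second has none, the usual cause of a zone mismatch.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Mar/2024:14:05:00 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Mar/2024:09:05:00] "GET /health HTTP/1.1" 200 12',
]

# Constructed: the browser's "now" when the search runs, and the time both
# lines were received (the first source's clock is 5 minutes ahead of the browser).
BROWSER_NOW = datetime(2024, 3, 12, 14, 0, 0, tzinfo=UTC)
RECEIPT_TIME = datetime(2024, 3, 12, 14, 5, 0, tzinfo=UTC)


def parse_apache_time(line, default_tz=UTC):
    """Pull the bracketed timestamp out of an access-log line.
    A zone offset in the line wins; otherwise default_tz is assumed, mirroring
    the fallback to UTC when neither the log nor the Collector/Source gives one."""
    start = line.index("[") + 1
    end = line.index("]", start)
    raw = line[start:end]
    for fmt in ("%d/%b/%Y:%H:%M:%S %z", "%d/%b/%Y:%H:%M:%S"):
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=default_tz)
        return parsed
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def in_search_window(message_time, now, window):
    """A relative search covers [now - window, now]; a message stamped after
    'now' is outside it even though it has just been ingested."""
    return now - window <= message_time <= now


def offset_minutes(receipt_time, message_time):
    """Receipt time minus parsed message time, in minutes
    (positive means the parsed message time is behind receipt)."""
    return (receipt_time - message_time).total_seconds() / 60


def looks_like_tz_mismatch(receipt_time, message_time, tolerance_minutes=5):
    """An offset near a multiple of 30 minutes (at least one) points at a missing
    or wrong time zone; a clock a few minutes fast or slow does not trip this."""
    off = abs(offset_minutes(receipt_time, message_time))
    nearest = round(off / 30) * 30
    return nearest >= 30 and abs(off - nearest) <= tolerance_minutes


def diagnose(line, default_tz=UTC, now=BROWSER_NOW,
             receipt_time=RECEIPT_TIME, window_minutes=15):
    """Run the checks above on one log line and report the findings."""
    msg_time = parse_apache_time(line, default_tz)
    return {
        "message_time_utc": msg_time.astimezone(UTC).isoformat(),
        "in_window": in_search_window(msg_time, now, timedelta(minutes=window_minutes)),
        "offset_minutes": offset_minutes(receipt_time, msg_time),
        "tz_mismatch": looks_like_tz_mismatch(receipt_time, msg_time),
    }


if __name__ == "__main__":
    for log_line in SAMPLE_LOGS:
        print(diagnose(log_line))
    # Same line again, this time with the source's real zone as the default.
    print(diagnose(SAMPLE_LOGS[1], default_tz=SOURCE_LOCAL_TZ))
```

The first line is excluded from a 15-minute search purely because its clock is 5 minutes ahead of the browser; the receipt-to-message offset is zero, so the cause is clock drift, not a zone problem. The second line is read as 09:05 UTC and lands a whole 5 hours behind its receipt time, which the 30-minute-multiple check flags as a zone mismatch; supplying the source's real zone as the default makes that offset disappear.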