When creating sources with unknown timestamps and timezones, it is often helpful for troubleshooting to know the difference between the time the service received the message and the actual message time within the log file. The following simple query compares the message time to receipt time, which allows you to immediately see if your messages are coming in late, if Sumo Logic is not properly parsing the timezone from the logs, or if the default timezone is improperly set.
* | formatDate(fromMillis(_receipttime), "MM/dd/yyyy HH:mm:ss:SSS") as receipt
You can further expand this query to give you the difference in minutes between the two times, aggregated by Collector and Source, to quickly determine which sources may need a configuration update or further review. Only run the following query for the most recent 15-minute time range: since it scans all log data you have submitted, it will take some time to complete.
* | formatDate(fromMillis(_receipttime), "MM/dd/yyyy HH:mm:ss:SSS") as receipt
| _receiptTime - _messageTime as delay
| delay / 60000 as delayInMinutes
| toInt(delayInMinutes) as delayInMinutes
| avg(delayInMinutes) as avgDelayInMinutes, min(delayInMinutes) as minDelayInMinutes, max(delayInMinutes) as maxDelayInMinutes by _collector, _source, _sourceName
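The following Python script is an added example, not part of the original article or of Sumo Logic's own tooling. It reproduces the arithmetic of the query above (receipt time minus message time, converted to whole minutes, then avg/min/max by Collector, Source and Source Name) over a handful of constructed log records so the numbers can be checked offline, adds the per-group log count the comment below asks for, and goes one step further with a simple heuristic for the timezone problem the article describes: an average delay that is negative, or that sits within a few minutes of a whole number of hours, is more likely a timezone offset than transport latency. The records, field names other than the Sumo Logic metadata fields, the truncation behaviour assumed for toInt(), and the heuristic threshold are all assumptions of this example.

```python
"""Added example (not from the original article): receipt-vs-message delay
aggregation in Python over constructed log records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

MINUTE_MS = 60_000
HOUR_MS = 60 * MINUTE_MS
# Constructed reference instant; all sample timestamps hang off it.
T0 = int(datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample records: (_collector, _source, _sourceName,
# _messagetime, _receipttime), timestamps in epoch milliseconds like Sumo Logic's fields.
SAMPLE_LOGS = [
    # healthy source: messages arrive a couple of minutes after they were written
    ("col-web", "nginx", "/var/log/nginx/access.log", T0, T0 + 2 * MINUTE_MS),
    ("col-web", "nginx", "/var/log/nginx/access.log", T0 + MINUTE_MS, T0 + 4 * MINUTE_MS),
    # source that looks ~5 hours "late": typical of local-time logs parsed as UTC
    ("col-db", "postgres", "/var/log/postgresql.log", T0, T0 + 5 * HOUR_MS + MINUTE_MS),
    ("col-db", "postgres", "/var/log/postgresql.log", T0 + 30_000, T0 + 5 * HOUR_MS + 90_000),
    # source whose message time is ahead of receipt time: negative delay
    ("col-app", "app", "/opt/app/app.log", T0 + 3 * HOUR_MS, T0 + 10_000),
]


def delay_minutes(receipt_ms: int, message_ms: int) -> int:
    """(_receiptTime - _messageTime) / 60000, truncated toward zero.
    Truncation is assumed here to match what toInt() does in the query."""
    return int((receipt_ms - message_ms) / MINUTE_MS)


@dataclass
class DelayStats:
    """Running avg/min/max plus the count the query itself does not emit."""
    count: int = 0
    total: int = 0
    min_delay: int = 0
    max_delay: int = 0

    def add(self, d: int) -> None:
        if self.count == 0:
            self.min_delay = self.max_delay = d
        else:
            self.min_delay = min(self.min_delay, d)
            self.max_delay = max(self.max_delay, d)
        self.count += 1
        self.total += d

    @property
    def avg(self) -> float:
        return self.total / self.count


def aggregate(logs):
    """Group by (_collector, _source, _sourceName) like the query's 'by' clause."""
    stats = defaultdict(DelayStats)
    for collector, source, source_name, message_ms, receipt_ms in logs:
        stats[(collector, source, source_name)].add(delay_minutes(receipt_ms, message_ms))
    return dict(stats)


def timezone_suspects(stats, tolerance_min: int = 5):
    """Heuristic (an assumption of this example, not a Sumo Logic rule): flag a
    group whose average delay is negative, or is at least one hour and within
    tolerance_min of a whole number of hours, as a likely timezone offset."""
    suspects = []
    for key, s in stats.items():
        if s.avg < 0:
            suspects.append((key, round(s.avg, 1), "message time ahead of receipt time"))
            continue
        hours = round(s.avg / 60)
        if hours >= 1 and abs(s.avg - hours * 60) <= tolerance_min:
            suspects.append((key, round(s.avg, 1), f"~{hours}h offset"))
    return suspects


if __name__ == "__main__":
    results = aggregate(SAMPLE_LOGS)
    for key, s in results.items():
        print(key, f"count={s.count} avg={s.avg:.1f} min={s.min_delay} max={s.max_delay}")
    for key, avg, reason in timezone_suspects(results):
        print("review timezone config:", key, avg, reason)
```

Run it as-is to see the three groups: the nginx source shows a small positive delay, the postgres source an average of about 301 minutes (flagged as a ~5h offset), and the app source a negative delay (flagged because its message time is ahead of receipt time). When the same pattern shows up in the real query, the fix is on the source's timezone setting or timestamp format rather than on the collector's connectivity.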
Comments
I really like this query, even better than the one I found that did a count of the logs with a time difference. What would be great is if there would be a way to also include the count of logs. Thanks.