Problem:
I'm running a query in Live Tail and I am seeing log messages coming in, however, when I search the same scope via the interactive search I am not getting any results.
Resolution:
Live Tail ignores any timestamps found in the logs and simply shows data as it is received by the Sumo Logic service. An interactive search, by contrast, is based on the timestamps parsed from the logs. If the date/time parsed from the logs does not fall within the time range supplied in your interactive query, you may not see the expected results.
The easiest way to confirm whether a time parsing problem is the source of the issue is to select the "Use Receipt Time" option found under the time range selector. With this option selected, your interactive query returns messages based on the time they were received by the Sumo Logic service instead of the time parsed from those messages. This will usually return results more in line with what is seen in the Live Tail session.
Once you have confirmed that the receipt time search returns messages, review those messages for timestamp parsing problems. The most common time parsing issue concerns the timezone applied to the timestamp. If your log timestamps do not contain a timezone, or if the timezone is not in a format recognized by Sumo Logic, a default timezone (UTC) is applied to the parsed date/time. This default timezone can be overridden to match the expected timezone of your log messages in the "Advanced" section of the configuration of the Source used to read and send these logs to Sumo Logic.
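The following Python script is an added illustration of the behaviour described above; it is not Sumo Logic code and does not call the Sumo Logic API. It models, under the assumptions stated in its comments, how a "last 15 minutes" interactive query treats two constructed log lines that arrived at the same instant: one stamped with a local time and no timezone marker, one with an explicit offset. It then shows the three outcomes the article discusses: the untagged line is missing when the default UTC zone is applied, it reappears when receipt time is used, and it reappears when the default timezone is overridden to the log's actual zone. The `json_log_record` helper shows the producer-side remedy of emitting a `timestamp` field with an explicit UTC marker; the fallback of an unparseable timestamp to receipt time is a modelling assumption, not a documented behaviour.

```python
"""Model of parsed-time vs receipt-time search (added example, not Sumo Logic code)."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: both lines were received by the collector at this instant.
RECEIPT_TIME = datetime(2024, 3, 5, 22, 5, 0, tzinfo=timezone.utc)

# Constructed log lines. The first carries a local time (actually UTC-8) with no
# zone marker; the second carries an explicit offset.
LOG_LINES = [
    "2024-03-05 14:04:58 INFO login ok user=alice",
    "2024-03-05 14:04:59-08:00 INFO login ok user=bob",
]

# The zone the first line was really written in; used to model the Source
# "Advanced" default-timezone override.
PST = timezone(timedelta(hours=-8))

# Leading ISO-style timestamp, optionally followed by Z or a +HH:MM/-HH:MM offset.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})(Z|[+-]\d{2}:\d{2})?")


def _timestamp_text(line):
    """For JSON records use the 'timestamp' field; otherwise scan the raw line."""
    if line.lstrip().startswith("{"):
        return str(json.loads(line).get("timestamp", ""))
    return line


def parse_log_time(line, default_tz=timezone.utc):
    """Parse the message timestamp; apply default_tz when no zone is present.

    Returns None when no timestamp is recognised.
    """
    m = TS_RE.match(_timestamp_text(line))
    if not m:
        return None
    base, zone = m.group(1).replace(" ", "T"), m.group(2)
    if zone is None:
        # No zone in the log: the default zone is assumed (UTC unless overridden).
        return datetime.fromisoformat(base).replace(tzinfo=default_tz)
    return datetime.fromisoformat(base + zone.replace("Z", "+00:00"))


def search_time(line, receipt_time, use_receipt_time=False, default_tz=timezone.utc):
    """Time the interactive search would index this message on."""
    if use_receipt_time:
        return receipt_time
    parsed = parse_log_time(line, default_tz)
    # Modelling assumption only: an unparseable timestamp falls back to receipt time.
    return parsed if parsed is not None else receipt_time


def run_query(lines, receipt_time, minutes=15, use_receipt_time=False,
              default_tz=timezone.utc):
    """Return the lines a 'last N minutes' query (ending at receipt_time) would show."""
    start = receipt_time - timedelta(minutes=minutes)
    hits = []
    for line in lines:
        t = search_time(line, receipt_time, use_receipt_time, default_tz)
        if start <= t <= receipt_time:
            hits.append(line)
    return hits


def json_log_record(message, now=None, **fields):
    """Emit a JSON log record whose 'timestamp' carries an explicit UTC marker."""
    now = now or datetime.now(timezone.utc)
    record = {"timestamp": now.isoformat().replace("+00:00", "Z"),
              "message": message, **fields}
    return json.dumps(record)


if __name__ == "__main__":
    print("parsed time, default UTC :", run_query(LOG_LINES, RECEIPT_TIME))
    print("use receipt time         :", run_query(LOG_LINES, RECEIPT_TIME, use_receipt_time=True))
    print("parsed time, default PST :", run_query(LOG_LINES, RECEIPT_TIME, default_tz=PST))
    print("explicit-UTC JSON record :", json_log_record("login ok", user="carol"))
```

Running the script shows the first line dropping out of the parsed-time query because 14:04:58 read as UTC is eight hours before the query window, while both lines match under receipt time or with the default zone set to PST. The JSON record carries a `Z` suffix, so it parses to the same instant regardless of the default zone.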
Additional Resources:
Comments
We had created a custom logger that just logs pure JSON, but we were failing to add a `timestamp` property and set its value to a UTC timestamp. After adding this we had no problems!