Is there a way to alert when a collector has not received data for a specific amount of time?

Comments

3 comments

  • Rahul Choudhary

    Hi Deirdre,

    You can use "Data not sent alert" to configure alerting for your collector that has not ingested anything for any specified timeframe as explained here:

    https://help.sumologic.com/Manage/Ingestion-and-Volume/Monitor-Ingestion-and-Receive-Alerts#Data_not_sent_alert

    Data not sent alert

    This hourly alert will notify you if any of your collectors have not sent data for the last 24 hours (-24h). Extend the time range if 24 hours is not long enough for your data to collect.

    Note: This type of alert isn't suitable for ephemeral environments and can send false positives.

    Setup

    Prerequisite. All collectors must be sending data before you set this alert. This alert will trigger if any collectors do not send data in the specified time range. If you want to identify collectors that are not ingesting for a long time or have not ingested at all, you can use the Collector API attributes alive and LastSeenAlive.

    1. Enable the Data Volume Index. See Enable and Manage the Data Volume Index for instructions.
    2. (Optional) Depending on how busy your collectors are, you can modify the following alert threshold:
      | where mins_since_last_logs >= 60
      For example, if your collectors ingest less often than 60 minutes, 4 hours may be more appropriate and you can change the line to 240 minutes:
      | where mins_since_last_logs >= 240


    Query

    _index=sumologic_volume sizeInBytes _sourceCategory="collector_volume"
    | parse regex "\"(?<collector>(?:[^\"]+)|(?:\"\"))\"\:\{\"sizeInBytes\"\:(?<bytes>\d+),\"count\"\:(?<count>\d+)\}" multi
    | first(_messagetime) as MostRecent, sum(bytes) as TotalVolumeBytes by collector
    | formatDate(fromMillis(MostRecent),"yyyy/MM/dd HH:mm:ss") as MostRecentTime
    | toMillis(now()) as currentTime
    | formatDate(fromMillis(currentTime),"yyyy/MM/dd HH:mm:ss") as SearchTime
    | (currentTime-MostRecent) / 1000 / 60 as mins_since_last_logs
    | where mins_since_last_logs >= 60
    | fields -mostrecent, currenttime
    | format ("%s Has not collected data in the past 60 minutes", collector) as message

    Hope the above information helps and caters to your requirement.

    Thanks

    Rahul

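The detection logic of the query above, reimplemented in Python as an added example (this is not Sumo Logic's code and was not posted in this thread) so that the per-collector "minutes since last data" computation and the threshold check can be followed offline. It assumes, as the query does, that each volume-index message carries an epoch-millisecond `_messagetime` and a body of `"collectorName":{"sizeInBytes":N,"count":N}` entries; the sample rows, the `NOW_MS` clock and the `missing_collectors` helper (which illustrates the prerequisite that a collector with no rows in the window produces no alert at all) are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Python named-group form of the parse-regex used in the Sumo query. With
# re.finditer it behaves like the query's "multi" option: one match per
# collector entry in a message.
COLLECTOR_RE = re.compile(
    r'"(?P<collector>(?:[^"]+)|(?:""))":\{"sizeInBytes":(?P<bytes>\d+),"count":(?P<count>\d+)\}'
)

# Constructed clock and sample messages (epoch milliseconds, newest first, as the
# search returns them). They stand in for rows from
# _index=sumologic_volume _sourceCategory="collector_volume".
NOW_MS = 1_700_000_000_000
SAMPLE_MESSAGES: List[Tuple[int, str]] = [
    (NOW_MS - 5 * 60_000,
     '{"web-prod":{"sizeInBytes":5120,"count":40},"db-prod":{"sizeInBytes":256,"count":2}}'),
    (NOW_MS - 65 * 60_000,
     '{"web-prod":{"sizeInBytes":4096,"count":32},"batch-nightly":{"sizeInBytes":900,"count":3}}'),
    (NOW_MS - 300 * 60_000,
     '{"web-prod":{"sizeInBytes":2048,"count":16},"batch-nightly":{"sizeInBytes":1800,"count":6},'
     '"legacy-agent":{"sizeInBytes":64,"count":1}}'),
]


def aggregate_by_collector(messages: List[Tuple[int, str]]) -> Dict[str, Dict[str, int]]:
    """Equivalent of: first(_messagetime) as MostRecent, sum(bytes) as TotalVolumeBytes by collector.

    Because input is newest-first, first() is the most recent time; taking max()
    makes the result independent of input order.
    """
    stats: Dict[str, Dict[str, int]] = {}
    for msg_time, raw in messages:
        for m in COLLECTOR_RE.finditer(raw):
            entry = stats.setdefault(m.group("collector"), {"most_recent": msg_time, "total_bytes": 0})
            entry["most_recent"] = max(entry["most_recent"], msg_time)
            entry["total_bytes"] += int(m.group("bytes"))
    return stats


def stale_collectors(messages: List[Tuple[int, str]], now_ms: int, threshold_minutes: int = 60) -> List[dict]:
    """Equivalent of the mins_since_last_logs computation, the 'where' filter and the format() line."""
    alerts = []
    for name, s in sorted(aggregate_by_collector(messages).items()):
        mins = (now_ms - s["most_recent"]) / 1000 / 60
        if mins >= threshold_minutes:
            alerts.append({
                "collector": name,
                "mins_since_last_logs": mins,
                "TotalVolumeBytes": s["total_bytes"],
                "message": f"{name} Has not collected data in the past {threshold_minutes} minutes",
            })
    return alerts


def missing_collectors(messages: List[Tuple[int, str]], expected: List[str]) -> List[str]:
    """Collectors that never appear in the window: the query cannot alert on these,
    which is why all collectors must be sending before the alert is set up."""
    seen = aggregate_by_collector(messages)
    return [name for name in expected if name not in seen]


if __name__ == "__main__":
    for threshold in (60, 240):
        print(f"threshold {threshold} min:")
        for alert in stale_collectors(SAMPLE_MESSAGES, NOW_MS, threshold):
            print("  ", alert["message"], f"(last seen {alert['mins_since_last_logs']:.0f} min ago)")
    print("never seen in window:", missing_collectors(SAMPLE_MESSAGES, ["web-prod", "never-installed"]))
```

With the 60-minute threshold the sample flags batch-nightly (65 minutes) and legacy-agent (300 minutes); raising the threshold to 240 as the post suggests leaves only legacy-agent, and a collector that never reported in the window surfaces only through the separate missing-collector check, not through the alert itself.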
  • Deirdre Rodgers

    Hello Rahul,

    Thanks for the reply. This is very helpful.

    As for the query itself, can you give me some indication of which parts need to be replaced and by what values?

    For example, the first part _index=sumologic_volume

    Is sumologic_volume meant to be substituted with the name of my own index?

    For example _index=DataPoller_Prod ? Or does it refer to an actual volume?

  • Rahul Choudhary

    Hi Deirdre,

    This is the Sumo Logic internal data volume index and has to be used in the query mentioned in the above link to get the required results.

    https://help.sumologic.com/Manage/Ingestion-and-Volume/Enable-and-Manage-the-Data-Volume-Index


    Thanks

    Rahul
