We have a recurring issue where we have a number of containers that may require a restart for one reason or another. The issue is that when we restart these containers, the collector picks up all of the old logs (that have already been shipped to Sumo) and ships them again which blows out our daily quota and creates numerous duplicate log entries. We have our collector configured with the "cutoffRelativeTime" set to "-1h" in hopes of preventing or at least reducing the volume hit, but Sumo support has told us that setting is only utilized upon source creation. Their suggestion was to use "cutoffTime", but that wouldn't work unless we were constantly reconfiguring the collector and pushing the timestamp forward. In the most extreme cases, we will re-ship weeks of logs. Are others experiencing this? How are you working around it/preventing it?
Please sign in to leave a comment.