Log file time stamp is incorrect for specific logs for the same collector

Comments

3 comments

  • Kevin Keech

    The 'Time' value is the time Sumo Logic parsed from the raw log message at ingest time, based on your current Source configuration settings. Your screenshot does not show the raw message content, so it's hard to tell if what you are seeing is expected or not. You will want to look at the raw message and see if this timestamp appears somewhere within the message.

    The following help documentation has more information on how times are parsed from your log messages.

    Timestamps, Time Zones, Time Ranges, and Date Formats

  • Murthy Chitturi

    The raw message looks like the one below:

    It's in JSON array format. There is no timestamp that comes with the raw data. As shown in the picture, the Receipt time is the date the log is actually generated. We generate the log file name/source based on the date.

    Another interesting thing: there are a bunch of other logs that are generated at the same time and are coming in with the same timestamp and received time. Only a few of them are showing a really old time. All of these logs are from the same collector under one data source. Both the DATASOURCE and Collector timezones default to EST.

    ```json
    [
      {
        "Monitoring": {
          "State": "disabled"
        }, 
        "PublicDnsName": "", 
        "State": {
          "Code": 16, 
          "Name": "running"
        }, 
        "EbsOptimized": false, 
        "LaunchTime": "2019-02-26T14:32:55+00:00", 
        "PrivateIpAddress": "10.63.11.155", 
        "ProductCodes": [], 
        "VpcId": "vpc-rytuyi13eaa", 
        "CpuOptions": {
          "CoreCount": 1, 
          "ThreadsPerCore": 1
        }, 
        "StateTransitionReason": "", 
        "InstanceId": "i-XXXXX", 
        "EnaSupport": true, 
        "ImageId": "ami-04bfee437f38a691e", 
        "PrivateDnsName": "ip-EETTTRnal", 
        "KeyName": "foundations-nonprod", 
        "SecurityGroups": [
          {
            "GroupName": "default", 
            "GroupId": "sg-0576ugh790"
          }
        ], 
        "ClientToken": "", 
        "SubnetId": "subnet-0657ghj1e0d", 
        "InstanceType": "t2.micro", 
        "CapacityReservationSpecification": {
          "CapacityReservationPreference": "open"
        }, 
        "NetworkInterfaces": [
          {
            "Status": "in-use", 
            "MacAddress": "0e:12:b2:80:4a:b2", 
            "SourceDestCheck": true, 
            "VpcId": "vpc-0b1ggyui3eaa", 
            "Description": "Primary network interface", 
            "NetworkInterfaceId": "eni-07ccvhgjh89c", 
            "PrivateIpAddresses": [
              {
                "Primary": true, 
                "PrivateIpAddress": "10.63.11.155"
              }
            ], 
            "SubnetId": "subnet-067568yug1e0d", 
            "Attachment": {
              "Status": "attached", 
              "DeviceIndex": 0, 
              "DeleteOnTermination": true, 
              "AttachmentId": "eni-attach-
    ```
  • Kevin Keech

    So the issue is that your Source is probably configured to parse out a timestamp from these messages (this is the default). What is happening is that Sumo Logic is parsing the timestamp found in the "LaunchTime" field in the message as the message time.

    If there is no message timestamp in your messages, what you may want to do is turn off the detection of timestamps from your messages so that the "Time" field will always be the same as the time Sumo Logic received the message. This is set on the Source you have configured to read these logs.
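The behaviour described in the comments above, as an added illustration that is not part of the thread and not Sumo Logic's own parser: a simplified ingest-time timestamp detector that, when auto-detection is on, picks up the first ISO-8601 value it finds in a message (here the `LaunchTime` field of an EC2 instance record) and uses it as the message time, and when it is off falls back to the receipt time. The sample records, the receipt time and the one-day skew threshold are constructed for the example; the regular expression is a deliberately narrow stand-in for the many timestamp formats a real collector recognises.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: an EC2 describe-instances style record with no log
# timestamp of its own, only a LaunchTime field (mirrors the raw message in the thread).
RAW_WITH_LAUNCHTIME = json.dumps([{
    "State": {"Code": 16, "Name": "running"},
    "LaunchTime": "2019-02-26T14:32:55+00:00",
    "InstanceId": "i-XXXXX",
    "InstanceType": "t2.micro",
}])

# Constructed sample: a record with no timestamp-shaped field at all.
RAW_WITHOUT_TIMESTAMP = json.dumps([{
    "State": {"Code": 16, "Name": "running"},
    "InstanceId": "i-YYYYY",
    "InstanceType": "t2.micro",
}])

# Constructed receipt time: when the collector handed the message to the service.
RECEIPT_TIME = datetime(2019, 8, 14, 13, 0, 0, tzinfo=timezone.utc)

# Simplified detector (assumption: ISO-8601 date-time with an explicit offset or "Z").
ISO8601 = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
)


def detect_timestamp(raw):
    """Return the first ISO-8601 timestamp found anywhere in the raw message, or None."""
    m = ISO8601.search(raw)
    if not m:
        return None
    # fromisoformat accepts "+00:00" on all supported Pythons; "Z" only on 3.11+.
    return datetime.fromisoformat(m.group(0).replace("Z", "+00:00"))


def assign_message_time(raw, receipt_time, auto_detect=True):
    """Simulated ingest: with auto_detect on, any timestamp found in the message
    (even an unrelated field such as LaunchTime) becomes the message 'Time';
    with auto_detect off, or when nothing is found, the receipt time is used."""
    if auto_detect:
        detected = detect_timestamp(raw)
        if detected is not None:
            return detected
    return receipt_time


def skew_outliers(records, receipt_time, auto_detect=True, max_skew=timedelta(days=1)):
    """Practitioner's check for the symptom in the thread: flag messages whose
    assigned time differs from the receipt time by more than max_skew."""
    flagged = []
    for raw in records:
        assigned = assign_message_time(raw, receipt_time, auto_detect)
        if abs(receipt_time - assigned) > max_skew:
            flagged.append((raw, assigned))
    return flagged


if __name__ == "__main__":
    batch = [RAW_WITH_LAUNCHTIME, RAW_WITHOUT_TIMESTAMP]
    for mode in (True, False):
        print(f"auto_detect={mode}")
        for raw in batch:
            print("  Time:", assign_message_time(raw, RECEIPT_TIME, mode).isoformat())
        print("  outliers:", len(skew_outliers(batch, RECEIPT_TIME, mode)))
```

Run as a script, the first pass (detection on) assigns the February LaunchTime to the record that carries it and the receipt time to the other, so the two records from the same batch land months apart in search results; the second pass (detection off) gives both the receipt time and the outlier check is empty. The `skew_outliers` check is a cheap way to confirm that only the messages containing an embedded date are affected before changing the Source setting.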
