Log Analytics Agent - Custom Table Issue

%3CLINGO-SUB%20id%3D%22lingo-sub-2784363%22%20slang%3D%22en-US%22%3ELog%20Analytics%20Agent%20-%20Custom%20Table%20Issue%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2784363%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI%20have%20a%20problem%20when%20trying%20to%20import%20logs%20(from%20a%20JSON%20file)%20into%20a%20custom%20table.%20Not%20all%20the%20logs%20present%20in%20the%20file%20are%20collected%20in%20the%20custom%20table.%3C%2FP%3E%3CP%3EIf%20the%20file%20contains%2024000%20logs%2C%20a%20query%20on%20the%20table%20report%20only%2014000%20logs.%3C%2FP%3E%3CP%3EI'm%20using%20a%20script%20to%20import%20the%20logs%20file%20on%20the%20(linux)%20folder%20where%20the%20Custom%20Table%20get%20the%20JSON%20logs.%3C%2FP%3E%3CP%3EIn%20this%20script%20first%20I%20create%20the%20file%20(using%20the%20touch%20command)%20with%20size%200%20bytes%2C%20then%20after%202%20minutes%20I%20export%26nbsp%3B%20(after%20decompressed)%20the%20entire%26nbsp%3B%20file%20to%20be%20processed%20on%20the%20destination%20folder.%20So%20the%20log%20analytics%20agent%20start%20transfer%20the%20logs%20insider%20the%20file%20on%20the%20custom%20table%2C%20but%20not%20all%20the%20logs%20are%20transferred.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhere%20did%20I%20go%20wrong%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20log%20file%20(on%20the%20agent)%20to%20understand%20the%20reason%20of%20this%20behavior%3F%3C%2FP%3E%3CP%3ESome%20special%20configuration%20on%20the%20agent%20to%20get%20the%20JSON%20logs%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESuggestion%20are%20really%20appreciated.%20I'm%20blocked.%20I%20have%20tested%20syslog%20mode%20too%2C%20but%20the%20logs%20are%20truncated%20in%20a%20wrong%20way.%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3ELG%3C%2FP%3E%3C%2FLINGO-BODY%3E
Senior Member

Hi,

I have a problem when trying to import logs (from a JSON file) into a custom table. Not all the logs present in the file are collected in the custom table.

If the file contains 24000 logs, a query on the table report only 14000 logs.

I'm using a bash script to import the logs file on the (linux) folder where the Custom Table get the JSON logs.

In this script first, I create the file (using the touch command) with size 0 bytes, then after 2 minutes I export  (after decompressed) the entire  file to be processed on the destination folder. So the log analytics agent start transfer the logs insider the file on the custom table, but not all the logs are transferred.

 

Where did I go wrong?  

Is there a log file (on the agent) to understand the reason of this behavior?

Some special configuration on the agent to get the JSON logs and not discards some logs?

 

Suggestion are really appreciated. I'm blocked. I have tested syslog mode too, but the logs are truncated in a wrong way.

Thanks

LG

0 Replies