Merge log data from 2 different sources


I have a "real time"'ish logger based on service bus + web job which posts to Log Analytics on every message. At the same time, we also log the messages to disk. I want to change this to batch messages and send more at a time to reduce the HTTP calls.

However, I am concerned about message loss in the scenario where the post to Log Analytics fails. Is there an automatic way to have a process merge the rolling log files from disk with what is already in Log Analytics?

1 Reply

In the SQL world, if I'm understanding your question correctly, the equivalent would be an upsert. Unfortunately, LA does not today support this. However, because of the performance of the engine, we recommend in scenarios like yours that you index your data, and then select only the latest version when querying your data to dedup it. The other option of course is to handle it client side via robust retry logic, though this is more involved. Lastly, and this is not an option I've tried myself, but there exists a community-developed LogStash adapter (https://github.com/agup006/logstash-output-OMS) for an OMS sink, LogStash potentially having some built-in logic for dealing with rotating logs that you might find useful. Sorry for not having a cleaner answer for you, but hopefully one of these will work!
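The two options from the reply combined, as an added example that is not part of the original thread: client-side retry with replay from the disk log, then "select only the latest version" at query time to drop the duplicates that replay creates. All names (`MessageId`, `IngestedAt`, `FlakySink`, `send_with_retry`, `replay_from_disk`, `latest_version`) are hypothetical, and the sink is a constructed in-memory stand-in rather than the Log Analytics API.

```python
import time

class TransientSendError(Exception): pass  # hypothetical sender failure (POST failed or timed out)

def send_with_retry(send, batch, attempts=4, base_delay=0.5, sleep=time.sleep):
    """Deliver one batch; True on success, False once every attempt has failed."""
    for attempt in range(attempts):
        try:
            send(batch)
            return True
        except TransientSendError:
            if attempt < attempts - 1:
                sleep(base_delay * 2 ** attempt)  # exponential backoff
    return False

def replay_from_disk(disk_records, acked_ids, send, batch_size=2, **retry_kw):
    """Re-send unacknowledged disk records; a failed call may still have stored rows."""
    pending = [r for r in disk_records if r["MessageId"] not in acked_ids]
    for i in range(0, len(pending), batch_size):
        batch = pending[i:i + batch_size]
        if send_with_retry(send, batch, **retry_kw):
            acked_ids.update(r["MessageId"] for r in batch)
    return acked_ids

def latest_version(rows):
    """Query-side dedup: keep only the newest row per MessageId."""
    newest = {}
    for row in sorted(rows, key=lambda r: r["IngestedAt"]):
        newest[row["MessageId"]] = row  # a later ingestion replaces an earlier one
    return list(newest.values())

class FlakySink:
    """Constructed stand-in for the log store, so the example runs offline."""
    def __init__(self, fail_calls=(), store_then_fail=()):
        self.rows, self.calls = [], 0
        self.fail_calls, self.store_then_fail = set(fail_calls), set(store_then_fail)
    def __call__(self, batch):
        self.calls += 1
        if self.calls in self.fail_calls:
            raise TransientSendError("request dropped before the write")
        self.rows += [{**r, "IngestedAt": len(self.rows) + i} for i, r in enumerate(batch, 1)]
        if self.calls in self.store_then_fail:
            raise TransientSendError("response lost after the write")

def demo():
    disk = [{"MessageId": f"m{i}", "Body": f"event {i}"} for i in range(1, 5)]  # constructed
    sink = FlakySink(fail_calls={2}, store_then_fail={1})
    acked = replay_from_disk(disk, set(), sink, sleep=lambda s: None)
    return sink.rows, latest_version(sink.rows), acked
```

The first call stores its rows and then reports failure, so the retry writes `m1` and `m2` a second time; the dedup step only works because each record carries a stable identifier assigned before the first send.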