I have been asked a few times why a content pack does not return any results. The actual symptoms of the problem often vary between:
- None of the widgets return any results
- One or more dashboards return no results while other dashboards do return results
- A particular widget does not return any results when results are expected
In this post, I would like to discuss how to troubleshoot the problem.
Where to get Content Packs
- As of Log Insight 2.5, VMware and VMware partner content packs are available within the product from the marketplace available under the content packs section.
- VMware and VMware partner content pack have always been available for free on VMware Solution Exchange.
- Community content packs can be found online and are often posted to the Log Insight Community.
How to Install a Content Pack
A content pack can be installed directly from the marketplace if running Log Insight 2.5 or by selecting the import button at the bottom left of the content pack page in Log Insight. For more information, see this post.
Troubleshooting
There are five things to check if you are experiencing widgets that return no results in a content pack.
1. Missing Prerequisites
In addition to installing the content pack in Log Insight, you need to forward events that the content pack requires in order to get results. It is important to note that some content packs require events to be forwarded a specific way. For example, some require the Log Insight agent with a specific configuration or the use of a script to collect specific events. In addition, the version number of the product for which you are analyzing is also important. Be sure to check the directions provided for the content pack.
Note: Directions were not available for content packs displayed within the in-product Log Insight marketplace until Log Insight 3.0. If you are not presented with directions upon installing a content pack you can find them on VMware Solution Exchange.
Directions for a content pack could be found in a few places in Solution Exchange:
- Tech Specs: Here you will find what version(s) of Log Insight and what version(s) of the product the content pack supports are required for the content pack to work.
- Resources: Some content pack provides directions in the form of a white paper or official document.
2. Misunderstanding
Some widgets return events only under specific conditions:
- If certain prerequisites are met
- Only if problems are being experienced
If you check the notes section of a widget, it should indicate if certain conditions need to be met. For example, in the vSphere content pack the “General – Problems” widgets will only display results when there is an actual problem within the environment:
3. Time Range Issue
By default, the time range on the dashboards page is the latest 5 minutes. It is possible that events are not generated that frequently and that you need to increase the time range to see results. Try switching to the latest 24 hours.
Note: The selected time range should be as short as possible for optimal performance. All time queries should be avoided.
4. Data In Issue
If you are not receiving events required for the content pack then you will always get no results. You can check that events are being received by running queries on the IA page that return sources/hosts/events that you expect. One common issue is that clients are configured to forward to LI via FQDN however the client cannot resolve the FQDN because of a DNS issue. Note the data in issue could be because of #1 above or could be because of some other issue like the DNS one described.
5. Query Issue
Find a dashboard widget that is not returning results and select the magnifying glass icon to run the query on the Interactive Analytics page. Check the query and determine why you do not have any events that match the conditions. It is possible that the content pack has a bug that needs to be fixed.
6. Actually No Results
Finally, it is possible that you just do not have any results for the queries. Now, it would be very rare that all widgets on all dashboards for a content pack return no results, but this is a possibility. If all widgets on all dashboards return no results then it is best to recheck numbers 1 through 5 above. Also note that even if you confirm numbers 1 and 4 it is possible that the devices are not generating any events that match queries within the content pack. In this case, you will need to generate some events by leveraging the capabilities of the product which should be sending events.
Summary
Content packs require data in a specific format to work properly. Content packs contain directions — either within Log Insight or from VMware Solution Exchange — which describe the steps and format in which data must be ingested. If you believe you have configured everything correctly and you are still not receiving results it may be because of the time range or because no results have actually been received for the defined widget. If you do experience an issue or have a question about a content pack, be sure to post it on the Log Insight Community.
© 2015, Steve Flanders. All rights reserved.