A common question I get asked is, “Why do I see a gap in data on Log Insight charts?” I would like to answer this question!
A gap in data on Log Insight charts may be seen in two slightly different ways.
Gap between data
The first is that you see some results, then a gap in data, then some more results. This pattern may repeat more than once as well. An example of what such a chart would look like is:
In this scenario, the gap in data is caused because the server did not receive events from any clients during the time of the gap.
Gap before data
The second is that you see some results before a gap, but no data after the gap. An example of what such a chart would look like is:
In this scenario, the gap in data indicates that the server has not received any events from any clients since the last result.
Client events may not have been received for a variety of reasons, including:
- The client did not send any events during that time
  - The client or client syslog agent may have been restarted
  - Some clients do not send events every second; depending on the time granularity of the Log Insight query, this can appear as a gap in data
  - The client configuration may have been changed, resulting in no events being sent or events being sent to a different destination
- Network connectivity issues
  - The client may have been unable to contact the server due to a network issue
  - A firewall change may have prevented events from reaching the server
- The server could not ingest the client events
  - The server may be overloaded and forced to drop events (a system notification is sent when this occurs)
  - The server may have been restarted
  - The server archive location may be full (a system notification is sent before and after this occurs)
In both scenarios, the reason for the gap should be investigated. In the gap before data scenario, the investigation should take place ASAP to ensure that critical events are not being missed.
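To make the two scenarios concrete, here is an added example (my own code, not Log Insight's) that buckets a client's syslog timestamps the way a chart does and reports each run of empty buckets as a "between" gap (data resumes) or a "before" gap (nothing received since). It assumes constructed sample log lines with a leading ISO-8601 timestamp and a fixed "now" for the chart's right edge; run it with 60-second and 300-second buckets to see the same events show gaps at one granularity and none at the other.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): syslog from one
# client. Note the silence from 12:03 to 12:06, and nothing after 12:07.
SAMPLE_LOG = """\
2014-05-01T12:00:05 host1 sshd[100]: Accepted publickey for admin
2014-05-01T12:01:10 host1 sshd[100]: session opened for user admin
2014-05-01T12:02:30 host1 cron[200]: (root) CMD (run-parts /etc/cron.hourly)
2014-05-01T12:06:12 host1 sshd[100]: session closed for user admin
2014-05-01T12:07:45 host1 cron[200]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_timestamps(log_text):
    """Read the leading ISO-8601 timestamp of each non-empty line."""
    return [datetime.fromisoformat(line.split(" ", 1)[0])
            for line in log_text.splitlines() if line.strip()]

def bucket_counts(timestamps, bucket_seconds, now):
    """Count events per chart bucket, from the first event's bucket up to `now`."""
    width = timedelta(seconds=bucket_seconds)
    first = min(timestamps)
    midnight = first.replace(hour=0, minute=0, second=0, microsecond=0)
    secs = int((first - midnight).total_seconds())
    t = midnight + timedelta(seconds=secs - secs % bucket_seconds)  # align bucket
    counts = []
    while t < now:
        counts.append((t, sum(1 for ts in timestamps if t <= ts < t + width)))
        t += width
    return counts

def find_gaps(timestamps, bucket_seconds, now):
    """Return (start, end, kind) per run of empty buckets: 'between' when data
    resumes afterwards, 'before' when nothing has arrived since (investigate first)."""
    gaps, run_start = [], None
    for t, n in bucket_counts(timestamps, bucket_seconds, now):
        if n == 0 and run_start is None:
            run_start = t
        elif n > 0 and run_start is not None:
            gaps.append((run_start, t, "between"))
            run_start = None
    if run_start is not None:
        gaps.append((run_start, now, "before"))
    return gaps

def gap_report(log_text, bucket_seconds, now_iso):
    """Convenience wrapper returning ISO strings, e.g. for a dashboard or alert."""
    gaps = find_gaps(parse_timestamps(log_text), bucket_seconds,
                     datetime.fromisoformat(now_iso))
    return [(s.isoformat(), e.isoformat(), kind) for s, e, kind in gaps]
```

With `gap_report(SAMPLE_LOG, 60, "2014-05-01T12:10:00")` the 60-second buckets show one "between" gap and one "before" gap, while `gap_report(SAMPLE_LOG, 300, "2014-05-01T12:10:00")` shows none, which is the query-granularity effect described in the list above.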
© 2014, Steve Flanders. All rights reserved.