After installing a collector and configuring a source, your data should appear in Sumo Logic in a matter of minutes. How can you confirm that your data is being collected? Try any of the following options.
Check the Status page of the Sumo Logic Web Application
In Sumo Logic select Manage Data > Collection > Status to view the total message volume (the volume of all collectors in your account) and the volume of data from each collector.
As long as you see that some messages are present, your Sumo Logic account is up and running.
Try a search
When a Collector starts, it begins collecting the oldest logs available. Depending on how many historical logs you have, it could take a while before the Collector is caught up with the most recent data. First, check to see when the logs were created, then, when you search for the first time, make sure to use a timeframe that will include those logs.
For example, if your log data goes back three days, you could try the following search:
* or [ENTER] -3d
Verify that your Collectors are running
Collectors and Sources in your account are listed on the Collectors page. Collectors and Sources that are running (able to communicate with Sumo Logic and configured to send data) are marked with . Stopped Collectors and Sources are marked with . Stopped Collectors don't send any data.
If a Collector is stopped, you can verify the Collector's status and restart it if necessary.
To check a Collector's status:
- Log in to the Collector, go to the [install_dir]/ and run
- If the status is "stopped" you can restart the Collector by running
(Running a Collector on Windows? The Collector's status can be found by running services.msc from an Admin cmd.exe shell, or from the Control Panel. The service is listed under SumoLogic Collector; the startup type should be set to Automatic.)
Check timestamp settings
If your log files have missing or faulty time stamp data it can affect the log messages you'll see collected; search results are also affected if time stamp information is incorrect. For example, if a Collector is running on a computer that doesn't contain a UTC offset time (like UTC-0800), the time stamp could be off by several hours, so if you attempted to search logs within the past 15 minutes no search results will appear.
When you configure a Source, you can choose one of three timestamp options. First, make sure that your log data is using a supported timestamp and date format.
To view Source settings:
- Select Manage Data > Collection > Collection.
- Click Edit to the right of the Source's name.
- Under Advanced, choose one of the following:
- Extract timestamp information from log file entries. Select this option if you'd like Sumo Logic to always extract timestamps from log messages. If no timestamp is detected, Sumo Logic uses the time when the data is received. Generally this is the best option (it's also selected by default).
- Use time zone from log file. Choose a time zone that Sumo Logic can use if log files don't have a time stamp. If a Collector is running on a computer set to the UTC time zone without an offset, Sumo Logic will use this time zone.
- Ignore time zone from log file. Choose a time zone to override any time zone information found in log files. If you're collecting log files from disparate time zones, choose this option to set all your Sources to the same time zone.
For more information, see Timestamps, Time Zones, Time Ranges, and Date Formats.