Depending on the time range of a dashboard data panel, it can take time for a panel to display the complete results. When you click the toggle to go into Live Mode, the panels start displaying live data going forward, while also backfilling with data for the specified time period. When the dashboard is completely backfilled, the percentage indicator changes to a green dot.
Sumo Logic applies UTC as the time zone to your messages if:
- Time zones are not parsed automatically.
- A time zone is missing in your messages.
- A time zone value is missing.
- The source is not configured with a default time zone.
This results in "parsed time" showing as either hours in the future or hours behind the actual message time in the logs. This affects how panels interpret these messages. (For more information on common time parsing problems, see Timestamps, Time Zones, Time Ranges, and Date Formats.)
Panels are active queries that only query data as it is being received into the system, prior to messages being indexed, and they only look for messages with a parsed timestamp 10 minutes forward in time or within the window of the current panel time. As messages are received, the panel determines whether each message falls between X hours/minutes ago and 10 minutes from now:
- If yes, then the message gets added to the panel.
- If no, it is excluded.
If your message times are in PST, but Sumo Logic interprets them as UTC, then the panels will skip the messages as not being current. For example, if the current time is 17:00 UTC, and the log messages coming in have a timestamp of 10:00 (PT), and the service parsed them as 10:00 (UTC) due to a time zone configuration error, then the panel will not show these messages because the parsed time is 7 hours behind the current time and may be outside the current panel window.
Interactive mode is different because it queries the log messages after processing and indexing, and finds messages that have a parsed timestamp that falls within the selected time range, regardless of when they were received by the service. With an interactive search, a message that was received 7 hours before the parsed message is still found by the current query.
The easiest way to check if a timestamp parsing problem or delayed ingest could be causing this problem is to compare the parsed time "Time" field to the time the service received the message. On the panel showing no data, click the Panel or click the Show in Search button to open the query in the Search tab.
When you open the query on the Search page, Sumo Logic provides an option just under the time range selector called Use Receipt Time. Run the query with this option checked.
With this option, you can search by the time Sumo Logic received the messages (the receipt time in Sumo Logic) instead of the time parsed from the logs. This option displays both the parsed time and the receipt time, so you can compare the values. If you see hours of difference between these values, then you probably have a time parsing problem and may need to update your Source configurations, especially the Source or Collector level setting "Use time zone from log file. If none is present use:". The most common issue is that this setting defaults to UTC, when your Source log messages may be generated in a different time zone.
Query to Check Offset of Receipt Time and Message Time
The following query can be run within your account and will display a count by Collector, Source, and sourceName of messages whose receipt time and parsed message time differ by more than 1 hour. This query should be run over a very small time range with the Use Receipt Time option for the query selected. This query can identify the Sources and sourceNames that could be susceptible to the "No data to display" error in a Dashboard Panel.
* | _receipttime - _messagetime as difference
| difference/1000/60 as diff_minutes
| where diff_minutes < -60 or diff_minutes > 60
| count by _collector, _source, _sourceName
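
The live-panel window rule and the offset test from the query above, worked through in Python for the 10:00 / 17:00 UTC case; this is an added example, not Sumo Logic code. The sample timestamp, the fixed UTC-7 offset standing in for the source's real time zone, the 15-minute panel range, and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FUTURE_SLACK = timedelta(minutes=10)  # panels accept timestamps up to 10 min ahead

def parse_message_time(raw, assumed_tz):
    """Interpret a zone-less log timestamp in the zone the Source assumes."""
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=assumed_tz)

def in_live_window(message_time, now, panel_range):
    """Live-mode rule: (now - panel range) <= parsed time <= (now + 10 min)."""
    return now - panel_range <= message_time <= now + FUTURE_SLACK

def diff_minutes(receipt_time, message_time):
    """Same arithmetic as the query: (_receipttime - _messagetime)/1000/60."""
    millis = (receipt_time - message_time).total_seconds() * 1000
    return millis / 1000 / 60

def flagged_by_query(receipt_time, message_time):
    """Mirror of: where diff_minutes < -60 or diff_minutes > 60."""
    d = diff_minutes(receipt_time, message_time)
    return d < -60 or d > 60

def evaluate(raw, assumed_tz, receipt_time, panel_range):
    """Report how one message fares under a given Source time zone setting."""
    mt = parse_message_time(raw, assumed_tz)
    return {
        "parsed_utc": mt.astimezone(timezone.utc).isoformat(),
        "shown_in_live_panel": in_live_window(mt, receipt_time, panel_range),
        "diff_minutes": diff_minutes(receipt_time, mt),
        "flagged_by_query": flagged_by_query(receipt_time, mt),
    }

# Constructed sample: the log line says 10:00 with no zone and arrives at 17:00 UTC.
RAW = "2024-06-03 10:00:00"
RECEIPT = datetime(2024, 6, 3, 17, 0, 0, tzinfo=timezone.utc)
SOURCE_TZ = timezone(timedelta(hours=-7))  # assumed real zone of the log source
PANEL_RANGE = timedelta(minutes=15)        # assumed panel time range

if __name__ == "__main__":
    for label, tz in (("Source defaults to UTC", timezone.utc),
                      ("Source set to UTC-7", SOURCE_TZ)):
        print(label, evaluate(RAW, tz, RECEIPT, PANEL_RANGE))
```

With a 24-hour panel range the misparsed message would still fall inside the window, which is why the page says it "may be" outside; a timestamp misparsed more than 10 minutes into the future is excluded at any panel range.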