Can old log files be collected by a TIBCO LogLogic LMI appliance?
Article ID: KB0077856
Updated On:
| Products | Versions |
|---|---|
| TIBCO LogLogic Log Management Intelligence | all versions |
Description
Typically, ingesting old data is a one time event however, LMI only supports file collection using a file transfer rule that is intended to run on a recurring scheduled basis. So after LMI has collected and processed the file once then there is typically no reason to keep the file transfer rule enabled for a one-time file ingestion. In fact, we highly recommend disabling the file transfer rule if it's a one-time ingestion, otherwise LMI will repeatedly collect the file using the defined schedule. This will result in wasted resources. You can also simply delete the file transfer rule if you wish but keep the log source entry for future searching purposes.
Unless the file-based data is from a device or application that is supported by Log Source Packages the device type for this data will be OtherFileDevice. A new instance of that type must be manually created first and then a file transfer rule can be created that is associated with that source entry.
There is one exception to this procedure working for old file-based data. If the events do not contain a date/timestamp in a format that LMI can recognize (i.e. parse) then the time associated with the events is the collection time, just like LMI uses for syslog data. This is normally only an issue for custom applications that don't use a standard date/time format. If this occurs then all the old events will be associated with the same time corresponding to the collection time and must be searched using that time instead of the original event time.
Issue/Introduction
Feedback
