james.hardman@h Absent Member.
Absent Member.
708 views

Agent Time stamp and Manager Time stamp minutes apart

Jump to solution

Hi,

I am currently seeing some events from our logger to our ESM take minutes to arrive.  We are not losing/dropping events, I cannot see any caching on the logger (in agent.out.wrapper.log) but when setting up and active channel on the ESM for logger and using the local variables (see attached)  to see the time differences between the END TIME, AGENT TIME and MANAGER RECEIPT TIME, there is minutes difference on some events (see attached, times are in minutes, not seconds).

We suspect the logger is the issue.  It does not seem to be under too much heavy load (average 300-400 EPS in/out, CPU averaged 30%).

Is there anything that may be causing this? Is there anything I can check additionally?

Cheers,

Jimmy

Labels (2)
0 Likes
Reply
1 Solution

Accepted Solutions
james.hardman@h Absent Member.
Absent Member.

Re: Agent Time stamp and Manager Time stamp minutes apart

Jump to solution


This is now fixed.  We have to change the forwarder query on the logger from a Unified Query to a RegEx query.  There seems to be a bug in the software and it cannot handle the indexing side of Unified queries.  We now have no delay between our events.

View solution in original post

0 Likes
Reply
7 Replies
Ignight71 Absent Member.
Absent Member.

Re: Agent Time stamp and Manager Time stamp minutes apart

Jump to solution

Maybe the logger is sitting on a cache that is slowly bleeding into the ESM. For this I probably would try: stopping the logger connector process, clearing the agentdata folder on the logger forwarding connector, starting the connector up again.

Note:

endTime:

  • End of Event. Defaults to deviceReceiptTime. If there is no deviceReceiptTime than it will be matched to agentReceiptTime.

Also, you aren't sending directly to the Logger right? If you are you might want to check NTP settings are correct on the device.

Good luck,

Aaron

0 Likes
Reply
Super Contributor.. neil.desai@hpe. Super Contributor..
Super Contributor..

Re: Agent Time stamp and Manager Time stamp minutes apart

Jump to solution

Do you have connectors sending events to your logger? The bottleneck maybe there. The time fields you are referring to usually are associated with connectors, not logger.

Neil

0 Likes
Reply
james.hardman@h Absent Member.
Absent Member.

Re: Agent Time stamp and Manager Time stamp minutes apart

Jump to solution

Hi,

The NTP settings are correct, all (3) the cache files are 0 bytes in the agentdata folder.

The logger has been reboot several times recently - no change.

There is a different between the ENDTIME and AGENT TIME which indicates to me that the source device IS setting the END TIME.

Regards,

Jimmy

0 Likes
Reply
james.hardman@h Absent Member.
Absent Member.

Re: Agent Time stamp and Manager Time stamp minutes apart

Jump to solution

I thought that but when you look at the AGENT HOSTNAME it's the loggers hostname.  Could this a red-herring?


Regards,

Jimmy

0 Likes
Reply
james.hardman@h Absent Member.
Absent Member.

Re: Agent Time stamp and Manager Time stamp minutes apart

Jump to solution


This is now fixed.  We have to change the forwarder query on the logger from a Unified Query to a RegEx query.  There seems to be a bug in the software and it cannot handle the indexing side of Unified queries.  We now have no delay between our events.

View solution in original post

0 Likes
Reply
Super Contributor.. neil.desai@hpe. Super Contributor..
Super Contributor..

Re: Agent Time stamp and Manager Time stamp minutes apart

Jump to solution

Did they give you a bug number for this? I have seen similar issues and would like something to refer to. Thanks.

0 Likes
Reply
james.hardman@h Absent Member.
Absent Member.

Re: Agent Time stamp and Manager Time stamp minutes apart

Jump to solution

Unfortunately they did not.

We were advised to upgrade to the latest logger version but that is not an option for us at the moment, thus the RegEx query is the solution.

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.