Monitoring log data flow and optimizing integration settings in Health Log Analytics
The Overview screen in Health Log Analytics provides a comprehensive view of the components in the log-processing pipeline of a specific active integration. From this screen, you can troubleshoot any streaming issues for this integration and adjust its settings if needed.
The Overview screen shows the log data streaming status and streaming sources of an active integration. It provides direct access to the Data Input Mapping, Source Type Structures, and Log Sources pages, as well as the Log Viewer, all with context from the current integration.
Streaming status
The ServiceNow AIOps component shows the total number of alerts that the HLA engine has created. These statistics are updated when the Overview screen loads and are automatically refreshed every minute to show live data. You can change the default auto-refresh time interval through the system property sn_itom_integ_app.overview_page_data_input_stats_auto_refresh_interval_seconds.
If data streaming fails, the integration is automatically deactivated and the Streaming status marks the component where the failure occurred. In addition, a banner explains the failure and either proposes steps to take to fix it or refers to ServiceNow support.
For MID-less or OpenTelemetry Protocol (OTLP) integrations, such as Amazon Data Firehose, the Overview screen displays the ITOM Gateway as a component in the log-processing pipeline. The MID Server component is not shown in the pipeline, because log data is sent directly from the source to the ITOM Gateway. The logs are then processed by the HLA engine to find anomalies.
Log streaming sources
| Column | Description |
|---|---|
| Name | The name of the log data source. |
| Status | The streaming status: Active or Not active. |
| Data input | The integration streaming the data to your ServiceNow instance. |
| MID Server | The MID Server to which the log data is streaming. |
| Last event time | The time when the integration received the latest event. |
| Last log processing time | The time when the last log was received or processed. |
| Raw log lines/sec | The average number of raw log lines that streamed to the MID Server per second in the last one-minute interval. Remarque : This value represents the number of raw log lines before preprocessing. |
| Pre-processed log lines/sec | The average number of preprocessed log lines that streamed to the MID Server per second in the last one-minute interval. Remarque : This value can differ from the number of raw log lines per second. For example, the difference can be a result of logs having been dropped during
preprocessing. |
Example
As an admin, you use the integration Overview page to verify continuous data flow into the ServiceNow instance. If log streaming fails, HLA doesn't receive the real-time data needed to detect anomalies or generate alerts.
For example, the Streaming Status for an active Elasticsearch integration may show a red circle with a white X for the MID Server component in the log-processing pipeline. This indicates that logs are not reaching the MID Server.
The Log Streaming Sources table shows a state of Authentication Failed or Connection Error, with an error message indicating invalid credentials. This points to an issue with the Elasticsearch credentials. Fixing the credentials and either restarting the log service or waiting for the next polling cycle, restores the connection.
The Log Streaming Sources table now shows a connection state of Connected or Active with successful authentication. The Streaming Status displays a green circle with a white check mark for the MID Server component. With log streaming restored, HLA can resume processing data and generating anomaly alerts.