Identify and resolve log streaming issues

  • Release version: Yokohama
  • Updated January 30, 2025

    Identify and address log streaming issues to ensure that the data inputs you have configured for Health Log Analytics are streaming data properly to your ServiceNow instance.

    Before you begin

    Role required: evt_mgmt_admin

    Procedure

    1. Navigate to All > Health Log Analytics > Streaming Sources.
      The Streaming Sources page shows all data inputs and the MID Servers that are receiving logs from them.
      Note:
      • When Look up hostnames is selected in the advanced data input configuration, the Streaming Sources page shows the hostname of devices that use an Rsyslog or a Filebeat shipper. For Elasticsearch indices, it displays the index name.
      • Streaming Sources is also available as a related list on the data input form. The related list displays only the endpoint devices that are relevant to that data input.
      • If the HLA engine is down and data has stopped streaming, a notification appears at the top of the Streaming Sources page. When this happens, contact ServiceNow support.
    2. Select a data input record to view the streaming data of its sources and identify streaming issues and their possible cause.
      For example, if the last recorded event time for a data input's endpoint server is yesterday, that server might be down or configured incorrectly. A streaming issue might also be caused by the data input configuration file not being installed on the endpoint.
      Filter: Description
      Status
        The status of the source. A red bullet indicates that this source has not streamed data in the last hour.
      Last event time
        The last recorded time an event arrived at the MID Server in the last one-minute interval.
        Note: Health Log Analytics continuously updates the last event time. If the last event time is not up to date, data is not streaming.
      Raw log lines/sec
        The average number of raw log lines that streamed to the MID Server per second in the last one-minute interval.
        Note: This value represents the number of raw log lines before preprocessing.
      Preprocessed log lines/sec
        The average number of preprocessed log lines that streamed to the MID Server per second in the last one-minute interval.
        Note: This value can differ from the number of raw log lines per second. For example, the difference can be a result of logs having been dropped during preprocessing.
    3. Investigate and resolve any data streaming issues.
      Note:
      If you experience permissions-related issues with streaming log data from Elasticsearch, refer to the Granting privileges for data streams from Elasticsearch [KB0967366] article in the Now Support Knowledge Base.
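    The checks the Streaming Sources page applies (red status after an hour without data, per-second rates over the last one-minute interval, and a raw-versus-preprocessed gap that points at lines dropped in preprocessing) can be reproduced over your own telemetry for triage or alerting. The following is an added example, not ServiceNow code; the sources, timestamps and line counts are constructed sample data and the one-hour stale threshold follows the description above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: per source, (interval end time, raw lines, preprocessed lines)
# as counted at the MID Server for one-minute intervals. Not real HLA data.
NOW = datetime(2025, 1, 30, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "web-01 (Filebeat)": [
        (NOW - timedelta(minutes=2), 3000, 3000),
        (NOW - timedelta(minutes=1), 2400, 1800),  # 600 lines dropped in preprocessing
    ],
    "db-02 (Rsyslog)": [
        (NOW - timedelta(hours=26), 600, 600),     # nothing received for over a day
    ],
    "app-logs-index": [
        (NOW - timedelta(minutes=30), 120, 120),   # quiet, but within the last hour
    ],
}
STALE_AFTER = timedelta(hours=1)   # page: red bullet after one hour without data
INTERVAL = timedelta(minutes=1)    # page: rates are averaged over one-minute intervals


def source_status(samples, now=NOW):
    """Summarise one source the way the Streaming Sources page columns do."""
    last_ts = max(ts for ts, _, _ in samples)
    recent = [s for s in samples if now - s[0] <= INTERVAL]
    raw = sum(s[1] for s in recent) / INTERVAL.total_seconds()
    pre = sum(s[2] for s in recent) / INTERVAL.total_seconds()
    return {
        "status": "red" if now - last_ts > STALE_AFTER else "green",
        "last_event_time": last_ts,
        "raw_per_sec": raw,
        "preprocessed_per_sec": pre,
        "dropped_per_sec": raw - pre,
    }


def find_streaming_issues(sources, now=NOW):
    """Return the sources that need attention and a likely cause to investigate."""
    issues = {}
    for name, samples in sources.items():
        s = source_status(samples, now)
        if s["status"] == "red":
            issues[name] = ("no data in the last hour: check that the endpoint is up "
                            "and that its data input configuration file is installed")
        elif s["dropped_per_sec"] > 0:
            issues[name] = (f"{s['dropped_per_sec']:.0f} lines/sec dropped in "
                            "preprocessing: confirm the preprocessing rules intend this")
    return issues


if __name__ == "__main__":
    for name, reason in find_streaming_issues(SAMPLES).items():
        print(f"{name}: {reason}")
```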

    What to do next

    When the logs are streaming properly, proceed to map your raw log data.
    Note:
    You can choose to edit incoming raw log data before Health Log Analytics processes it. For example, preprocessing enables you to discard log portions or remove sensitive data from your logs. This task is optional.