Hi
When running a query, I constantly also see entries of the log insight server itself that shows how it is building the query. For example:
[2017-05-02 13:24:44.472+0000] [LogSearchWorker.Processor-thread-2647/xx.xx.xx.xx INFO] [com.vmware.loginsight.analytics.distributed.LogSearchWorkerService] [Received query: SELECT COUNT(item0) FROM timestamp >= 1493645084157 AND timestamp <= 1493731485011 AND (text:"performance has deteriorated" OR text:"lost access to volume") as item0 GROUP BY item0.timestamp/3600000 ORDER BY item0.timestamp DESC; token=664093c5610c8d50]
I have no need for these entries. How can I disable them?
Regards
Gabrie
please provide more details like: what do you need to achieve? how does it interfere?
Hi,
Well, I think those entries should never show. The above lines are the result of my query to show all entries with text "performance has deteriorated" OR text:"lost access to volume". I receive the correct results from hosts reporting this, but I ALSO receive the line mentioned in my first post. And that line shows the query that Log Insight is running internally. I think it should not be shown.
It looks as if in my installation, log insight is also syslogging to itself.....
Gabrie
You are logging data from log insight it self. Stop doing that
You are logging data from log insight it self. Stop doing that
Yeah, I already figured that out, but HOW ???? I see no setting in Log Insight to send syslog.
I have seen this on rare occasions .You need to find the liagent.ini on the log insight virtual appliance. Change the hostname=<your LI IP will be listed here> to say something.vmware.com ( and yes I mean a hostname that cannot be resolved to a real hostname) the logs will stop being ingested into it self.
# maybe you could disable liagent on relevant li server:
chkconfig liagentd off
chkconfig --list liagentd
Did any of the suggestion from Vardan or myself work for you? If yes please mark this question as answered. Thanks!