VMware Cloud Community
Gabrie1
Commander
Commander
‎05-02-2017 06:26 AM

Log Insight entries from Log Insight are obscuring my queries

Hi

When running a query, I constantly also see entries of the log insight server itself that shows how it is building the query. For example:

[2017-05-02 13:24:44.472+0000] [LogSearchWorker.Processor-thread-2647/xx.xx.xx.xx INFO] [com.vmware.loginsight.analytics.distributed.LogSearchWorkerService] [Received query: SELECT COUNT(item0) FROM timestamp >= 1493645084157 AND timestamp <= 1493731485011 AND (text:"performance has deteriorated" OR text:"lost access to volume") as item0 GROUP BY item0.timestamp/3600000 ORDER BY item0.timestamp DESC; token=664093c5610c8d50]

I have no need for these entries. How can I disable them?

Regards

Gabrie

http://www.GabesVirtualWorld.com
Reply
0 Kudos
7 Replies
vmovsisyan
Enthusiast
Enthusiast
‎05-03-2017 01:51 AM

please provide more details like: what do you need to achieve? how does it interfere?

Reply
0 Kudos
Gabrie1
Commander
Commander
‎05-03-2017 02:00 AM

Hi,

Well, I think those entries should never show. The above lines are the result of my query to show all entries with text "performance has deteriorated" OR text:"lost access to volume". I receive the correct results from hosts reporting this, but I ALSO receive the line mentioned in my first post. And that line shows the query that Log Insight is running internally. I think it should not be shown.

It looks as if in my installation, log insight is also syslogging to itself.....

Gabrie

http://www.GabesVirtualWorld.com
Reply
0 Kudos
MichaelRyom
Hot Shot
Hot Shot
‎05-03-2017 03:51 AM

You are logging data from log insight it self. Stop doing that  

Blogging at https://MichaelRyom.dk
Reply
0 Kudos
Gabrie1
Commander
Commander
‎05-03-2017 05:29 AM

You are logging data from log insight it self. Stop doing that 

Yeah, I already figured that out, but HOW ???? I see no setting in Log Insight to send syslog.

http://www.GabesVirtualWorld.com
Reply
0 Kudos
admin
Immortal
Immortal
‎05-03-2017 01:04 PM

I have seen this on rare occasions .You need to find the liagent.ini on the log insight virtual appliance. Change the hostname=<your LI IP will be listed here> to say something.vmware.com ( and yes I mean a hostname that cannot be resolved to a real hostname) the logs will stop being ingested into it self.

Reply
0 Kudos
vmovsisyan
Enthusiast
Enthusiast
‎05-04-2017 02:26 AM

# maybe you could disable liagent on relevant li server:

chkconfig liagentd off

chkconfig --list liagentd

Reply
0 Kudos
admin
Immortal
Immortal
‎05-10-2017 10:56 AM

Did any of the suggestion from Vardan or myself work for you? If yes please mark this question as answered. Thanks!

Reply
0 Kudos