This section provides answers to frequently asked questions (FAQs) about the TrueSight IT Data Analytics product:

Why were no records found on performing a search (for the last 60 minutes) even though all records were indexed?

This problem could be caused by an issue with the time-clock synchronization of the various hosts in your environment. This issue could also occur if the time clock of the target host from which you want to collect data and the time clock of the IT Data Analytics server are not synchronized. Furthermore, it might happen if, when you created the data collector, the time zone selected was incorrect, in which case the data is indexed for an incorrect time.

Ensure that all hosts in your environment have their system clocks synchronized and their time zones properly set. Also ensure that the time zone is correctly set when you create a data collector.

How many ProactiveNet cells can a single data collector connect with?

A single data collector can connect with a single ProactiveNet cell at one time.

How long does it take for an entry that occurs in a log message to become searchable in the product?

The time lag between the data generated in the logs and the notification may vary from 1 minute up to the data collector poll interval. The time lag depends on multiple factors:

  • Poll time of the data collector
  • Time lag for the data to be sent to the Indexer (up to approximately 10 seconds)

How long does it take for an event notification to be sent, after the time the event was found?

The time lag between the data generated in the logs and the notification may vary from two minutes up to the notification execution duration.

The time lag depends on multiple factors:

  • Poll time of the data collector
  • Time delay between the notification executions based on the scheduled duration
  • Time lag for the data to be sent to the Indexer (up to approximately 10 seconds)

After running the scheduled maintenance and subsequently restarting the system, I am unable to search for data that occurred during the maintenance window. Why?

When the Collection Agents are restarted, they start reading the data from the time they are restarted, and they ignore old data. Data that occurs between the time when the Collection Agent was stopped and the time when the Collection Agent was started is ignored.

Why is my data not getting indexed?

If the data that you are collecting has a time stamp that is more than 24 hours in the future, that data is not indexed. Therefore, you must ensure that the time settings on the target hosts and the collection hosts are correct and are synchronized. You must also specify the correct time zone when you create the data collector.

If your data file does not have any reference to the year in the time stamp (in syslog files, for example), and at the time of indexing the product detects that the time when the data occurred is ahead of the current time, the product assumes that this data has occurred in the previous year. Such an occurrence might happen if the target host and collection host time settings are not synchronized. Based on the maximum data retention period (set in days), such data might not be indexed.

Example

If the product server's date and time are set to June 10, 2014, 2:45 A.M., and the events received have a date and time stamp of July 10, 3:45 A.M., the product assumes that the year when the data occurred is 2013 (the previous year). Now, if the data-retention period in the product is set to 15 days, this data is not indexed, because the time at which the data occurred lies outside the maximum data-retention period.
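The year-inference rule described above, modelled in Python as an added example (this is not the product's code). The function names, the syslog stamp layout, and the strict "ahead of the current time" comparison are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed layout: classic yearless syslog stamp, with the candidate year prepended.
FMT = "%Y %b %d %H:%M:%S"


def resolve_year(stamp: str, now: datetime) -> datetime:
    """Give a yearless stamp the current year, or the previous year if the
    result would be ahead of `now` (strict comparison is an assumption)."""
    event = datetime.strptime(f"{now.year} {stamp}", FMT)
    if event > now:
        # A Feb 29 stamp rolled into a non-leap year raises ValueError here.
        event = event.replace(year=now.year - 1)
    return event


def classify(stamp: str, now: datetime, retention_days: int):
    """Return (resolved_time, verdict) for one yearless log stamp."""
    event = resolve_year(stamp, now)
    if now - event > timedelta(days=retention_days):
        return event, "not indexed: outside retention period"
    return event, "indexed"


if __name__ == "__main__":
    now = datetime(2014, 6, 10, 2, 45)  # server clock from the page's example
    samples = [                          # constructed stamps
        "Jul 10 03:45:00",  # the page's example event
        "Jun 09 23:00:00",  # a few hours old
        "Jun 10 02:50:00",  # target host clock 5 minutes ahead of the server
    ]
    for s in samples:
        event, verdict = classify(s, now, retention_days=15)
        print(f"{s} -> {event:%Y-%m-%d %H:%M} {verdict}")
```

Under these assumptions, the third sample shows that a target host running only five minutes ahead of the server is enough for its events to be dated to the previous year and fall outside a 15-day retention period.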