How to reprocess raw logs in Sumologic

Question

I added a AWS S3 collector to my sumologic account, then logs started be gathered. In my case those are Application Load Balancer access logs. I also let collector default boundaries detection to "Infer boundaries".

I noticed that some incoming request log entries of https type where merged with those of h2 type.

I then decided to change boundaries detection by a regular expression.

My old log entries gathered by sumologic do not seem to be automatically reprocessed by this new configuration.

How to perform a global reprocessing of logs gathered by my collector so they can be properly parsed?

score 1 · Answer 1 · answered Mar 09 '20 at 16:50

1

I always thought you could update the "Collection should begin" property on the source configuration to a different / previous time from the original value and it would re-ingest from there. If not, however, you might want to consider just creating a new source and backdating that property. https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services/AWS-S3-Source

answered Mar 09 '20 at 16:50

the-nick-wilson

566
4
18

It seems à good idea. I'll try it and mark as answered if succeed. Thank you for the path – G. Ghez Mar 10 '20 at 20:39

How to reprocess raw logs in Sumologic

1 Answers1