diff --git a/docs/send-data/collector-faq.md b/docs/send-data/collector-faq.md index e4b497b020..f6e7b0d0ba 100644 --- a/docs/send-data/collector-faq.md +++ b/docs/send-data/collector-faq.md @@ -419,9 +419,15 @@ This article describes the assumptions that Sumo makes about customer data, tips See [using _format for troubleshooting](/docs/send-data/reference-information/time-reference.md) timestamps. -#### Assumption: Data is less than 365 days old +#### Assumption: Data is less than 30 days but within 365 days -Sumo Logic assumes that all log message times fall within a window of -1 year through +2 days compared to the current time. Any log messages with a parsed timestamp outside of that window is automatically re-stamped with the current time. +* To ingest historical data older than 30 days but within 365 days, you must specify a `timestamp` field using a regex locator and a valid date format. + +#### Assumption: Data is older than 365 days + +Sumo Logic assumes that all log message times fall within a window of -1 year through +2 days compared to the current time. Any log messages with a parsed timestamp outside of that window are automatically re-stamped with the current time. +* Data older than 365 days can still be ingested. However, even if a custom timestamp is provided, it will be autocorrected to the current time unless technical support disables this function at the organization level. +* To ingest data older than 365 days with the original timestamp intact, you'll need to contact [Support](https://support.sumologic.com/support/s) to disable the autocorrection function at the org level. #### Assumption: Data from a source will have similar timestamps diff --git a/docs/send-data/reference-information/time-reference.md b/docs/send-data/reference-information/time-reference.md index 80f7540ccf..f77deb04db 100644 --- a/docs/send-data/reference-information/time-reference.md +++ b/docs/send-data/reference-information/time-reference.md 
@@ -33,7 +33,7 @@ If your log messages from a Source contain multiple timestamps, timestamps in un The Collector assumes that all log messages coming from a particular Source will have timestamps that are close together. If a message comes through that appears to be more than one day earlier or later than recent messages from that Source it will be auto-corrected to match the current time. You can stop this auto-correction by explicitly configuring a custom timestamp format on your Source. -The Collector also assumes that all log messages coming from a particular Source will have timestamps that are within a window of -1 year through +2 days compared to the current time. Any log message with a parsed timestamp outside of that window is automatically re-stamped with the current time. You must contact [Sumo Logic Support](https://support.sumologic.com/) to adjust this auto-correction behavior. See [How to ingest old or historical data](/docs/send-data/collector-faq#how-to-ingest-old-or-historical-data) for further details. +The Collector also assumes that all log messages coming from a particular Source will have timestamps that are within a window of -1 year through +2 days compared to the current time. Any log messages with a timestamp older than 30 days is automatically set to the current time. You must contact [Sumo Logic Support](https://support.sumologic.com/) to adjust this auto-correction behavior. See [How to ingest old or historical data](/docs/send-data/collector-faq#how-to-ingest-old-or-historical-data) for further details. ### Automated timestamp parsing
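Review bot: In the docs/send-data/collector-faq.md hunk, the new heading "Assumption: Data is less than 30 days but within 365 days" contradicts itself and the bullet under it, which covers data "older than 30 days but within 365 days"; the heading should read "Data is older than 30 days but within 365 days". In the new "Data is older than 365 days" section, both bullets say that Support must disable autocorrection at the org level, so they can be merged into one. The 30-day section also does not say what happens to such data when no `timestamp` field is specified; one sentence stating that default would close the gap.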
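Review bot: In the docs/send-data/reference-information/time-reference.md hunk, the rewritten sentence "Any log messages with a timestamp older than 30 days is automatically set to the current time" conflicts with the sentence just before it, which still gives the window as -1 year through +2 days, and with the collector-faq.md change in this same patch, which says data older than 30 days but within 365 days can be ingested when a `timestamp` field is specified. The new wording also drops the case of timestamps more than 2 days in the future, which the removed sentence covered through "outside of that window". Suggest stating both thresholds with the condition that applies to each, and fixing the agreement ("messages ... are").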