Log Management and Analytics default limits

The following page lists default limits for the latest version of Dynatrace Log Management and Analytics.

The below limitations apply to both log file ingestion and generic log ingestion via API:

Log event minimum timestamp

The earliest timestamp for a log event is:

The current time minus 2 hours for Log events. This applies to all event sources (OneAgent and generic log ingestion). If the log event contains a timestamp earlier than current time minus 2 hours, the event is dropped.
The current time minus 2 hours for Log metrics.
If the log event contains a timestamp earlier than current time minus 24 hours, the event is dropped and the generic log ingestion API returns a 400 response code. Similarly, if the log metric contains a timestamp earlier than current time minus 2 hours, the metric is dropped.

Limits for your log autodiscovery when using OneAgent.

Log files in OneAgent cannot be deleted earlier than a minute after creation.
Log files in OneAgent must be appended (old content is not updated).
Log files in OneAgent must have text content.
Log files in OneAgent must be opened constantly (not just for short periods of adding log entry).
Log files in OneAgent must be opened in write mode.

Unsupported autodiscovery scenarios

Scenarios that are not supported in the rotated log autodiscovery process include:

Rotated log generation with a directory change. This process could lead to the creation of numerous non-aggregated and/or incomplete logs, as well as to resource overuse.
Rotated log generation with immediate compression, where the application addresses a file with the same name. If a rotation criterion is met (for example, the required file size is reached), the file is moved to another location and immediately compressed. Example: /var/log/application.log -> /var/log/application.log.1.gz -> /var/log/application.log.2.gz -> /var/log/application.log.3.gz. This process might again lead to incomplete log creation.

Log rotation limits

Scenarios that are not supported in the rotated log monitoring process include:

Rotated log generation with a directory change. The potential consequence is the creation of numerous non-aggregated and/or incomplete logs.
Rotated log generation with immediate compression, where the application logs a file with the same name. If a rotation criterion is met (for example, the required file size is reached), the file is moved to another location and immediately compressed. Example: /var/log/application.log -> /var/log/application.log.1.gz -> /var/log/application.log.2.gz -> /var/log/application.log.3.gz. This process might again lead to incomplete log ingest.
Rotated log generation with queue logic, where the oldest log records are removed whenever new content is added to a file, resulting in a relatively constant log file size. This scenario can be easily replaced with a supported rotation scheme by, for example, starting a new file when the current file reaches a predefined size.

Ingest API payload size

For Generic log ingest API: the maximum payload size of a single request is 5 MB. Additional limitations to fields and attributes are listed at Log Monitoring API - POST ingest logs.
For OneAgent: the maximum size of uncompressed upload request position payload is 10 MB.
For OneAgent and Generic log ingest API: the length of a log record is limited to 8,192 characters. Any content exceeding the limit is trimmed (the rest of the log record is skipped). The ingest continues from the beginning of the next log record.

Number of log events in a payload

The maximum count of log events in a single upload is 50,000.

Log event maximum timestamp

The timestamp for a log event is not limited to future time. If the log event contains a timestamp later than 10 minutes in the future, the timestamp of the event is overridden by the current time on the server.

Maximum attributes

A log event can have up to 50 attributes. Additional attributes (as they appear in the JSON stream) are ignored.

High-cardinality attributes

Unique log data attributes (high-cardinality attributes) such as span_id and trace_id generate unnecessarily excessive facet lists that may impact log viewer performance. Because of this, they aren't listed in log viewer facets. You can still use them in a log viewer advanced search query.

Log ingestion API request objects

In addition to generic Dynatrace API limitations (Dynatrace API - Access limit) the following log ingestion API specific limits apply:

LogMessagePlain plain text object.
The length of the message is limited to 8,192 characters. Any content exceeding the limit is trimmed.
LogMessageJson JSON object.
The object might contain the following types of keys (the possible key values are listed below):
- Timestamp. The following formats are supported: UTC milliseconds, RFC3339, and RFC3164. If not set, the current timestamp is used.
- Severity. If not set, NONE is used.
- Content. If the content key is not set, the whole JSON is parsed as the content.
- Semantic attribute. Only values of the String type are supported. Semantic attributes are indexed and can be used in queries. These are also displayed in aggregations (facets). If an unsupported key occurs it is not indexed and cannot be used in indexing and aggregations.
The length of the value is limited. Any content exceeding the limit is trimmed. Default limits:
- Content: 8,192 characters.
- Semantic attribute value: 250 characters.

Sensitive data masking limits

Be aware of the following limitations to sensitive data masking:

Sensitive data masking requires OneAgent version 1.243.
Sensitive data masking in Log Monitoring v1 cannot be migrated to the latest Log Monitoring.
If the masking process takes too much time, the log file affected is blocked until the restart of OneAgent or any configuration change, and then you get the File not monitored - incorrect sensitive data masking rule message.