Missing Data

Playbook: Missing Data

Metrics stopped, logs disappeared, or entities vanished. Here's how to diagnose.

Step 1: Is OneAgent Running?

fetch dt.entity.host
| fields entity.name, state, monitoringMode

state: RUNNING = agent is alive. SHUTDOWN = agent stopped or host is down.

Step 2: Agent Events

fetch events, from:now()-24h
| filter event.kind == "FLEET_EVENT"
| fields timestamp, event.name, event.type
| sort timestamp desc
| limit 10

Step 3: Log Ingestion Check

// Is log volume normal?
fetch logs
| makeTimeseries volume=count()

Sudden drop to zero = ingestion stopped. Gradual decline = source changed.

Step 4: Metric Gaps

// Check for gaps in a specific metric
timeseries avg(dt.host.cpu.usage), by:{dt.entity.host}, from:now()-24h

Null values in the array = data gaps during those intervals.

Step 5: Process Group Changes

// Did processes restart or disappear?
fetch dt.entity.process_group
| fields entity.name, lifetime
| limit 20

Step 6: Extension Health

// If extension metrics are missing
fetch dt.entity.custom_device | summarize cnt=count()

Common Causes

Symptom                     Likely Cause                        Fix
──────────────────────────  ──────────────────────────────────  ──────────────────────────
Host shows SHUTDOWN         OneAgent crashed or host rebooted    Check host, restart agent
Metrics have gaps           Network issue or AG overload         Check ActiveGate logs
Logs stopped                Log source changed or rotated        Check log.source paths
Entities disappeared        Process stopped or K8s pod deleted   Check deployment status
Extension data missing      EEC not running or config error      Check extension status in Hub