Troubleshoot Log Analytics configuration

This document shows you how to resolve errors that might occur when using the Log Analytics page of the Google Cloud console.

Error messages

This section describes error messages you might see, and how to resolve the corresponding error conditions.

No completion signal within allotted timeframe error message

You enter a SQL query and select Run query. The query doesn't complete and you see the following error message:

The query failed to execute and return results due to error: No completion signal within allotted timeframe.

To resolve this error, do one of the following:

  • Shorten the interval over which logs are queried and then retry the query. For example, if a query interval is 14 days, shorten the interval to 7 days, and then run the query.

  • Create a linked BigQuery dataset and then run the query from the BigQuery interface. The BigQuery interface supports queries that require a longer execution time than the Cloud Logging interface. For more information, see Query a linked BigQuery dataset.

Queries against buckets with distinct CMEK keys error message

You enter a SQL query that queries multiple log buckets and select Run query. The query doesn't complete and you see the following error message:

Queries against buckets with distinct CMEK keys must have a key configured in the LogSettings.

To resolve this situation, do one of the following:

  • Configure your log buckets to use the same Cloud Key Management Service (Cloud KMS) key.
  • When the log buckets are in the same location, you can configure a folder or organization that is a parent resource for the log buckets with a default Cloud KMS key. The parent's default key must be in the same location as the log buckets. With this configuration, the parent's default key encrypts any temporary data generated by the Log Analytics query. For more information, see Log Analytics restrictions.

FROM clause must contain exactly one view error message

You enter a SQL query in the query pane of the Log Analytics page in the Google Cloud console, but the SQL parser displays the following error:

FROM clause must contain exactly one log view

The previous error is reported when the table specified in the FROM statement can't be resolved to a specific log view.

To resolve this error, ensure that your table name has the proper syntax:

  • Ensure that the table name follows the syntax required by the Log Analytics naming scheme. BigQuery and Log Analytics have different requirements for the table name. You can find the required syntax for the table name by viewing the default query.

  • If the Google Cloud project ID, region, bucket ID, or view ID of a log bucket contains period characters, (.), then ensure that each of these fields is wrapped by single backquotes, (`).

    For example, if a Google Cloud project ID is example.com:bluebird, then to query the _AllLogs view of the _Default log bucket, use the following syntax to specify the table:

    SELECT *
    FROM `example.com:bluebird`.`global`.`_Default`.`_AllLogs`

    The previous query assumes that the _Default bucket is in the global region.

Unable to save a query

You want to save your current query, so you run the query and then click Save, but the Save query option is disabled or you can't complete the dialog steps.

When the Save query option is disabled, your organization or folder's default resource settings define a location that isn't allowed by the organization policy. To resolve this failure, ask the administrator of your organization to define a location in the default resource settings that matches a location that is allowed by your organization policy. For more information, see Configure default settings for organizations and folders.

If the Save query option is enabled but you can't complete the dialog and save the query, then do the following:

  1. Ensure that the query doesn't contain syntax errors. You can only save valid queries.
  2. Optional: Copy the query into your clipboard.
  3. Reload the page.
  4. If you copied the query into your clipboard, then paste the query into the Query pane, run the query, and then perform the save operation.

Unable to create an analytics view

You want to create an analytics view, so you enter and run a SQL query and then click Save, but the Save as analytic view option is disabled.

To resolve this situation, ensure that your IAM roles include the following permissions:

  • observability.analyticsViews.{get, list, create, update, delete}

These permissions aren't included in any predefined Cloud Logging role. For information about the required roles, see Create and query analytics views: Before you begin.

Unable to query an analytics view

You want to query an analytics view, but the Views pane in the Log Analytics page doesn't show any analytics views.

To resolve this failure, try the following:

  • Ensure that your IAM roles include the following permissions:

    • observability.analyticsViews.{get, list}

    These permissions aren't included in any predefined Cloud Logging role. For information about the required roles, see Create and query analytics views: Before you begin.

  • Ensure that analytics views exist in your Google Cloud project.

Access denied to the Log Analytics page

You open the Log Analytics page in the Google Cloud console and a permission-denied error message is displayed.

To get the permissions that you need to load the Log Analytics page, run queries and view logs, ask your administrator to grant you the following IAM roles on your project:

You might also be able to get the required permissions through custom roles, or Logging predefined roles.

The permissions that you need to view log entries and run queries on the Log Analytics page are the same as those that you need to view logs on the Logs Explorer page. For information about additional roles that you need to query views on user-defined buckets or to query the _AllLogs view of the _Default log bucket, see Cloud Logging roles.

Upgrade of log bucket to use Log Analytics fails

You create a log bucket and select the option to use Log Analytics, or you upgrade an existing log bucket to use Log Analytics. The upgrade fails with an error condition similar to:

Failed precondition (HTTP 400): Constraint "my-constraint" violated for PROJECT_ID with location global.

The previous error message indicates that your organization has configured an organizational policy that restricts the regions that can be used. Log buckets that are eligible to be upgraded to use Log Analytics must use the global region. If you can remove the organizational policy restricting usage of the global region, then you can upgrade your log bucket. Otherwise, you can't upgrade your log buckets.

Creating a linked BigQuery dataset fails

You edit a log bucket to create a linked BigQuery dataset or you create a new log bucket and select the option to create a linked dataset; however, the linked dataset isn't created.

To resolve this error, ask the system administrator for the Google Cloud project to grant you an IAM role that includes the following permission:

  • logging.links.create

The previous permission is included in the Logging Admin (roles/logging.admin) and Logs Configuration Writer (roles/logging.configWriter) roles.

For information about roles and permissions, see Access control with IAM.

Deleting a linked BigQuery dataset fails

You no longer want the linked dataset but the option to delete that dataset is disabled.

To resolve this error, ask the system administrator for the Google Cloud project to grant you an IAM role that includes the following permission:

  • logging.links.delete

The previous permission is included in the Logging Admin (roles/logging.admin) and Logs Configuration Writer (roles/logging.configWriter) roles.

This permission lets you delete the linked dataset from the Logs Storage page of the Google Cloud console. For more information about roles and permissions, see Access control with IAM.

Query engine settings button is missing

If the Settings button isn't displayed next to the Run query button, then your Google Cloud project doesn't have reserved BigQuery slots enabled. To enable the Settings button, configure reserved BigQuery slots for your project.

Run on BigQuery button is disabled

If the Run on BigQuery button is displayed but disabled, then a log view referenced by your query doesn't have a linked dataset. To run your query on your BigQuery slot reservations, create a linked BigQuery dataset on your log view.

No Monitoring Service Account

You want to create an alerting policy to monitor the results of a SQL query. The setup steps required that you grant IAM roles to the Monitoring Service Account, but that account doesn't exist.

The Monitoring Service Account is called a service agent, because it is created and managed by Google Cloud. The account is created automatically when you configure a resource or service that requires the account. For example, if you create a Pub/Sub notification channel, then that action might cause the Monitoring Service Account to be created.

To create the Monitoring Service Account and grant it the permissions required for SQL-based alerting policies, do the following:

  1. Create the Monitoring Service Account. For more information, see Create and grant roles to service agents.

  2. Grant the following roles to the Monitoring Service Account:

Monitoring Service Account permission denied error

You want to create an alerting policy to monitor the results of a SQL query. However, you see a PermissionDenied error with a message that starts with Error authenticating service account.

To resolve this failure, grant the following roles to the Monitoring Service Account:

There are duplicate log entries in my Log Analytics results

You run a query that is counting or reporting duplicate entries. Because the Logs Explorer removes duplicate entries based on log name, timestamp, and insert ID, you expect Log Analytics to de-duplicate log entries before a query is run.

Log Analytics doesn't perform the same type of deduplication that is performed by the Logs Explorer.

To resolve duplicate log entries, try the following:

  1. Determine if the duplicate log entries have different receive timestamp values. When the timestamps differ, that indicates that the same data was written to Logging multiple times.

    To resolve duplicate writes, investigate your logging integration for error messages or misconfigurations.

  2. If your bucket is configured to use Cloud Key Management Service keys, then ensure that you are within quota and that your key is consistently accessible. Going over quota or loss of key access can result in duplicate log entries.

    To resolve these failures, ensure that you don't exceed your quota and that your key is accessible.

  3. Modify your query to remove duplicate log entries.

    Note: Modifying your SQL query to perform row qualification will slow the query computation. Therefore, we recommend that you use this approach only when the query is sensitive to duplicate log entries or when the results must not contain duplicate entries.

    For example, assume that the JSON payload contains fieldA and fieldB, where the first is a string and the second is numeric. Also, assume that the JSON payload contains a field labeled server, which contains a string. Next, consider the following query:

    SELECT
      JSON_VALUE(json_payload.fieldA) AS fieldA,
      SUM(IFNULL(SAFE_CAST(JSON_VALUE(json_payload.fieldB) AS INT64), 0)) AS sum_fieldB
    FROM
      `VIEW`
    WHERE
      JSON_VALUE(json_payload.server) = "test"
    GROUP BY
      fieldA;

    You can modify the query to remove duplicate log entries, where the log name, timestamp, and insert ID are examined to determine whether a log entry is a duplicate:

    WITH
      deduplicated AS (
      SELECT
        JSON_VALUE(json_payload.fieldA) AS fieldA,
        IFNULL(SAFE_CAST(JSON_VALUE(json_payload.fieldB) AS INT64), 0) AS fieldB
      FROM
        `VIEW` a
      WHERE
        JSON_VALUE(json_payload.server) = "test"
      QUALIFY
        ROW_NUMBER() OVER (PARTITION BY a.log_name, a.timestamp, a.insert_id) = 1 )
    SELECT
      fieldA,
      SUM(fieldB) AS sum_fieldB
    FROM
      deduplicated
    GROUP BY
      fieldA;
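The check described in step 1 can itself be run as a Log Analytics query. The following is an added example, not part of the original page: it lists the (log name, timestamp, insert ID) keys that occur more than once and reports how many distinct receive timestamps each key has. `VIEW` is the same placeholder used in the queries above, and the query assumes that the log view exposes the `receive_timestamp` column.

```sql
-- Added example: find duplicate log entries and compare their receive timestamps.
-- `VIEW` is a placeholder for your log view; the time range comes from the
-- time-range selector unless you add a WHERE clause on timestamp.
SELECT
  log_name,
  timestamp,
  insert_id,
  COUNT(*) AS copies,
  -- More than one distinct value here means the same data was written
  -- to Logging multiple times (step 1).
  COUNT(DISTINCT receive_timestamp) AS distinct_receive_timestamps,
  MIN(receive_timestamp) AS first_received,
  MAX(receive_timestamp) AS last_received
FROM
  `VIEW`
GROUP BY
  log_name,
  timestamp,
  insert_id
HAVING
  COUNT(*) > 1
ORDER BY
  copies DESC
LIMIT 100;
```

Keys where `distinct_receive_timestamps` is greater than 1 point to repeated writes from the logging integration; for the remaining keys, continue with the Cloud KMS quota and key-access checks in step 2.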


Last updated 2025-12-15 UTC.