The unknown.unknown tag is one of the special tags that are not actually used to identify a specific kind of data. It is a catch-all tag that is applied to any message that is received by Devo with:
- An unrecognized tag
- A malformed tag
- No tag at all
Rather than reject improperly tagged events, Devo assigns the events the unknown.unknown tag, and saves the event to a file of the same name. This is done to avoid data loss and to aid in troubleshooting.
If you see this table in the Finder, it is a clear sign that some events are not being tagged correctly. You should review the contents of the table and investigate why the events are not tagged correctly. Because the event was not correctly tagged, Devo is unable to parse the event fields, so the event's message content is saved in a single column called message. The other columns in the unknown.unknown data table are:
- eventdate - when the event was received by Devo
- level - the event's syslog level
- hostchain - the event's source machine; both hostname and IP address if available
The combination of the information provided should help you identify the data source and take steps to correct the tagging problem.
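One way to turn those columns into a per-source worklist, shown as an added example that is not part of the Devo documentation. It assumes the unknown.unknown rows have been exported as CSV with the four column names listed above; the sample rows, the timestamp layout and the hostchain strings are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Assumes a CSV export with the four columns the page
# names; hostchain values are made up and treated as opaque strings because
# their exact layout is not described on the page.
SAMPLE_EXPORT = """eventdate,level,hostchain,message
2024-05-01 10:00:01,info,fw-edge-01 192.0.2.10,action=deny src=198.51.100.7 dst=192.0.2.20
2024-05-01 10:00:05,info,fw-edge-01 192.0.2.10,action=allow src=198.51.100.9 dst=192.0.2.21
2024-05-01 10:02:40,error,app-legacy 192.0.2.44,payment worker timeout after 30s
2024-05-01 10:07:13,info,fw-edge-01 192.0.2.10,action=deny src=198.51.100.7 dst=192.0.2.22
"""

def load(text):
    """Parse the exported CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def summarize_unknown(rows):
    """Group unknown.unknown rows by hostchain so each sender can be fixed."""
    by_source = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                     "levels": set(), "sample": None})
    for row in rows:
        s = by_source[row["hostchain"]]
        s["count"] += 1
        ts = row["eventdate"]  # assumed fixed-width, so string order = time order
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["levels"].add(row["level"])
        if s["sample"] is None:
            # Keep one truncated raw message as a hint to the log format.
            s["sample"] = row["message"][:80]
    # Noisiest sources first: they account for the most unparsed events.
    return sorted(by_source.items(), key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    for host, s in summarize_unknown(load(SAMPLE_EXPORT)):
        print(f"{host}: {s['count']} events, {s['first']} .. {s['last']}, "
              f"levels={sorted(s['levels'])}")
        print(f"    sample: {s['sample']}")
```

Sources at the top of the output are the ones whose events are currently stored unparsed in the largest volume, so fixing their tagging first restores the most parsed data.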