Absolute and relative time spans give different results #1572

Closed
mstipanov opened this Issue Nov 18, 2015 · 9 comments

6 participants

mstipanov commented Nov 18, 2015

When I search using relative time, I'm getting results, but when I switch to absolute I get nothing :(

I'm using v1.2.2

zhka commented Nov 18, 2015

I also encountered this problem.
Non-relative queries return bad results for 3 hours after a new index is created. I'm using:

POST /system/indices/ranges/rebuild

to temporarily fix the problem after each index rotation.

zhka commented Nov 18, 2015

The problem is with range recalculation for a new index (without data).
Ranges after creating a new index (in MongoDB):

```
{
  "_id" : ObjectId("564c78af84ae94264062b50b"),
  "index_name" : "graylog2_146",
  "took_ms" : 125,
  "begin" : NumberLong(0),
  "end" : NumberLong(0),
  "calculated_at" : NumberLong("1447852207488")
}
```

and after running "POST /system/indices/ranges/rebuild":

```
{
  "_id" : ObjectId("564c7d9e84ae94264062ba86"),
  "index_name" : "graylog2_146",
  "took_ms" : 12,
  "begin" : NumberLong("1447852205000"),
  "end" : NumberLong("1447864167000"),
  "calculated_at" : NumberLong("1447853470338")
}
```

Contributor

joschi commented Nov 18, 2015

@zhka What you've posted is the default index range for a newly created index, e.g. when indices are being rotated. As long as the index is the current target of the deflector alias ("graylog_deflector"), that's fine as it's always included in search queries.

drewmmiranda commented Nov 18, 2015

Any ideas on how we can help provide troubleshooting data? This continues to be a pain point. I'm looking to expand our use of alerts and would like the recipients of the emails to be able to click on the alert URL and see the messages relevant for that time period. Right now this does not work correctly. Any ideas or leads on this? Much appreciated!

rrtj3 commented Dec 2, 2015

We're on 1.2.2 and having the same issue. Relative searches work fine but absolute searches return nothing. Rebuilding the indexes fixes it for a short time. Sometimes minutes, sometimes hours. We haven't been able to see a pattern yet. We use time-based rotation, 8h per index, with a retention_strategy of delete.

onyxmaster commented Jan 10, 2016

Same here, relative search works, absolute doesn't (at least for the last 8 hours with large traffic).

onyxmaster commented Jan 10, 2016

I believe this should be a very important case because it leads to missing (at least from the query point of view) data. Almost anything can be tolerated, except this.

onyxmaster commented Jan 10, 2016

It appears that the problem lies in filtering the current index. When I select the absolute time range that lies entirely within the current index, everything is found properly. But when the range intersects the current index and the previous one, only data from the previous index is found.
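Added example, not part of the thread and not Graylog's code: a simplified model of range-based index selection, showing what the 0/0 range posted earlier means for an absolute search spanning the previous and the current index, plus a check for empty ranges that are not covered by the deflector target. The index graylog2_145, its range, the query window and all function names are assumptions; the graylog2_146 values are the ones posted in the thread.

```python
# Simplified model of picking indices by stored index range.
# Assumption: an index is searched when its [begin, end] range overlaps the
# query window, or when it is the current deflector target.

# Constructed sample data. graylog2_145 is made up; graylog2_146 uses the
# begin/end values from the two MongoDB documents posted in the thread.
PREVIOUS = {"index_name": "graylog2_145",
            "begin": 1447823405000, "end": 1447852204000}
RANGES_AFTER_ROTATION = [
    PREVIOUS,
    {"index_name": "graylog2_146", "begin": 0, "end": 0},
]
RANGES_AFTER_REBUILD = [
    PREVIOUS,
    {"index_name": "graylog2_146",
     "begin": 1447852205000, "end": 1447864167000},
]


def overlaps(index_range, start_ms, end_ms):
    """True when the stored range intersects the query window."""
    return index_range["begin"] <= end_ms and index_range["end"] >= start_ms


def indices_for_range(ranges, start_ms, end_ms, deflector_target=None):
    """Indices an absolute search over [start_ms, end_ms] would query."""
    selected = {r["index_name"] for r in ranges
                if overlaps(r, start_ms, end_ms)}
    if deflector_target is not None:
        selected.add(deflector_target)  # the write index is always included
    return sorted(selected)


def empty_ranges_not_covered(ranges, deflector_target):
    """Indices with a 0/0 range that are not the deflector target.

    In this model such an index is invisible to every absolute search
    until its range is recalculated.
    """
    return [r["index_name"] for r in ranges
            if r["begin"] == 0 and r["end"] == 0
            and r["index_name"] != deflector_target]


if __name__ == "__main__":
    window = (1447850000000, 1447853000000)  # spans both indices
    print(indices_for_range(RANGES_AFTER_ROTATION, *window))
    print(indices_for_range(RANGES_AFTER_ROTATION, *window, "graylog2_146"))
    print(empty_ranges_not_covered(RANGES_AFTER_ROTATION, "graylog2_147"))
```

For anyone relying on absolute-range searches or alert links for investigations, a non-empty result from `empty_ranges_not_covered` is a signal that search results for that period may be incomplete.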

Contributor

joschi commented Jan 11, 2016

Related to #1672 (and will be fixed in Graylog 1.3.3).

@joschi joschi closed this Jan 11, 2016

@joschi joschi added this to the 1.3.3 milestone Jan 11, 2016

@joschi joschi added the bug label Jan 11, 2016

@joschi joschi self-assigned this Jan 11, 2016
