Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Search with absolute-time shows no message, relative shows them #1672

Closed
gruselglatz opened this issue Jan 7, 2016 · 4 comments
Closed

Search with absolute-time shows no message, relative shows them #1672

gruselglatz opened this issue Jan 7, 2016 · 4 comments
Assignees
Labels
Milestone

Comments

@gruselglatz
Copy link

@gruselglatz gruselglatz commented Jan 7, 2016

Hi,

When i perform a search with absolute time-stamps it shows a found messages value but didn't display anything. Only with relative time-stamps i get the messages.

It looks like i can only get the messages out of the last closed index.
http://i.imgur.com/6AnvTF6.png http://i.imgur.com/v1EXGhT.png

System:
Graylog 1.3.2 (e7c49b6) (Hansa)

@gruselglatz gruselglatz changed the title Search with absolute-time shows no message, relative shows it Search with absolute-time shows no message, relative shows them Jan 7, 2016
@joschi
Copy link
Contributor

@joschi joschi commented Jan 7, 2016

@renapu Could you please post the list of used indices for both query types?

@gruselglatz
Copy link
Author

@gruselglatz gruselglatz commented Jan 7, 2016

relative 1d : graylog_175, graylog_186, graylog_185
absolute 2016-01-06 00:00:00.000 +01:00 - 2016-01-07 09:31:00.000 +01:00 : graylog_175, graylog_184, graylog_185

@joschi
Copy link
Contributor

@joschi joschi commented Jan 7, 2016

@renapu Thanks! Could you additionally please provide the calculated index ranges for those indices? You can retrieve that information from MongoDB with the following commands in the MongoDB shell:

# mongo
> use graylog
switched to db graylog
> db.index_ranges.find({"index_name":"graylog_175"})
> db.index_ranges.find({"index_name":"graylog_184"})
> db.index_ranges.find({"index_name":"graylog_185"})
> db.index_ranges.find({"index_name":"graylog_186"})
@gruselglatz
Copy link
Author

@gruselglatz gruselglatz commented Jan 7, 2016

> use graylog
switched to db graylog
> db.index_ranges.find({"index_name":"graylog_175"})
{ "_id" : ObjectId("5685c187e4b02c37e48c2de6"), "index_name" : "graylog_175", "took_ms" : 1996, "calculated_at" : NumberLong("1451606405439"), "end" : NumberLong("1483225196000"), "begin" : NumberLong("1420066801000") }
> db.index_ranges.find({"index_name":"graylog_184"})
{ "_id" : ObjectId("568c5904e4b0820104b2b4ff"), "index_name" : "graylog_184", "took_ms" : 4352, "begin" : NumberLong("1451975412000"), "end" : NumberLong("1452038404936"), "calculated_at" : NumberLong("1452038400421") }
> db.index_ranges.find({"index_name":"graylog_185"})
{ "_id" : ObjectId("568daa84e4b0820104b422dc"), "index_name" : "graylog_185", "took_ms" : 4066, "begin" : NumberLong("1452038315000"), "end" : NumberLong("1452124808842"), "calculated_at" : NumberLong("1452124800492") }
> db.index_ranges.find({"index_name":"graylog_186"})
{ "_id" : ObjectId("568daa80e4b0820104b422d5"), "index_name" : "graylog_186", "took_ms" : 0, "begin" : NumberLong(0), "end" : NumberLong(0), "calculated_at" : NumberLong("1452124800493") }
@joschi joschi added the bug label Jan 8, 2016
@joschi joschi self-assigned this Jan 8, 2016
@joschi joschi added this to the 1.x milestone Jan 8, 2016
joschi pushed a commit that referenced this issue Jan 8, 2016
The index range of the deflector target index can't be calculated until the index
has been rotated, so a dummy range is being used. For this reason, the latest index
*always* has to be included in searches and not only in the case of searches with
relative time range.

Fixes #1672
@bernd bernd closed this in 34ed737 Jan 11, 2016
@joschi joschi modified the milestones: 1.3.3, 1.x Jan 11, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants