Search with absolute-time shows no message, relative shows them #1672

Closed
gruselglatz opened this Issue Jan 7, 2016 · 4 comments

gruselglatz commented Jan 7, 2016

Hi,

When I perform a search with absolute time-stamps it shows a found messages value but doesn't display anything. Only with relative time-stamps do I get the messages.

It looks like I can only get the messages out of the last closed index.
http://i.imgur.com/6AnvTF6.png http://i.imgur.com/v1EXGhT.png

System:
Graylog 1.3.2 (e7c49b6) (Hansa)

@gruselglatz gruselglatz changed the title from Search with absolute-time shows no message, relative shows it to Search with absolute-time shows no message, relative shows them Jan 7, 2016

Contributor

joschi commented Jan 7, 2016

@renapu Could you please post the list of used indices for both query types?

gruselglatz commented Jan 7, 2016

relative 1d : graylog_175, graylog_186, graylog_185
absolute 2016-01-06 00:00:00.000 +01:00 - 2016-01-07 09:31:00.000 +01:00 : graylog_175, graylog_184, graylog_185

Contributor

joschi commented Jan 7, 2016

@renapu Thanks! Could you additionally please provide the calculated index ranges for those indices? You can retrieve that information from MongoDB with the following commands in the MongoDB shell:

# mongo
> use graylog
switched to db graylog
> db.index_ranges.find({"index_name":"graylog_175"})
> db.index_ranges.find({"index_name":"graylog_184"})
> db.index_ranges.find({"index_name":"graylog_185"})
> db.index_ranges.find({"index_name":"graylog_186"})

gruselglatz commented Jan 7, 2016

> use graylog
switched to db graylog
> db.index_ranges.find({"index_name":"graylog_175"})
{ "_id" : ObjectId("5685c187e4b02c37e48c2de6"), "index_name" : "graylog_175", "took_ms" : 1996, "calculated_at" : NumberLong("1451606405439"), "end" : NumberLong("1483225196000"), "begin" : NumberLong("1420066801000") }
> db.index_ranges.find({"index_name":"graylog_184"})
{ "_id" : ObjectId("568c5904e4b0820104b2b4ff"), "index_name" : "graylog_184", "took_ms" : 4352, "begin" : NumberLong("1451975412000"), "end" : NumberLong("1452038404936"), "calculated_at" : NumberLong("1452038400421") }
> db.index_ranges.find({"index_name":"graylog_185"})
{ "_id" : ObjectId("568daa84e4b0820104b422dc"), "index_name" : "graylog_185", "took_ms" : 4066, "begin" : NumberLong("1452038315000"), "end" : NumberLong("1452124808842"), "calculated_at" : NumberLong("1452124800492") }
> db.index_ranges.find({"index_name":"graylog_186"})
{ "_id" : ObjectId("568daa80e4b0820104b422d5"), "index_name" : "graylog_186", "took_ms" : 0, "begin" : NumberLong(0), "end" : NumberLong(0), "calculated_at" : NumberLong("1452124800493") }

@joschi joschi added the bug label Jan 8, 2016

@joschi joschi self-assigned this Jan 8, 2016

@joschi joschi added this to the 1.x milestone Jan 8, 2016

joschi added a commit that referenced this issue Jan 8, 2016

Always include index range of deflector target index
The index range of the deflector target index can't be calculated until the index
has been rotated, so a dummy range is being used. For this reason, the latest index
*always* has to be included in searches and not only in the case of searches with
relative time range.

Fixes #1672

@bernd bernd closed this in 34ed737 Jan 11, 2016

@joschi joschi modified the milestones: 1.3.3, 1.x Jan 11, 2016
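
The index selection discussed in this thread, as an added example (not Graylog's code and not part of the original issue). It uses the range values posted above and assumes a plain overlap test between the stored range and the query window; the function names and the `alwaysIncludeTarget` flag are hypothetical.

```javascript
// Added illustration, not Graylog source code. Range values are copied from the
// db.index_ranges output in this thread; all function names are hypothetical.
const indexRanges = [
  { index_name: "graylog_175", begin: 1420066801000, end: 1483225196000 },
  { index_name: "graylog_184", begin: 1451975412000, end: 1452038404936 },
  { index_name: "graylog_185", begin: 1452038315000, end: 1452124808842 },
  // Deflector target: not rotated yet, so only a dummy 0/0 range is stored.
  { index_name: "graylog_186", begin: 0, end: 0 },
];

// Assumption: an index is searched when its stored range overlaps the window.
function overlaps(range, from, to) {
  return range.begin <= to && range.end >= from;
}

// alwaysIncludeTarget models the behaviour described in the commit message.
function affectedIndices(ranges, from, to, deflectorTarget, alwaysIncludeTarget) {
  const selected = ranges
    .filter((r) => overlaps(r, from, to))
    .map((r) => r.index_name);
  if (alwaysIncludeTarget && !selected.includes(deflectorTarget)) {
    selected.push(deflectorTarget);
  }
  return selected.sort();
}

// Stored ranges that can never match a time window under the overlap test.
function dummyRanges(ranges) {
  return ranges.filter((r) => r.begin === 0 && r.end === 0).map((r) => r.index_name);
}

// The absolute window from the report, converted to epoch milliseconds.
const from = Date.parse("2016-01-06T00:00:00.000+01:00");
const to = Date.parse("2016-01-07T09:31:00.000+01:00");

function demo() {
  return {
    // Absolute search without the target index: the newest messages are skipped.
    before: affectedIndices(indexRanges, from, to, "graylog_186", false),
    after: affectedIndices(indexRanges, from, to, "graylog_186", true),
    // Assumption: the relative 1d search ran at the end of the absolute window.
    relative: affectedIndices(indexRanges, to - 86400000, to, "graylog_186", true),
    dummy: dummyRanges(indexRanges),
  };
}

console.log(demo());
```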
