Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Search query fails with large number of indices #4054
Graylog (or rather Jest) is sending HTTP requests with a large initial line (URI path and query string) to the Elasticsearch HTTP API if a large number of indices is included in the search query (e. g. when searching in "All messages").
Search queries covering a lot of indices should work.
Search queries covering a lot of indices fail with an internal server error (HTTP 500) and produce an error message in the Elasticsearch logs:
Patch Jest to send index names in the POST body.
Steps to Reproduce (for bugs)
I think we should check the length of the URL and use
The only drawback which comes to mind is that we might touch more indices than needed. This might be an issue with older Elasticsearch versions because of fielddata loading, but shouldn't be an issue with Elasticsearch 5. (AFAIK)
Increasing an Elasticsearch setting, which requires an Elasticsearch restart, as a workaround until we have a proper fix is okay, but this is not really a solution in my opinion. Since this is HTTP, there might be proxies in between Graylog and ES which might not support this limit. (mentioned by @kroepke)