Incorrect indice creation date

Hello,

I have an issue with the Index Rotation. My Graylog server automatically create a new Indice every day (Index rotation). But sometimes, the creation date entered in Elasticsearch is not correct. The date entered goes back several months before the real date of creation. This is not systematic, but it has happened several days in a row lately. This really bothers me because I use this date to take snapshots of the indexes.

Expected Behavior

The date display by this API request should look like this :
curl -X GET 'my-elastic.server.com:9200/_cat/indices?h=i,cds'
[...]
graylog_120 ... 2022-02-16T00:00:03.168Z
graylog_121 ... 2022-02-17T00:00:01.124Z
graylog_122 ... 2022-02-18T00:00:04.020Z
graylog_123 ... 2022-02-19T00:00:01.236Z
graylog_124 ... 2022-02-20T00:00:01.937Z
graylog_125 ... 2022-02-21T00:00:02.432Z
graylog_126 ... 2022-02-22T00:00:01.796Z
graylog_127 ... 2022-02-23T00:00:01.874Z

Current Behavior

They actually look like this :
graylog_120 ... 2021-11-10T08:36:50.168Z
graylog_121 ... 2021-11-10T08:36:51.124Z
graylog_122 ... 2021-11-10T08:36:51.020Z
graylog_123 ... 2021-11-10T08:36:50.236Z
graylog_124 ... 2021-11-10T08:36:50.937Z
graylog_125 ... 2022-02-21T09:19:38.432Z
graylog_126 ... 2021-11-10T08:36:47.796Z
graylog_127 ... 2022-02-21T09:19:43.874Z

Also, I noticed that the date was often the same, at very close times : 2021-11-10T08:36:XX.xxxZ

I use this creation date to make a snapshot of the indice created the day before. I use a script which do API request to do the snapshot, and then, I use third-party software to store it somewehre else.
Manual index rotation seems to work, but I'm not 100% sure.
There also seems to be the same problem with the snapshot creation date, which I use for monitoring.

My Environment

• 1 Elasticsearch Server :

  • Elasticsearch Version: 7.10.2
  • Operating System: Ubuntu 20.04.2

• 1 Graylog server :

  • Graylog Version: 4.2.6
  • Operating System: Ubuntu 20.04.2

Elasticsearch will create the index that is requested via the API call. So this is something that you will need to ask graylog.

Thank you for your reply,
however, I asked the same question on the Graylog forum and got the following answer:
"Graylog doesn't set the creation date of indices at index rotation. This is done automatically by ES."
(Index rotation : Index creation date incorrect · Issue #12183 · Graylog2/graylog2-server · GitHub)

It's correct that Elasticsearch does set the creation timestamp, and that timestamp is recorded when the request is received.

Where did the "Expected behaviour" output come from?

Ok, I understand. So what does it mean ? I suppose the request is sent every days, at midnight, so what is wrong.

Also, I invented the "Expected behavior" output from the few real results I got in the previous months. Here are some real output examples of correct creation date :

graylog_73 ... 2022-01-01T00:00:10.126Z
graylog_74 ... 2022-01-02T00:00:10.121Z
graylog_75 ... 2022-01-03T00:00:10.123Z
graylog_76 ... 2022-01-04T00:00:10.126Z
graylog_77 ... 2022-01-05T00:00:10.123Z
graylog_78 ... 2022-01-06T00:00:10.123Z

They look correct then?

No, what I mean is that sometimes the creation date is correct, and sometimes not:

graylog_80 ... 2022-01-08T00:00:10.121Z - CORRECT
graylog_81 ... 2022-01-09T00:00:18.193Z - CORRECT
graylog_82 ... 2022-01-10T00:00:10.125Z - CORRECT
graylog_83 ... 2022-01-11T00:00:10.126Z - CORRECT
graylog_84 ... 2022-01-12T00:00:00.313Z - CORRECT
graylog_85 ... 2022-01-11T00:00:18.666Z - INCORRECT
graylog_86 ... 2021-11-10T08:36:51.048Z - INCORRECT
graylog_87 ... 2021-11-10T08:36:50.856Z - INCORRECT
graylog_88 ... 2021-11-10T08:36:50.921Z - INCORRECT
graylog_89 ... 2022-01-17T00:00:10.127Z - CORRECT

But lately, they are mostly incorrect.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.