Unable to perform search query after 14 days


(Tafsir Alam) #1

Hi All,

I am able to search logs for up to 14 days in Graylog, but if I search for 30 days or 60 days it prompts a "could not execute search" error. Please help me solve this problem.

Graylog version - 2.4.6
Elasticsearch - 5.6

Also, it sometimes works for 60 days or 30 days, but not always. I am not able to understand the exact reason why it's happening.

This is the search configuration on my Graylog.

Quick reply will be appreciated.
Thanks


(David Pilato) #2

Maybe look at the Elasticsearch logs? You should probably see a stack trace.


(Tafsir Alam) #3

Thanks for the reply @dadoonet
I didn't understand "stack trace". Can you please elaborate?


(Tafsir Alam) #4

What do the "surrounding time-range", "surrounding search filter fields" and "disabled analysis fields" options mean?

My current configuration is:

Is the configuration ok?


(David Pilato) #5

I don't know. You'd better ask on that project's forum, I believe.


(David Pilato) #6

Just look at the Elasticsearch logs.


(Tafsir Alam) #7

Nothing unusual found in the Elasticsearch logs. Also, when I perform a search query over 14|30|60 days, I sometimes get:

The details message only prints: Unable to perform search query.

What does this error mean?

Elasticsearch log that I received, but I don't think it's related to my query:

[2018-12-06T07:07:22,161][DEBUG][o.e.a.s.TransportSearchAction] [es-master03.mykaarma.com] [graylog_850][1], node[dkxlWA-BTuui0UvzZ_gf_A], [P], s[STARTED], a[id=tH_XQPPOSHmorm0hKcUQqw]: Failed to execute [SearchRequest{searchType=QUERY_THEN_FETCH, indices=[graylog_850, aws_pi_logs_13, batchjob_logs_66, batchjob_logs_78, infralogs_106], indicesOptions=IndicesOptions[id=38, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true], types=[message], routing='null', preference='null', requestCache=null, scroll=null, maxConcurrentShardRequests=20, batchedReduceSize=512, preFilterShardSize=64, source={
  "from" : 0,
  "query" : {
    "bool" : {
      "must" : [
        {
          "query_string" : {
            "query" : "project:BMW_DATA_DUMP AND endpoint:repairorder",
            "fields" : [ ],
            "use_dis_max" : true,
            "tie_breaker" : 0.0,
            "default_operator" : "or",
            "auto_generate_phrase_queries" : false,
            "max_determinized_states" : 10000,
            "allow_leading_wildcard" : false,
            "enable_position_increments" : true,
            "fuzziness" : "AUTO",
            "fuzzy_prefix_length" : 0,
            "fuzzy_max_expansions" : 50,
            "phrase_slop" : 0,
            "escape" : false,
            "split_on_whitespace" : true,
            "boost" : 1.0
          }
        }
      ],
      "filter" : [
        {
          "bool" : {
            "must" : [
              {
                "range" : {
                  "timestamp" : {
                    "from" : "2018-12-06 07:02:22.145",
                    "to" : "2018-12-06 07:07:22.145",
                    "include_lower" : true,
                    "include_upper" : true,
                    "boost" : 1.0
                  }
                }
              }
            ],
            "disable_coord" : false,
            "adjust_pure_negative" : true,
            "boost" : 1.0
          }
        }
      ],
      "disable_coord" : false,
      "adjust_pure_negative" : true,
      "boost" : 1.0
    }
  },
  "aggregations" : {
    "gl2_histogram" : {
      "date_histogram" : {
        "field" : "timestamp",
        "interval" : "1m",
        "offset" : 0,
        "order" : {
          "_key" : "asc"
        },
        "keyed" : false,
        "min_doc_count" : 0
      },
      "aggregations" : {
        "gl2_stats" : {
          "stats" : {
            "field" : "dealer_number"
          }
        }
      }
    }
  }
}}

If not, then in which location can I find the exact search query logs?

Thanks
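The DEBUG line quoted in post #7 is the most useful artifact in this thread: it records exactly which indices Elasticsearch fanned the request out to, the `timestamp` range filter Graylog sent, and the `date_histogram` interval it asked for. The script below is an added example, not code from the thread or from Graylog/Elasticsearch, that parses a line of that format and derives the time span and the number of histogram buckets the request implies. That bucket count is one quantity worth knowing when a search over a long range fails while a short one succeeds (60 days at a 1-minute interval is 86,400 buckets), though the thread does not establish that this is the cause here. The `SAMPLE_LOG` below is a constructed, shortened copy of the line from post #7 with the hostname replaced; all function names are this example's own.

```python
import json
import math
import re
from datetime import datetime
from typing import Any, Dict, Iterator, List

# Constructed sample: the TransportSearchAction DEBUG line from the thread, with the
# JSON "source" compacted to the parts used below and the hostname replaced.
SAMPLE_LOG = (
    "[2018-12-06T07:07:22,161][DEBUG][o.e.a.s.TransportSearchAction] "
    "[es-master03.example] [graylog_850][1], node[dkxlWA-BTuui0UvzZ_gf_A], [P], s[STARTED], "
    "a[id=tH_XQPPOSHmorm0hKcUQqw]: Failed to execute [SearchRequest{searchType=QUERY_THEN_FETCH, "
    "indices=[graylog_850, aws_pi_logs_13, batchjob_logs_66, batchjob_logs_78, infralogs_106], "
    "indicesOptions=IndicesOptions[id=38, ignore_unavailable=false], types=[message], "
    "routing='null', preference='null', requestCache=null, scroll=null, "
    "maxConcurrentShardRequests=20, batchedReduceSize=512, preFilterShardSize=64, source="
    '{"from": 0, "query": {"bool": {"must": [{"query_string": {"query": '
    '"project:BMW_DATA_DUMP AND endpoint:repairorder"}}], "filter": [{"bool": {"must": [{"range": '
    '{"timestamp": {"from": "2018-12-06 07:02:22.145", "to": "2018-12-06 07:07:22.145", '
    '"include_lower": true, "include_upper": true}}}]}}]}}, "aggregations": {"gl2_histogram": '
    '{"date_histogram": {"field": "timestamp", "interval": "1m", "min_doc_count": 0}, '
    '"aggregations": {"gl2_stats": {"stats": {"field": "dealer_number"}}}}}}}'
)

# Timestamp format Graylog uses inside the range filter (see the sample line).
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
INTERVAL_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def interval_to_seconds(interval: str) -> int:
    """Convert a date_histogram interval such as '1m' or '2h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw])", interval)
    if not m:
        raise ValueError(f"unsupported interval: {interval!r}")
    return int(m.group(1)) * INTERVAL_SECONDS[m.group(2)]


def histogram_buckets(span_seconds: float, interval: str) -> int:
    """Number of buckets a date_histogram produces for a span at the given interval."""
    return math.ceil(span_seconds / interval_to_seconds(interval))


def _find(obj: Any, key: str) -> Iterator[Any]:
    """Yield every value stored under `key` anywhere in a nested dict/list structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from _find(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from _find(item, key)


def parse_search_log(line: str) -> Dict[str, Any]:
    """Extract target indices, the range filter and the histogram interval from one DEBUG line."""
    m = re.search(r"indices=\[([^\]]*)\]", line)
    indices: List[str] = [i.strip() for i in m.group(1).split(",")] if m else []
    pos = line.find("source=")
    if pos < 0:
        raise ValueError("no source= section in line")
    # raw_decode parses exactly one JSON object and ignores the trailing '}' of SearchRequest{.
    source, _ = json.JSONDecoder().raw_decode(line[line.index("{", pos):])
    range_spec = next(_find(source, "range"))  # {"timestamp": {"from": ..., "to": ...}}
    field, bounds = next(iter(range_spec.items()))
    start = datetime.strptime(bounds["from"], TS_FORMAT)
    end = datetime.strptime(bounds["to"], TS_FORMAT)
    span = (end - start).total_seconds()
    hist = next(_find(source, "date_histogram"), None)
    interval = hist["interval"] if hist else None
    return {
        "indices": indices,
        "range_field": field,
        "from": bounds["from"],
        "to": bounds["to"],
        "span_seconds": span,
        "interval": interval,
        "buckets": histogram_buckets(span, interval) if interval else 0,
    }


if __name__ == "__main__":
    info = parse_search_log(SAMPLE_LOG)
    print(json.dumps(info, indent=2))
    # Same interval, longer ranges: what the histogram would have to produce.
    for days in (14, 30, 60):
        print(f"{days} days at {info['interval']}: {histogram_buckets(days * 86400, info['interval'])} buckets")
```

Run it against your own `TransportSearchAction` DEBUG lines (the ones logged as "Failed to execute") to see which indices each failing search touched and how wide the range was; comparing a failing 60-day line with a working 14-day one is a quicker way to narrow the problem than reading the raw JSON.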