Unable to perform search query after 14 days

Hi All,

I am able to search logs up to 14 days in Graylog, but if I search for 30 days or 60 days it prompts a "could not execute search" error. Please help me to solve this problem.

Graylog version - 2.4.6
Elasticsearch - 5.6

Also, it sometimes works for 60 days or 30 days, but not always. I am not able to understand the exact reason why it's happening.

This is the search configuration on my Graylog.

A quick reply will be appreciated.
Thanks

Maybe look at the Elasticsearch logs? You should probably see a stacktrace.

Thanks for the reply @dadoonet
I didn't understand stacktrace? Can you please elaborate.

What do the Surrounding time range, Surrounding search filter fields and Disabled analysis fields options mean?

My current configuration is:

Is the configuration ok?

I don't know. You'd better ask on this project forum I believe.

Just look at the Elasticsearch logs.

Nothing unusual found in the Elasticsearch logs. Also, when I perform a search query over 14|30|60 days, I sometimes get:

The details message only prints: Unable to perform search query.

What does this error mean?

This is the Elasticsearch log that I received, but I don't think it's related to my query:

[2018-12-06T07:07:22,161][DEBUG][o.e.a.s.TransportSearchAction] [es-master03.mykaarma.com] [graylog_850][1], node[dkxlWA-BTuui0UvzZ_gf_A], [P], s[STARTED], a[id=tH_XQPPOSHmorm0hKcUQqw]: Failed to execute [SearchRequest{searchType=QUERY_THEN_FETCH, indices=[graylog_850, aws_pi_logs_13, batchjob_logs_66, batchjob_logs_78, infralogs_106], indicesOptions=IndicesOptions[id=38, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true], types=[message], routing='null', preference='null', requestCache=null, scroll=null, maxConcurrentShardRequests=20, batchedReduceSize=512, preFilterShardSize=64, source={
  "from" : 0,
  "query" : {
    "bool" : {
      "must" : [
        {
          "query_string" : {
            "query" : "project:BMW_DATA_DUMP AND endpoint:repairorder",
            "fields" : [ ],
            "use_dis_max" : true,
            "tie_breaker" : 0.0,
            "default_operator" : "or",
            "auto_generate_phrase_queries" : false,
            "max_determinized_states" : 10000,
            "allow_leading_wildcard" : false,
            "enable_position_increments" : true,
            "fuzziness" : "AUTO",
            "fuzzy_prefix_length" : 0,
            "fuzzy_max_expansions" : 50,
            "phrase_slop" : 0,
            "escape" : false,
            "split_on_whitespace" : true,
            "boost" : 1.0
          }
        }
      ],
      "filter" : [
        {
          "bool" : {
            "must" : [
              {
                "range" : {
                  "timestamp" : {
                    "from" : "2018-12-06 07:02:22.145",
                    "to" : "2018-12-06 07:07:22.145",
                    "include_lower" : true,
                    "include_upper" : true,
                    "boost" : 1.0
                  }
                }
              }
            ],
            "disable_coord" : false,
            "adjust_pure_negative" : true,
            "boost" : 1.0
          }
        }
      ],
      "disable_coord" : false,
      "adjust_pure_negative" : true,
      "boost" : 1.0
    }
  },
  "aggregations" : {
    "gl2_histogram" : {
      "date_histogram" : {
        "field" : "timestamp",
        "interval" : "1m",
        "offset" : 0,
        "order" : {
          "_key" : "asc"
        },
        "keyed" : false,
        "min_doc_count" : 0
      },
      "aggregations" : {
        "gl2_stats" : {
          "stats" : {
            "field" : "dealer_number"
          }
        }
      }
    }
  }
}}

If not, then from which location can I find the exact search query logs?

Thanks
