API - Search limits - Unable to perform search query

Hi,

I’m trying to produce searches using API calls through a JS App.

My function works partially as it encounters an ‘Unable to perform search query’ error for some searches:

{type: 'ApiError', message: 'Unable to perform search query'}

For the moment I suppose it is linked with the limit parameter, as it seems the failing requests are the ones that should be resulting in more than 1000 lines. The same requests work perfectly when tested directly from the Graylog interface.

However increasing the limit value does not resolve the problem. I’m working with Graylog 4.0.15+a7bed0d (Used the ova available).

The elasticsearch / graylog-server services do not print any log.

EDIT 1

I tested 5 searches with the js function:

  • 1st that should return 1024 lines → PASSED
  • 2nd that should return 7427 lines → FAILED
  • 3rd that should return 2963 lines → FAILED
  • 4th that should return 1260 lines → PASSED
  • 5th that should return 2605 lines → PASSED

All requests were tested with a limit=10000, range=0

I tested the same searches using the API testing interface

([Legacy/Search/Relative] : Message search) → [GET] /search/universal/absolute

With limit value undefined and range equals 0 and the search WORKED perfectly for any value :frowning:

EDIT 2

I compared my request generated by the JS function and the request generated by the API testing interface. When using exactly the same parameters:

The request from my JS function returns a response with 150 lines of content (the default limit, I guess?)

However, manually increasing the limit parameter seems to fail when the result content is higher than approximately 2605 - 2963 (on my instance)

Here is my js function:

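function search(query) {
    // Session token of an already authenticated Graylog user
    let sessionId = "72175d8b-fc70-43fd-8146-8beded5d212a";

    // URL-encode the search parameters (requires jQuery)
    let body = $.param({
        "query": query,
        "range": 0,
        "decorate": true
    });

    // Synchronous GET against the legacy relative search endpoint
    let xhttp = new XMLHttpRequest();
    xhttp.open("GET", "http://192.168.X.X:9000/api/search/universal/relative?" + body + "&limit=1000", false);
    // Session auth: the session id is the user name, the literal "session" is the password
    xhttp.setRequestHeader("Authorization", "Basic " + btoa(sessionId + ":session"));
    xhttp.setRequestHeader("X-Requested-By", "XXX");
    xhttp.setRequestHeader("Accept", "application/json");
    xhttp.send();

    // Parse the JSON body of the response
    return JSON.parse(xhttp.responseText);
}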

Hello @weird-oecophylla

If I understand this correctly, in the GL’s API browser when executing test on API call it works flawlessly and some of the API calls from App JS work but not all of them, hence “Unable to perform search query”? If this is correct this seems kind of odd.

When the API call fails how is this Graylog server acting, meaning is the journal full, resources high?

Hello @gsmith

It is not exactly the problem, the graylog service seems to be fine.

The problem is the limitation in number of lines returned for each search when using the API:

If you use the API with an external tool (JS App in my case), the number of lines as result will be limited to 150 by default.

You can fix the limit value manually. But: increasing the limit value does not work properly:

During my tests, I fixed the limit value to 10000 (fixing the value higher would lead to systemic failure of the searches)

As you can see in my first post, searches with more than 2605 lines in the results will fail.

However, if you test exactly the same API endpoint with the Api testing interface from graylog, you can keep the limit parameter undefined and graylog will give any unlimited results whatever the number of lines that should be returned (I tested a search that returned more than 6000 lines)

Hello,

I understand now.
My apologies I’m really tired, I should have paid more attention.
Couple of questions.

Was this only test made from JS App, and have you tried something else besides JS App to see if you get the same results?

If there isn’t a problem with Graylog API calls from the API browser but there is a problem sending API calls externally, even though you increase the limit, which in turn created a failure, perhaps this might be a bug in that version.

You could post this question using the link below, most of the devs will see it.

First, some precision: during my test on the API testing interface I did not set the limit value and misunderstood the JSON result: I had a “total_result” of about 5000, but the size of the response was at its default value (150). (Testing the API interface with limits above 3000 can’t be done because the browser would crash because of a lack of resources, I guess.)

I tested the same requests with Postman and I did not get exactly the same behavior:

The first time I used Postman I could not get more results (field “size” in the JSON result), but I did not get the same error!
I got the error “Error: Maximum response size reached”. So I increased the limit to 1000MB and then I could get many more results: up to a 5000-sized JSON result!

However, the same behavior is back once I try to get more than an approximately 5000-sized JSON result.

This means the limits I encountered when using my JS App could be increased (certainly by modifying the accepted size of the result).

But the problem keeps running for values above 5000 lines.

Hello,

So when 5000 JSON requests is reached you get “Unable to perform search query”? I believe anytime a query is performed this would be done by Elasticsearch. I haven’t done an API call in a while but I have received this error before. It was either a configuration in my Index template settings or resources.

As for

I assume you are trying to limit the amount of requests below 5000?

@weird-oecophylla to be honest, you have gone beyond my scope of knowledge on this issue. Unfortunately I don’t have a setup in my lab to test this out for you, but I did notice something similar to this situation in the forum. Perhaps it might help.

I fired up another VM to do some testing to mimic what you have done.
Does this look familiar?

On Graylog’s API Browser.

https://graylog.domain.com:9000/api/search/universal/relative?query=messages&range=0&decorate=true

Search Query Settings

{
  "query": "messages",
  "built_query": "{\"from\":0,\"size\":150,\"query\":{\"bool\":{\"must\":[{\"query_string\":{\"query\":\"messages\",\"fields\":[],\"type\":\"best_fields\",\"default_operator\":\"or\",\"max_determinized_states\":10000,\"allow_leading_wildcard\":true,\"enable_position_increments\":true,\"fuzziness\":\"AUTO\",\"fuzzy_prefix_length\":0,\"fuzzy_max_expansions\":50,\"phrase_slop\":0,\"escape\":false,\"auto_generate_synonyms_phrase_query\":true,\"fuzzy_transpositions\":true,\"boost\":1.0}}],\"filter\":[{\"bool\":{\"must\":[{\"range\":{\"timestamp\":{\"from\":\"1970-01-01 00:00:00.000\",\"to\":\"2022-05-13 22:33:27.765\",\"include_lower\":true,\"include_upper\":true,\"boost\":1.0}}}],\"adjust_pure_negative\":true,\"boost\":1.0}}],\"adjust_pure_negative\":true,\"boost\":1.0}},\"sort\":[{\"timestamp\":{\"order\":\"desc\"}}],\"track_total_hits\":2147483647}", 
    

Results

"time": 2967,
  "total_results": 529786,
  "from": "1970-01-01T00:00:00.000Z",
  "to": "2022-05-13T22:33:27.765Z",
  "decoration_stats": null
}

Response header

{"Content-Encoding":"gzip","Content-Type":"application/json","Transfer-Encoding":"chunked","X-Graylog-Node-Id":"8e947fe4-fe2a-48a3-9f2c-786652326c9a","X-Runtime-Microseconds":"3106510"}
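
The `built_query` above shows the request arriving at Elasticsearch as `"from":0,"size":150`. As an added example (not code from any poster in this thread or from the Graylog project), here is one way to fetch a large result set in fixed-size pages instead of one oversized `limit`. It assumes the legacy endpoint's `offset` query parameter and the `messages` array in the response, neither of which appears in the thread; `graylog.example` in the test and the helper names are hypothetical.

```javascript
// Added example: page through a Graylog legacy search instead of raising `limit`.
// Assumptions (not from the thread): the `offset` parameter, the `messages` array.

function buildSearchUrl(baseUrl, query, range, limit, offset) {
  const params = new URLSearchParams({
    query,
    range: String(range),
    decorate: "true",
    limit: String(limit),   // shows up as "size" in built_query
    offset: String(offset), // shows up as "from" in built_query
  });
  return `${baseUrl}/api/search/universal/relative?${params}`;
}

// getJson(url) must resolve to the parsed JSON body. It is injected so the
// paging logic can be exercised without a live server. maxMessages defaults to
// 10000, Elasticsearch's default index.max_result_window for from + size.
async function searchAll(getJson, baseUrl, query, range = 0, pageSize = 500, maxMessages = 10000) {
  const messages = [];
  let total = Infinity;
  while (messages.length < Math.min(total, maxMessages)) {
    const url = buildSearchUrl(baseUrl, query, range, pageSize, messages.length);
    const page = await getJson(url);
    total = page.total_results;
    // Stop on an empty or malformed page so a bad response cannot loop forever.
    if (!Array.isArray(page.messages) || page.messages.length === 0) break;
    messages.push(...page.messages);
  }
  return { total, messages: messages.slice(0, maxMessages) };
}

// Real transport using the thread's session-token scheme (hypothetical helper).
// The session id is passed in by the caller rather than hard-coded.
function graylogGetJson(sessionId) {
  return async (url) => {
    const res = await fetch(url, {
      headers: {
        Authorization: "Basic " + btoa(sessionId + ":session"),
        "X-Requested-By": "XXX",
        Accept: "application/json",
      },
    });
    if (!res.ok) throw new Error(`Graylog returned HTTP ${res.status}`);
    return res.json();
  };
}
```

Results are sorted newest first and a relative range is re-evaluated on every request, so messages arriving mid-run shift the offsets; the `/search/universal/absolute` endpoint named earlier in the thread, called with a fixed time window, keeps pages stable.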
