Cannot Aggregate Alert Logs

Hello everyone,

We are running Graylog version 3.2.4 on multiple nodes. Our problem is that the web interface hangs when I want to aggregate filter results on Alert Event Definitions.
Just filtering is fine, but if I click Aggregate the page gets stuck. I tried this in Chrome, Firefox and Safari, all with cleared cache.
Aggregation in search results works fine.
In Chrome I also started the Task Manager, and the tab's CPU usage exploded to 100%.
There is no error in the Graylog or Elasticsearch logs and no error in the browser debug console. The only thing is that Firefox wants to cancel the page and always stops at the naturalSort.js file.

Best Regards,
ARO

Maybe I found the problem… The problem is in sorting the message keys - in our Elasticsearch there are thousands of crypted keys.

The Syslog input automatically parses incoming messages and seems to parse them by `=` - the problem depends on messages with a URL and parameters, `url=/path/to/api?id=12345&z=csiwew` - the Syslog input parsed the URL parameters into key-value pairs in the Elasticsearch object. And now these messages will contain session keys as parameter keys…

In the Aggregate section of the Alert Definitions these keys are sorted using the NaturalSort function in client-side JavaScript - this takes a very long time, and the browser hangs here.

I tried to change the input from Syslog to plain message and copy the extractors - I have to wait until the old messages are dropped from ES…
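
An added example, not part of the original posts and not Graylog's code: a simplified Python model of the field explosion described above, where splitting on `=` turns URL query parameters into index fields, shown beside an extractor that keeps the URL as one field and indexes only allowlisted keys. The sample messages, the regex and the allowlist are assumptions constructed for illustration.

```python
import re

# Constructed sample payloads: a per-session token appears as a parameter *name*.
SAMPLE_MESSAGES = [
    "app=api status=200 url=/path/to/api?id=12345&a8f3c91d=1",
    "app=api status=200 url=/path/to/api?id=12346&7be02f44=1",
    "app=api status=404 url=/path/to/api?id=12347&c19d0e7a=1",
]

# Naive model: any key=value pair is a field; '?' and '&' end a value,
# so query parameters inside the URL become fields of their own.
KV_RE = re.compile(r"([\w.\-]+)=([^\s&?]*)")

# Assumed allowlist of fields that are worth indexing.
ALLOWED_FIELDS = {"app", "status", "url"}


def naive_kv_fields(message):
    """Every key=value pair becomes a field, including URL query parameters."""
    return dict(KV_RE.findall(message))


def safe_kv_fields(message):
    """Split on whitespace only, cut at the first '=', keep allowlisted keys.
    The URL, query string included, stays a single field value."""
    fields = {}
    for token in message.split():
        key, sep, value = token.partition("=")
        if sep and key in ALLOWED_FIELDS:
            fields[key] = value
    return fields


def distinct_field_names(messages, extractor):
    """Set of field names the index would accumulate over these messages."""
    names = set()
    for message in messages:
        names.update(extractor(message))
    return names


if __name__ == "__main__":
    naive = distinct_field_names(SAMPLE_MESSAGES, naive_kv_fields)
    safe = distinct_field_names(SAMPLE_MESSAGES, safe_kv_fields)
    # The naive count grows with every new session; the safe count stays fixed.
    print(len(naive), sorted(naive))
    print(len(safe), sorted(safe))
```

With the naive model the number of field names grows by one per session, which is the list the client-side sort then has to process; the allowlisted extractor also keeps session tokens out of the index's field names.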
