When I hit “Export as CSV” then I right click the Download link and hit “Save Link As” - this is what Graylog instructs you to do.
The download starts in my browser (I use Chrome) and then a second later it says “Failed - Network Error”. I’ve tried Firefox and IE as well.
At the same time graylog-server.log shows “2019-06-05T15:24:54.386-04:00 WARN [SearchResource] [759019c147fc9f34ff7bd13bcb32b9a7] Could not close chunked output stream for query scroll.”
This happens if I try to export 1 day of data, or 100 days. Any suggestions how to troubleshoot this?
you might want to lower the time and check if it works if you use only a 5 minutes …
It does play a role how much data you try to export in this way, a little more inside is possible if you check your elasticsearch log.
I guess that the output is generating something like out-of-memory error or similar.
Thanks Jan, your input is always appreciated. Some notes:
7 days (6814 messages) exports okay, the file size is 437KB.
14 days (13946 messages) exports okay - but takes really long, it seems to send in 400KB chunks - as I watch chrome download chunk by chunk. 1580KB in total. There has to be a better way!
30 days (29610 messages) causes Chrome to say “Failed - Network error”.
Graylog-server.log shows “Could not close chunked output stream for query scroll” and Elastic-search.log shows nothing.
Note this machine is fairly powerful with 64GB of ram, only 13GB of it is being used. I am running Graylog v2.4 with Elastic Search v2.3 (we have plans to upgrade both soon but can’t rush it just to solve this current issue).
Is it possible everyone has this same CSV export problem - but it is so very rarely used so nobody is reporting the issue? Can anyone confirm they are able to export 30,000+ records to CSV?
These queries are such small amounts of data as far as I am concerned. There is not much point collecting all these logs if we can’t properly access them when they are needed.
Jan, any suggestions on how to proceed? Are there any settings I can tweak? Maybe Elastic search has a debug mode that will log more information? Any suggestions are welcomed!
you run a quite old ES Version - I do not have that Version with data so I can’t check if that might be some issue with that version.
My advice would be to make at least the move to the latest 2.x version … Because that combination of Graylog and Elasticsearch is something we did not test.
Before the move to the HTTP Client to Elasticsearch we had this table to Elasticsearch Versions that work with Graylog:
