Configure index.max_result_window

Hi,

I would like to present Graylog results in Microsoft Power BI.
For that, I need a larger max_result_window than the default.
I tried to change the setting in elasticsearch.yml, but with the new version of Elasticsearch it’s forbidden.

I found these topics:


It seems that we need to work with a Graylog template… but I’m not an expert… so I am a little bit lost.

Can someone help me, please?

Hi, I followed this post which worked for me. https://stackoverflow.com/questions/35206409/elasticsearch-2-1-result-window-is-too-large-index-max-result-window - essentially
curl -XPUT "http://[server]:9200/_settings" -d '{ "index" : { "max_result_window" : 50000 } }'

Hello,

Thanks for the reply.
I run:
curl -XPUT 'http://xx.xx.xx.x:9200/_settings' -d '{ "index" : { "max_result_window" : 5000000 } }' ==> {"acknowledged":true}

So… from the REST API browser / Search/Relative: Message search, I put my request: query: 307; range: 2592000; Limit: 5000000.

==> Response Body:

Internal Server Error

Reason

java.lang.OutOfMemoryError: Java heap space


Too many results?
For information, when I run this search in the web interface, I get:
“186,219 messages in 48 ms, searched in 3 indices”

The result does not fit into the heap - e.g. you can’t query that much at once.

Hello Jan,

Thanks for the answer.

What can you advise me?

I put the context:
Graylog is used to log and count all print jobs of the print servers.
We would like to use Power BI to visualise and analyse all print logs from Graylog.
Requests from Power BI via the API work, but on a small time slot.
Requests for a month give me the previous error.

I read that “Scroll” or “Search After” can maybe help me.
Do you know this API?
Have you already used them?

Yes, Graylog uses them.

Did you query the Graylog API or the Elasticsearch API?

I use the Graylog REST API browser:
http://x.x.x.x:9000/api/search/universal/relative?query=307&range=3600&limit=5000000&decorate=true

How can I use the Elasticsearch API?
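
The Scroll API mentioned in this thread, shown as an added example that is not from any of the posters or from Graylog: it queries Elasticsearch directly and exports matches in fixed-size pages, so no single response has to hold every hit in heap and `max_result_window` can stay at its default. The `localhost:9200` address, the `graylog_*` index pattern (Graylog's default index prefix) and the helper names are assumptions.

```python
import json
import urllib.request

ES_URL = "http://localhost:9200"  # assumption: placeholder Elasticsearch address


def http_call(method, path, body):
    """Send one JSON request to Elasticsearch and decode the JSON reply."""
    req = urllib.request.Request(
        ES_URL + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method=method,
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def scroll_messages(query, index="graylog_*", page_size=1000, call=http_call):
    """Yield every matching document, holding only one page in memory at a time.

    index="graylog_*" assumes Graylog's default index prefix; `call` is
    injectable so the paging logic can be exercised without a cluster.
    """
    body = {
        "size": page_size,  # bounded page, well under the default result window
        "sort": ["_doc"],   # cheapest ordering for a full export
        "query": {"query_string": {"query": query}},
    }
    page = call("POST", f"/{index}/_search?scroll=1m", body)
    scroll_id = page.get("_scroll_id")
    try:
        while page["hits"]["hits"]:
            yield from page["hits"]["hits"]
            page = call("POST", "/_search/scroll",
                        {"scroll": "1m", "scroll_id": scroll_id})
            scroll_id = page.get("_scroll_id", scroll_id)
    finally:
        # Release the server-side search context, even if the consumer stops early.
        if scroll_id:
            call("DELETE", "/_search/scroll", {"scroll_id": scroll_id})
```

Iterating `scroll_messages("307")` and writing each hit's `_source` to a file gives Power BI a static export to load, instead of one request with a multi-million `limit`.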
