Graylog server version 4.3.5. Recently upgraded from 4.2 making note of config changes in the changelog.
Today I added a grok extractor on one of my inputs. It was in place and doing what it is supposed to do. Then when I went to add another, my first seems to have disappeared.
“Maybe I didn’t save properly from a tab” I thought to myself. So I added my second extractor. That extractor is also working properly.
Go back to the extractors page. Neither is present.
I re-add under different names, and now the original two show up again. If I navigate away, however, now the new extractor has also disappeared from the list.
Of note is that despite not showing up in the extractor list (unless I add another extractor, but then all new extractors disappear again when navigating away from the page), the extractors continue to function, pulling the fields that I need.
I’ve tried stopping and restarting both graylog-server and mongod and still have the problem. I have no idea what is going on here.
I tried incognito, and also a different browser. I also used my phone, and used different login accounts. The problem persists with all of these things. It certainly doesn’t look to be browser related.
Sort and Export options also do not show the new extractors.
What else could this be on the server end? Today I may try the kludge to get the full display, export, delete everything, then import. If that doesn’t work, I guess downgrade to 4.2.9 (again).
Nothing in the logs is standing out. Earlier today I created a random extractor for a different stream, and that one seems to be OK. I noticed that the stream for the disappearing extractors were not shared with anybody, so I made it everyone/view, then re-created the extractor. The problem persists.
I was adding the extractors to the wrong input. Graylog was figuring out the correct one and placinig my extractors there. Hence the reason I would see them immediately and then they would ‘disappear’. Graylog was showing me the place that I actually placed the extractors, and I just now realized the title for that page was different.
Thanks all for looking into this with me! Sometimes it just takes a few different sets of eyes before I have my aha! moment.
It did not even occur to me that my vpn stuff (the thing I was writing the extractor for) was on the firewall input, not my general rsyslog input. What made it not obvious is the list extractors on both are nearly identical. I will rename the extractors for the firewall input to give me those cues going forward.
