Could not execute search


(Javier Amelines) #1

Hello, I installed Graylog v2.3.1 with Elasticsearch v2.3.1 and MongoDB v3.2.17. When I open the web interface and click the “Search” tab, I get the message “Could not execute the search”.

Error Message:
Unable to perform search query.
Details:
Search status code:
500
Search response:
cannot GET http://10.X.X.X:9000/api/search/universal/relativequery=%2A&range=300&limit=150&sort=timestamp%3Adesc (500)

In the “Sources” tab, I get:
Input buffer 0.00%
Process buffer 0.00%
Output buffer 0.00%

This is how I have it configured:

/etc/elasticsearch/elasticsearch.yml

network.host: 10.X.X.X
elasticsearch_discovery_zen_ping_multicast_enabled: false
elasticsearch_discovery_zen_ping_unicast_hosts: 10.X.X.X:9200
discovery.zen.ping.multicast.enabled: false
script.inline: false
script.indexed: false
script.file: false
http.max_initial_line_length: 100k
discovery.zen.minimum_master_nodes: 3
index.number_of_shards: 4
index.number_of_replicas: 0
Running curl -XGET 'http://10.X.X.X:9200/_cluster/health?pretty=true' returns:
{
  "error" : {
    "root_cause" : [ {
      "type" : "master_not_discovered_exception",
      "reason" : null
    } ],
    "type" : "master_not_discovered_exception",
    "reason" : null
  },
  "status" : 503
}

vi /etc/graylog/server/server.conf

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = zcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
root_username = admin
root_password_sha2 = 5d8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
plugin_dir = plugin
rest_listen_uri = http://10.X.X.X:9000/api/
rest_transport_uri = http://10.X.X.X:9000/api/
web_listen_uri = http://10.X.X.X:9000/
elasticsearch_cluster_name = graylog
elasticsearch_cluster_discovery_timeout = 10000
rotation_strategy = count
elasticsearch_max_number_of_indices = 20
elasticsearch_max_docs_per_index = 20000000
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_host = 10.X.X.X:9200
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 100
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 20
outputbuffer_processors = 15
outputbuffer_processor_keep_alive_time = 5000
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://10.X.X.X/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32

/etc/syslog-ng/syslog-ng.conf

source s_src {
       system();
       internal();
       unix-stream ("/dev/log");
       udp(ip(0.0.0.0) port(5140));
};
destination d_net { syslog("10.X.X.X" port(5140)); };

vi /etc/rsyslog.conf

# provides UDP syslog reception
$module(load="imudp")
$input(type="imudp" port="5140")
#ModLoad imudp
UDPServerRun 5140
# provides TCP syslog reception
$module(load="imtcp")
$input(type="imtcp" port="5140")
# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on
*.* @10.X.X.X:5140;RSYSLOG_SyslogProtocol23Format
# Filter duplicated messages
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

(Jochen) #2

What’s in the logs of your Graylog and Elasticsearch nodes?


(Javier Amelines) #3

How do I get the logs for the Graylog and Elasticsearch nodes?


(Jochen) #4

Please refer to http://docs.graylog.org/en/2.3/pages/configuration/file_location.html for the relevant file locations.


(Javier Amelines) #5

I checked all the locations and found the following Elasticsearch location empty: /var/lib/elasticsearch/data
Please tell me what I should place there.

Thank you


(Jochen) #6

/var/lib/elasticsearch/data is the data directory of Elasticsearch, not the location it’s writing logs to.


(Javier Amelines) #7

Okay, but I still have the same problem as before. On the “Search” tab I still get the message “Could not execute the search”, the “Sources” tab does not show anything, and when looking at “Node c603d9a8 / SYSLOG” it still shows “Input buffer 0.00%”, “Process buffer 0.00%”, “Output buffer 0.00%” and “Utilization 0.00%. 93 unprocessed messages are currently in the journal, in 1 segments.”


(Jochen) #8

Without any logs, we can’t help you.

If I had to guess, I’d say that you’re missing the elasticsearch_hosts configuration setting in your Graylog configuration file.

Also see http://docs.graylog.org/en/2.3/pages/upgrade/graylog-2.3.html#graylog-switches-to-elasticsearch-http-client

