hello, I am interested in graylog and want to know if graylog can meet my needs. unfortunately I always get this error message (screeshot in link below)when trying to create Quick Value, Generate Chart and more on the message fields.
I tried it on a nginx requests stream that came with a virtual appliance.
I’ve been looking for a solution on google but unfortunately have not got it.
thank you for any help.
Any errors in the log files of Graylog or Elasticsearch?
hi zionio, thanks for the suggestion.
as the link says, i have enabled message “UI analysis disabled for fields” as well. but the error still appears.
hi jtkarvo,
this the error log from graylog
cat /var/log/graylog/server/current | grep ERROR
2018-01-11_15:22:16.44599 ERROR [NettyTransport] Error in Input [Syslog UDP/5a578127b5e33105caf1b9aa] (channel [id: 0x24591f7c, /0:0:0:0:0:0:0:0:514])
2018-01-11_15:22:18.66928 ERROR [LookupDataAdapter] Couldn’t start data adapter spamhaus-drop/5a578129b5e33105caf1b9ed/@46debff5
2018-01-11_15:22:18.67725 ERROR [LookupDataAdapter] Couldn’t start data adapter abuse-ch-ransomware-domains/5a578129b5e33105caf1b9e4/@6927067a
2018-01-11_15:22:38.51322 ERROR [InputLauncher] The [org.graylog2.inputs.syslog.udp.SyslogUDPInput] input with ID <5a578127b5e33105caf1b9aa> misfired. Reason: Address already in use.
2018-01-11_15:22:38.58216 ERROR [graylog-eventbus] Exception thrown by subscriber method inputStateChanged(org.graylog2.plugin.events.inputs.IOStateChangedEvent) on subscriber org.graylog2.inputs.InputStateListener@7b5c9412 when dispatching event: IOStateChangedEvent{oldState=STARTING, newState=FAILED, changedState=InputState{stoppable=SyslogUDPInput{title=appliance-syslog-udp, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=a25c0ba2-ca9c-4f18-97b7-2b4214375dfe}, state=FAILED, startedAt=2018-01-11T15:22:38.425Z, detailedMessage=‘null’}}
and this one
cat /var/log/graylog/server/current | grep WARN
2018-01-11_15:22:06.78644 WARN [NodeChecker] Removing host http ://192.168.2.140:9200
2018-01-11_15:22:11.65070 WARN [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2018-01-11_15:22:11.71318 WARN [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2018-01-11_15:22:12.80067 WARN [DeadEventLoggingListener] Received unhandled event of type <org.graylog2.plugin.lifecycles.Lifecycle> from event bus <AsyncEventBus{graylog-eventbus}>
2018-01-11_15:22:16.38702 WARN [NettyTransport] receiveBufferSize (SO_RCVBUF) for input GELFUDPInput{title=appliance-gelf-udp, type=org.graylog2.inputs.gelf.udp.GELFUDPInput, nodeId=null} should be 1048576 but is 212992.
2018-01-11_15:22:16.67320 WARN [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=appliance-syslog-udp, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=a25c0ba2-ca9c-4f18-97b7-2b4214375dfe} should be 262144 but is 212992.
2018-01-11_15:22:17.36759 WARN [NettyTransport] receiveBufferSize (SO_RCVBUF) for input GELFUDPInput{title=appliance-gelf-udp, type=org.graylog2.inputs.gelf.udp.GELFUDPInput, nodeId=a25c0ba2-ca9c-4f18-97b7-2b4214375dfe} should be 1048576 but is 212992.
2018-01-11_15:22:18.62365 WARN [OTXDataAdapter] OTX API key is missing. Make sure to add the key to allow higher request limits.
2018-01-11_15:22:18.67458 WARN [OTXDataAdapter] OTX API key is missing. Make sure to add the key to allow higher request limits.
2018-01-11_15:25:15.07560 WARN [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=appliance-syslog-udp, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=a25c0ba2-ca9c-4f18-97b7-2b4214375dfe} should be 262144 but is 212992.
but i dont see any warning or error in elasticsearch log.
UPDATE :
I got this error when opening a link containing errors directly in the browser
Unable to perform terms query\n\nFielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.
Hello, all. I solved this problem by using an extractor. whether this is the right step or not but with this i can adding message to dashboard.
could you please inform me how to do this?
also isn’t there any hope to activate the quick values for messages?
Just check - for example “System > Configurations” in your Graylog setup …
i found the below error message from browser which may clarify the problem facnig me:
{“message”:“Unable to perform terms query\n\nFielddata is disabled on text fields by default. Set fielddata=true on [source] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.”,“details”:[“Fielddata is disabled on text fields by default. Set fielddata=true on [source] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.”]}
how can i enable the metioned term as this may solve the issue?
you should read the elasticsearch documentation on that:
i did bu it’s really to hard to get the needed steps clearly as i’m not an expert also it seems there’s no clear text file to edit in the server; so i’ve to change in a DB or somthing like that!
could you please summaries to me the actual steps in a simple form?
you should not change the details if you did not get it yourself.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
