All,
I’m not sure what’s going on with Graylog’s custom Views Section but when I select the drop down to select a stream the search should include. It does not show all the messages from that stream.
For example, I have a stream called “Veeam License Expiring”, below are all the messages within that stream.
@jan
Just updated Graylog today to Graylog 3.1.3+cda805f .
What I noticed today was it removed yesterday message and applied today message in Views. Still only show one message. Other then that everything else seeam to work fine.
NOTE: We have the test Notification button back Awesome
@jan after upgrading Graylog server, some of the custom views are still not showing all messages in the stream. As for now I have a work around I’m using which is instead on using selected stream the search should include. I’m using the rule/s from that stream “Field EventID must match exactly 24040”.
Here is the stream Called “Veeam License Expiring” and the messages within it from 7 Days ago.
Since some custom views do not have a problem and some do, I was think maybe it was something I configured wrong. Trying to find out what might have gone wrong, I’ve been matching different streams configurations and tail’ing log files from elasticsearch and Graylog. No erors are shown yet.
I can’t notice a general problem here cause I did not notice that also and I can’t reproduce that in my lab. I’ll forward this here to some developers but I can’t guarantee for anything.
@jan
I do apperciate that, thank you.
There is something strange on my Views section, not sure though but this problem seems to be related to only my streams I have pipelines attached (i.e. route_to_stream). I have just basic streams for users failed to logon/logoff that have no pipelines and all the messages are shown on Views.
This is my pipeline rules for the stream “Veeam License Expiring”.
rule " License Expiring "
when
((to_string($message.EventID) == “24040”))
then
set_field(“license_trigger”, true);
end
Rule “Route License to Stream”
when
has_field(field:“license_trigger”)
then
route_to_stream(id:“5db243bc83d72e04d3d960a2”);
end
@jan
I’m not sure if this is related to my Views but when I configure Event Definition I only see one message. I wanted to see the past 3 days of message in Filter & Aggregation section. My Alert did not go off for that stream either. I set it for equal or greater than 11 count >= 11 messages.
I did a query for All message on the stream “Veeam License Expiring” but only shows one in Filter Preview when I should at least have 5-11 messages shown.
But if I select a different stream that did not have a pipeline on or attached to it like “Linux user Logon” stream I recieve the correct amount messages not just one.
I dont understand why it only effected that stream with the pipeline attached. Even after removing pipelines its still the same. What im going to do is delete the stream and any pipeline attached. Then remake my stream without a pipeline see if I get the same results.
