Graylog Custom Views Problem

All,
I’m not sure what’s going on with Graylog’s custom Views Section but when I select the drop down to select a stream the search should include. It does not show all the messages from that stream.
For example, I have a stream called “Veeam License Expiring”, below are all the messages within that stream.

Now When I navigate to Views > Create New, select “Search last 5 days” then select “Veeam License Expiring” it shows only one message.

My Environment:
CentOS 7 Latest Version
Graylog 3.1.1+b39ee32
Elasticsearch-6.6.1-1.noarch
Mongodb-org-4.2.0

Any advice, Ideas or direction would be appreciated.
Thank you in advance.

you should update your Graylog the views are a heavy changing part of Graylog as we adjust and fix issues left and right on every release.

@jan
Just updated Graylog today to Graylog 3.1.3+cda805f .
What I noticed today was it removed yesterday message and applied today message in Views. Still only show one message. Other then that everything else seeam to work fine.
NOTE: We have the test Notification button back Awesome :smile:

image

@jan after upgrading Graylog server, some of the custom views are still not showing all messages in the stream. As for now I have a work around I’m using which is instead on using selected stream the search should include. I’m using the rule/s from that stream “Field EventID must match exactly 24040”.
Here is the stream Called “Veeam License Expiring” and the messages within it from 7 Days ago.

This is the Custom Views with that stream added for search.

This is my work around for now.

Since some custom views do not have a problem and some do, I was think maybe it was something I configured wrong. Trying to find out what might have gone wrong, I’ve been matching different streams configurations and tail’ing log files from elasticsearch and Graylog. No erors are shown yet.

He @gsmith

I can’t notice a general problem here cause I did not notice that also and I can’t reproduce that in my lab. I’ll forward this here to some developers but I can’t guarantee for anything.

@jan
I do apperciate that, thank you.
There is something strange on my Views section, not sure though but this problem seems to be related to only my streams I have pipelines attached (i.e. route_to_stream). I have just basic streams for users failed to logon/logoff that have no pipelines and all the messages are shown on Views.

This is my pipeline rules for the stream “Veeam License Expiring”.

rule " License Expiring "
when
((to_string($message.EventID) == “24040”))
then
set_field(“license_trigger”, true);
end

Rule “Route License to Stream”
when
has_field(field:“license_trigger”)
then
route_to_stream(id:“5db243bc83d72e04d3d960a2”);
end