Graylog search query

Graylog Central (peer support)
1

Nothing found

Your search returned no results, try changing the used time range or the search query. Do you want more details? [Show the Elasticsearch query].

Please note that we already have ES version 6 running in dev and we’ve successfully integrated Graylog to Elasticsearch.

But for some reasons unknown to us, when we create a dashboard and query, i.e., counts, we get nothing from our search.

30%20PM
Screen Shot 2019-01-22 at 2.02.30 PM.png3076×216 18.6 KB

Graylog version 2.5
Elasticsearch version 6
MongoDB version 3.6

All thoughts and suggestions are welcome! Thanks in advance.

2

How did you ingest logs to Graylog?

3

set define time range instead of relative.
Wrong time set can cause something like that.

4

I’m using Syslog UDP and GELF TCP inputs.

Error logs

    2019-01-22 22:12:12,351 WARN    [Reflections] - could not get type for name org.graylog.plugins.collector.configurations.rest.models.CollectorOutput from any class loader - {}
org.reflections.ReflectionsException: could not get type for name org.graylog.plugins.collector.configurations.rest.models.CollectorOutput
	at org.reflections.ReflectionUtils.forName(ReflectionUtils.java:390) [graylog.jar:?]
	at org.reflections.Reflections.expandSuperTypes(Reflections.java:381) [graylog.jar:?]
	at org.reflections.Reflections.<init>(Reflections.java:126) [graylog.jar:?]
	at org.reflections.Reflections.<init>(Reflections.java:168) [graylog.jar:?]
	at org.graylog2.shared.rest.documentation.generator.Generator.<init>(Generator.java:99) [graylog.jar:?]
	at org.graylog2.shared.rest.resources.documentation.DocumentationResource.<init>(DocumentationResource.java:77) [graylog.jar:?]
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [?:1.8.0_181]
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [?:1.8.0_181]
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [?:1.8.0_181]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423) [?:1.8.0_181]
	at org.glassfish.hk2.utilities.reflection.ReflectionHelper.makeMe(ReflectionHelper.java:1375) [graylog.jar:?]
	at org.jvnet.hk2.internal.ClazzCreator.createMe(ClazzCreator.java:272) [graylog.jar:?]
	at org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:366) [graylog.jar:?]
	at org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487) [graylog.jar:?]
	at org.glassfish.jersey.process.internal.RequestScope.findOrCreate(RequestScope.java:162) [graylog.jar:?]
	at org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2022) [graylog.jar:?]
	at org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:774) [graylog.jar:?]
	at org.jvnet.hk2.internal.ServiceLocatorImpl.internalGetService(ServiceLocatorImpl.java:737) [graylog.jar:?]
	at org.jvnet.hk2.internal.ServiceLocatorImpl.getService(ServiceLocatorImpl.java:707) [graylog.jar:?]
	at org.glassfish.jersey.internal.inject.Injections.getOrCreate(Injections.java:172) [graylog.jar:?]
	at org.glassfish.jersey.server.model.MethodHandler$ClassBasedMethodHandler.getInstance(MethodHandler.java:284) [graylog.jar:?]
	at org.glassfish.jersey.server.internal.routing.PushMethodHandlerRouter.apply(PushMethodHandlerRouter.java:74) [graylog.jar:?]
	at org.glassfish.jersey.server.internal.routing.RoutingStage._apply(RoutingStage.java:109) [graylog.jar:?]
	at org.glassfish.jersey.server.internal.routing.RoutingStage._apply(RoutingStage.java:112) [graylog.jar:?]
	at org.glassfish.jersey.server.internal.routing.RoutingStage._apply(RoutingStage.java:112) [graylog.jar:?]
	at org.glassfish.jersey.server.internal.routing.RoutingStage._apply(RoutingStage.java:112) [graylog.jar:?]
	at org.glassfish.jersey.server.internal.routing.RoutingStage.apply(RoutingStage.java:92) [graylog.jar:?]
	at org.glassfish.jersey.server.internal.routing.RoutingStage.apply(RoutingStage.java:61) [graylog.jar:?]
	at org.glassfish.jersey.process.internal.Stages.process(Stages.java:197) [graylog.jar:?]
	at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:318) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?]
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?]
	at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?]
	at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?]
	at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?]
	at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_181]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_181]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
Caused by: java.lang.ClassNotFoundException: org.graylog.plugins.collector.configurations.rest.models.CollectorOutput
	at java.net.URLClassLoader.findClass(URLClassLoader.java:382) ~[?:1.8.0_181]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[?:1.8.0_181]
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349) ~[?:1.8.0_181]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[?:1.8.0_181]
	at org.reflections.ReflectionUtils.forName(ReflectionUtils.java:388) ~[graylog.jar:?]
5

Did you checked that all your plugins are compatible to your current Graylog version?

Did you tried “System > indices > {INDEX NAME} > Maintenance > recalculate index range” ?

6

I’ve tried to recalculate index range and recalculate active write index in maintenance mode, and the issue persists.

Each time I attempt to run a query, I get the below for a brief seconds before it disappears

44%20PM
Screen Shot 2019-01-23 at 2.38.44 PM.png1026×324 205 KB

Index Set: Default index set

58%20PM
Screen Shot 2019-01-23 at 1.41.58 PM.png1492×260 25.6 KB

48%20PM
Screen Shot 2019-01-23 at 1.36.48 PM.png2354×650 111 KB

41%20PM
Screen Shot 2019-01-23 at 1.37.41 PM.png2284×644 98.4 KB

50%20PM
Screen Shot 2019-01-23 at 1.38.50 PM.png2324×624 101 KB

Testing Index Set

Note the one I created

31%20PM
Screen Shot 2019-01-23 at 1.43.31 PM.png1506×242 24.3 KB

35%20PM
Screen Shot 2019-01-23 at 1.44.35 PM.png2334×740 110 KB

Lists of plugins

  plugins:
     - name: graylog-plugin-slack-3.0.0.jar
       url: https://github.com/graylog-labs/graylog-plugin-slack/releases/download/3.0.0/graylog-plugin-slack-3.0.0.jar
     - name: graylog-plugin-function-check-diff-1.0.0.jar
       url: https://github.com/omise/graylog-plugin-function-check-diff/releases/download/1.0.0/graylog-plugin-function-check-diff-1.0.0.jar
     - name: graylog-plugin-custom-alert-condition-1.0.0.jar
       url: https://github.com/omise/graylog-plugin-custom-alert-condition/releases/download/v1.0.0/graylog-plugin-custom-alert-condition-1.0.0.jar
     - name: graylog-plugin-auth-sso-2.5.0.jar
       url: https://github.com/Graylog2/graylog-plugin-auth-sso/releases/download/2.5.0/graylog-plugin-auth-sso-2.5.0.jar
     - name: graylog-plugin-internal-logs-2.4.0.jar
       url: https://github.com/graylog-labs/graylog-plugin-internal-logs/releases/download/2.4.0/graylog-plugin-internal-logs-2.4.0.jar

Thanks a lot in advance @jan

7

did you notice that you only have messages in the index graylog_1 that are between 9 and 6 days old?

no other index holds data - no index can return any results, only when the time is selected to the time the one index holds data.

1 Like
8

Yes, I’m aware of graylog_1 however, for whatever reasons @jan data wouldn’t populate into the dashboard. Getting visibility would be ultimate for those indexes.

9

your search time need to be for the time when your Graylog has data (between 9 and 6 days in the past when you created the screenshots) then you will have something to display.

But currently you have nothing to display in the default 5 minute period.

1 Like
10

@jan thanks for the clarification. I’ll give it another go upon getting pass this new GRAYLOG_SERVER_JAVA_OPTS issue.

11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.