Log entries not in correct order because of identical timestamp

Smarties · June 13, 2024, 2:33pm

Hello,
at the moment i am trying to migrate to graylog from very basic textfiles where i am currently logging my agents.
The problem is that i am used to having all my log entries in order and since my agents are quite fast at logging there are multiple log entries for the same timestamp.
Since graylog uses the timestamp to order my messages, the messages that have the same timestamp will now be shown in random order which is confusing.

Here are the log messages in graylog search:

I am currently on Graylog version: 5.0.2

I have tried to come up with a solution to this problem but since i am new to graylog i could not think of a valid solution that would help me

I would like to know how other people deal with this problem or if it just is not a problem to them and they dont care

Smarties · June 13, 2024, 2:34pm

Here are the messages in my textfile:

(Could not have two images in my post since i am new)

joe.gross · June 13, 2024, 9:57pm

Well, your logs all list the same timestamp. That’s what Graylog gets.

I will look into it and report back.

joe.gross · June 13, 2024, 11:40pm

OK. I’ve got some good news.

There are two possible problems here. First, the agent you are using may be collecting these messages then delivering them in a different order than that in the original file. If that’s the case, there’s not much Graylog can do for you, because that’s the order in which they are arriving.

However, if the agent is delivering them in the same order they are read, the trouble may lie in Graylog itself. At least your version of Graylog.

In version 5.1, we fixed the exact issue you are experiencing by adding a ULID for each message received. This allows for sorting by ULID, even when the timestamps are identical.

You need only to upgrade and it will be resolved. That is, provided your agent is delivering them as read.

github.com/Graylog2/graylog2-server

Make messages with identical timestamps sortable by ULID

Graylog2:master ← Graylog2:ulid-sorted-messages

opened 05:28PM - 03 Nov 19 UTC

mpfz0r

+809 -353

The ULID format in the `gl2_message_id` field is composed of a 48 bit timestamp …followed by 80 bits of randomness. Use the first 16 bits of the random field to embed a sequence number for each message. If a batch of messages was received with identical timestamps (the same millisecond), the original receive order is kept by the encoded sequence number which directly follows the timestamp. This allows us to sort messages by `gl2_message_id` which should have the correct original order in most cases. ## CAVEATS This is a best effort approach to a complicated problem. It's not a silver bullet. Here are reasons why the `gl2_message_id` sort order might not always be correct: - The sequence number is generated per node and input. This means that sorting will not work if an input is load balanced over multiple nodes. - There is only space for `60535` messages with the same timestamp and input. - Also, there is a small chance that, if too many batches of messages with the same timestamp and input get processed in parallel, the sort order might be wrong. ## Performance Impact Running a benchmark, which ingests 8 million messages. Four parallel curl loops send batches of `5000` messages with identical timestamps. Without this change, this takes `3m 19s` With this change: `3m 25s` Which means approx 40k msg/sec and no measurable performance impact. Fixes #2741

Smarties · June 14, 2024, 2:30pm

Thank you for the quick reply

I will try and update Graylog in the next few days to check the solution but this should fix my problem

system · June 28, 2024, 2:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Messages with imprecise timestamp get into wrong order Graylog Central (peer support)	3	878	October 4, 2019
Export to CSV function in Graylog does not respect order Graylog Central (peer support)	8	4997	June 7, 2018
Wrong order whit ms Graylog Central (peer support)	5	661	August 25, 2019
Sort message table by custom field Graylog Central (peer support)	2	1083	May 5, 2020
Timestamps not lining up Graylog Central (peer support) time-stamp-issuespl	4	795	October 6, 2023

Log entries not in correct order because of identical timestamp

Related topics