Max_result_window increase Graylog 4.0.5+d95b909

Graylog Central (peer support)
1

Hello.
An error appears when I going to page 67.
What can be done in this case?
Type of error:
While retrieving data for this widget, the following error(s) occurred:

  • Elasticsearch exception [type=illegal_argument_exception, reason=Result window is too large, from + size must be less than or equal to: [10000] but was [10050]. See the scroll api for a more efficient way to request large data sets. This limit can be set by changing the [index.max_result_window] index level setting.].
    Version: Graylog 4.0.5+d95b909
    Thank You for attention.
    Regards, Nusultan
2

Hi @Tomcat7
you can try to increase the value to this setting like:

curl -XPUT "http://localhost:9200/my_index/_settings" -d '{ "index" : { "max_result_window" : 50000 } }' -H "Content-Type: application/json"
3

@Tomcat7

What @reimlima stated should do the trick but be careful about deep paging.

1 Like
4

Hello @Reimlima
I tried to enter command, but I received an error: “{“error”:{“root_cause”:[{“type”:“index_not_found_exception”,“reason”:“no such index [my_index]”,“resource.type”:“index_or_alias”,“resource.id”:“my_index”,“index_uuid”:“na”,“index”:“my_index”}],“type”:“index_not_found_exception”,“reason”:“no such index [my_index]”,“resource.type”:“index_or_alias”,“resource.id”:“my_index”,“index_uuid”:“na”,“index”:“my_index”},“status”:404}[root@srv ~]#”

1 Like
5

Also found this issue:

graylog: Set max_result_window to 10000000 on graylog template by paladox · Pull Request #1678 · miraheze/puppet · GitHub But I don’t understand how to fix this problem.

1 Like
6

Hi @Tomcat7

Sorry, that command was just an example.

You need to change “my_index” to the real index name, which must be something like “graylog_#”

Where “#” is the number of your index, this number changes after every rotation, you need to take a look in your Graylog UI to know which is.

7

Hello @Reimlima
I was unable to find the index in the Graylog UI. Why do I need to specify port 9200?
I usually log into the Graylog via browser (http://10.1.1.214:9000)
Thank You for attention.
Regards, Nursultan.

8

I’m so sorry for my “facepalm” questions

9

Hi,

I’m so sorry for my “facepalm” questions

Not a problem at all! There’s no “facepalm question”, not asking when you’re in doubt that deserves “facepalm”

The changes I’m sugesting you to do need to be done directly in elasticsearch, that’s why “port 9200”, it’s the port normally elasticsearch listen to.

You can run a simillar “curl” command to list all your indexes, could be an alternative to Graylog UI.

1 Like
10

Hello @Reimlima
And yet, I could not find the index.
“Curl” command can’t list indexes.

11

Hi,

can you feed me with more informations? Like:

  • The curl command you’re running
  • The error it shows you.
12

Hello @Reimlima
I entered command and got an error
Commands:

  1. curl -X GET “localhost:9200/_cat/indices/my-index-*?v=true&s=index&pretty”
  2. GET /_cat/indices/my-index-?v=true&s=index
    Error:
    [root@srv ~]# GET /_cat/indices/my-index-    ?v=true&s=index
    [1] 16825
    -bash: GET: command not found
    [root@srv ~]# curl -X GET "localhost:9200/_cat/indices/my-index-?v=true&s=index&pretty"
    health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
    [1]+ Exit 127 GET /_cat/indices/my-index-    ?v=true
13

Hi @Tomcat7

Pleas, run the command this way and paste the output here:

curl -s -XGET "localhost:9200/_cat/indices"
14

The command works great.
Output:
green open gl-events_1 UI_OHJpTQQi708dv56dlZg 4 0 0 0 832b 832b
green open gl-events_0 8JfheYc4SG6Dev1-8Qy87A 4 0 0 0 832b 832b
green open graylog_0 St9y1SncQqecG4HcmC4d0Q 4 0 14392069 0 2.5gb 2.5gb
green open gl-system-events_0 yEIPXzaHTQCftb4N9hoxIQ 4 0 0 0 832b 832b
green open gl-system-events_1 AZb2QZV6R2a9AZ8xxr2kvA 4 0 0 0 832b 832b

15

Also entered:
curl -XPUT “localhost:9200/graylog_0/_settings” -d ‘{ “index” : { “max_result_window” : 50000 } }’ -H “Content-Type: application/json”
Output: no errors
At the moment I can go to page 67,68,69 etc
Thank You very much @Reimlima.
It works very well.

1 Like
16

@Tomcat7
Glad to hear that, just for notice, the index you’re looking for is:

Updating my first reply, the command in your end would be like that:

curl -XPUT "http://localhost:9200/graylog_0/_settings" -d '{ "index" : { "max_result_window" : 50000 } }' -H "Content-Type: application/json"
1 Like
17

Entered the command and system accepted. Works very well)))
Thank You very much
Regards, Nursultan.

1 Like
18

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.