Newbie: simple search does not find anything

I only got started and imported my very first log file using plain TCP. Now searching for any string (here “cache”) just returns an empty result, no rows matched:

According to the docs that should match the entire string, but apparently it doesn’t?

Docker logs do not show error on the graylog container.

Can you give a full example message (using the forum tools </> to make it look nice… and making sure it’s properly obfuscated if need be…)? Did you try searching for other words like TRACE or vehicleOdometer?

The message is really just plain text:

[cache ] TRACE 2022/02/14 13:46:19 lp-1/vehicleOdometer: 0

I was going to add a regex extractor to get the area (cache) so I could filter by that. When area:cache didn’t return a search result I tried just cache or vehicle as the search term. Always with the same result: empty.

Another fun fact: v or e returns the above message, ve returns empty?!
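The regex extractor mentioned above has to capture the bracketed area so it can land in its own field (area) and be queried as area:cache instead of relying on full-text matching of the message. The script below is an added example, not code from this thread or from Graylog; it tests candidate patterns offline against constructed lines in the same format as the sample message. Graylog’s regex extractor takes the first capture group, so AREA_PATTERN has exactly one; LINE_PATTERN is a broader, assumed pattern that splits the whole line into named fields for checking the format before building extractors.

```python
import re

# Constructed sample lines in the format of the message posted in the thread
# (not real log data).
SAMPLE_LINES = [
    "[cache ] TRACE 2022/02/14 13:46:19 lp-1/vehicleOdometer: 0",
    "[cache ] TRACE 2022/02/14 13:46:20 lp-1/vehicleOdometer: 12",
    "[net   ] DEBUG 2022/02/14 13:46:21 lp-2/connectionState: open",
]

# Single capture group for the area, the shape a Graylog regex extractor expects.
# Graylog evaluates Java regex; this pattern only uses syntax that Java and
# Python share, so testing it here is representative.
AREA_PATTERN = re.compile(r"^\[(\w+)\s*\]")

# Assumed full-line pattern (my naming, not anything Graylog defines) that
# breaks the line into named fields: area, level, date, time, source, key, value.
LINE_PATTERN = re.compile(
    r"^\[(?P<area>\w+)\s*\]\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<source>[^/\s]+)/(?P<key>[^:\s]+):\s*(?P<value>.*)$"
)


def extract_area(line):
    """Return the bracketed area (e.g. 'cache'), or None if the line does not match."""
    m = AREA_PATTERN.match(line)
    return m.group(1) if m else None


def parse_line(line):
    """Return a dict of all named fields, or None for a line in an unexpected format."""
    m = LINE_PATTERN.match(line)
    return m.groupdict() if m else None


def filter_by_area(lines, area):
    """Emulate the area:<value> query the extractor is meant to enable."""
    return [ln for ln in lines if extract_area(ln) == area]


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(extract_area(ln), parse_line(ln))
    print(filter_by_area(SAMPLE_LINES, "cache"))
```

Lines that do not match return None rather than raising, which mirrors what you want from an extractor: an unparseable line still gets indexed, it just lacks the area field.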

Try putting quotes around the word you are searching for. “cache”

Not sure about the v vs. ve thing.


Whatever I search for, with or without quotes, single characters match (case insensitive), anything longer doesn’t.

For what it’s worth: I’m running the docker-compose stack from the docs.

hmmm… Can you post your server.conf

cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"

Making sure it’s obfuscated properly…

I’m only testing it and have not created a graylog.conf. This is the container’s config minus passwords:

  graylog:
    image: "graylog/graylog:4.2"
    depends_on:
      elasticsearch:
        condition: "service_started"
      mongodb:
        condition: "service_started"
    entrypoint: "/usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh"
    environment:
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/config/node-id"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
      GRAYLOG_ELASTICSEARCH_HOSTS: "http://elasticsearch:9200"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    ports:
      - "5044:5044/tcp" # Beats
      - "5140:5140/udp" # Syslog
      - "5140:5140/tcp" # Syslog
      - "5555:5555/tcp" # RAW TCP
      - "5555:5555/udp" # RAW TCP
      - "9000:9000/tcp" # Server API
      - "12201:12201/tcp" # GELF TCP
      - "12201:12201/udp" # GELF UDP
      #- "10000:10000/tcp" # Custom TCP port
      #- "10000:10000/udp" # Custom UDP port
      - "13301:13301/tcp" # Forwarder data
      - "13302:13302/tcp" # Forwarder config
    volumes:
      - "graylog_data:/usr/share/graylog/data/data"
      - "graylog_journal:/usr/share/graylog/data/journal"
    restart: "on-failure"

I have not worked with the docker version at all. :frowning: Perhaps double-check your whole setup? Search shouldn’t be broken like that… you can try making it a regex search like /cache/, but that is not solving the issue.

I do notice you have a red warning dot on your console, what does that resolve out to be? Do you see anything in the Graylog logs when you search - or even in general?

tail -f /var/log/graylog-server/server.log
