No results on search page

Hi Graylog community,

I’ve installed and configured Graylog 3.0.2 and have messages being sent to a GELF UDP input.

The messages are being accepted and inserted into Elasticsearch. There are no errors in the Graylog server log and I can see the messages using Kibana. Actually, I used Kibana to help me troubleshoot the timestamp field I’m sending to the GELF UDP input. Initially, I was sending messages using local time, but now I have the timestamp being sent in UTC. I can see messages in Kibana as soon as they’re sent and Kibana adjusts the timestamp correctly to local time.

However, I still don’t see any messages on the search page. I’ve tried adjusting the time period to “All messages”, but still no results. I’ve done this logged in as the admin (root) user. I have the root user’s timezone set to EST currently and have also tried UTC, but still no results. I’ve also waited a day to make sure the message timestamps aren’t in the future and being filtered.

The really interesting thing though is, I can send the query myself to Elasticsearch on port 9200 using the query data from the “Elasticsearch query” link on the page and get results. So I don’t know why this is returning 0 results on the search page. I’ve also tried entering a search term that I know is in the message content and that doesn’t work either. If I try this same search term in Kibana, I get results.

If anyone has any ideas on what I should look at or try so I can get search results, I’d really appreciate it. I don’t know what to look at next.

Thanks

Well, I have an interesting update. I can see search results now. They’re beautiful! :)

I haven’t changed any configuration, Graylog or otherwise. But I did notice that the index rolled over. The active write index changed from graylog_0 to graylog_1 (I have 2 indices now).

The only other thing I can think of is, before I fixed the timestamp and started sending messages with timestamps in UTC, I manually deleted docs from the graylog_0 index via the Elasticsearch API. I don’t know if this could explain why I wasn’t seeing search results. My guess is that once the index rolled over and the active write index changed to graylog_1, that’s when things started working.

Also, another page that’s working now that wasn’t before is the Source page. It wasn’t showing a list of message sources, but just like the Search page, it’s working now too.

Thanks


Hey @natej

Actually, you only had to do the 'recalculate index range' in System > Indices, because Graylog wasn’t aware of the data in Elasticsearch.

Such things happen, and the fix is easy, as you see. The same happens automatically on index rotation, which is why you see them now.

Ah, yes, thanks for that. I’ll definitely remember that for next time.

Thanks for your help.
