Search in Graylog 3.0

Graylog Central (peer support)
1

I’ve updated to Graylog 3.0
For far everything work OK.
But when I start searches several scenarios do not work any more:

Search with wildcards
Search: *0305

Error Message:
Unable to perform search query Failed to parse query [*0305]

Details:
* `Failed to parse query [*0305]`

Search status code:
500

Search response:
cannot GET http://xxxx:9000/api/search/universal/relative?query=%2A0305&range=300&limit=150&sort=timestamp%3Adesc (500)

Search in other fields
e.g. from Lookup tables

Field: location is “Test Rengglochsstrasse”

In the old version a search with Rengglochsstrasse found the message.
Now all following seraches are not getting results:

  • Rengglochsstrasse
  • location:Rengglochsstrasse

Only full text finds results:

  • Test Rengglochsstrasse
1 Like
2

You may have to set the allow_leading_wildcard_searches setting to true in your server.conf - if you installed a new package and overwrote your existing configuration it’s set to false by default.

For the Rengglochstrasse only being found using full text, I’ve got no ideas :frowning:

3

Thank you!
Changing to allow_leading_wildcard_searches = True helped.

For search with ‘Rengglochstrasse’
I double checked on previous version. In version 2.4 messages where found with search keyword ‘Rengglochstrasse’.

Query:
Search

Result:

Result
Result.jpg1402×773 77.1 KB

How can I configure graylog 3.0 to behave same?

1 Like
4

It could be more of an Elasticsearch issue since Graylog just passes a built query to Elasticsearch, so I’d take a look there, if possible - other than that, no ideas unfortunately :frowning:

2 Likes
5

works fine for me on graylog 3.0 and I did not change any search configuration so far. Which version of elasticsearch are you using?

just do:
curl -XGET ‘localhost:9200’
to see your version number

6

you are right - the search is passed over to elasticsearch.

@MKramis did you updated ES?

7

Here the responese for curl -XGET ‘localhost:9200’

{
  "name" : "HITWRL3",
  "cluster_name" : "graylog",
  "cluster_uuid" : "5XgjgrmxSieD8S2GGjvnVQ",
  "version" : {
    "number" : "6.6.0",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "a9861f4",
    "build_date" : "2019-01-24T11:27:09.439740Z",
    "build_snapshot" : false,
    "lucene_version" : "7.6.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

I used 3.0 OVA image and imported old MongoDB database tables from prev. 2.4 installation.

8

What elasticsearch version did you used in the previous setup?

9

On 2.4 I used this elasticsearch version

{
“name” : “JfhY4lB”,
“cluster_name” : “graylog”,
“cluster_uuid” : “ET1RBr0vQhStG6jAJpBP6g”,
“version” : {
“number” : “5.6.3”,
“build_hash” : “1a2f265”,
“build_date” : “2017-10-06T20:33:39.012Z”,
“build_snapshot” : false,
“lucene_version” : “6.6.1”
},
“tagline” : “You Know, for Search”
}

10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.