We’re running Graylog 2.4.5 and have noticed that the search system doesn’t get any results older than about the last 2 hours.
Using the keyword ‘last month’ shows the exact same results as relative > ‘…last 2 hours’, when we know we should be seeing more messages.
Indices are 4 shards, 2,000,000 docs per index. All 4 shards have data in them, including the oldest: ‘Contains messages from 6 months ago up to 3 months ago (2.7GB / 2,000,007 messages)’, so I know the data is there. We run about 50 msgs/min as we currently only monitor AD auditing and mail flow, resulting in about 40MB/day, so the index configuration can handle a number of months before being age-dropped and killed off.
Shards in this set are named graylog_6 to graylog_3, with 6 being the most recent and having the active write index running on it.
What I have found weird is that when you run a search, the results state ‘Indices used for this search: 2_0, graylog_6’.
I will admit I’m fairly new to Graylog and it’s been fairly faultless up to now. I’m not sure when search broke for us, but it did definitely work fine when we used one single large shard. We moved to multiple shards a month or 2 ago thinking it would aid disk consumption more easily.
Thanks for any help.