Greetings. Forgive me if this has been covered before, but I did my best with search terms and didn’t find a relevant topic.
I am using Graylog 2.4.6+ceaa7e4 on RHEL7 and java 1.8.0_171, with Elasticsearch 5.6.9. If I search within a particular string, the results will show results from all streams that contain the matching record. For example, if I search for “humongous,” it will show me 3 identical entries, one for the stream I am searching in, and the other 2 for other streams where that same message resides. Looking at the “Stored in index” value for each of the 3 messages confirms this.
If I then go to More actions -> Show query, I do indeed see this:
I can add that criterion to my search, and it still will show me duplicates when the same message exists in different streams.
Is this expected behavior? I think I am seeing this for all cases where one message hits multiple streams, so it’s consistent. If it’s expected, is there a way to turn that off? Or is there a search string which can dedup the output? I’d really like for a search within a stream to only show messages within indexes that stream is tied to.
Thanks for any help.