1. Describe your incident:
I’m reading JSON logs from a file using nxlog and sending them via GELF to graylog. The message field could look like this:
Getting authentication state user_uuid=1983dd8e-1a87-4220-9ae9-a1231c64c034
Performing searches on Graylog sometimes doesn’t return the expected result, so for example if I search
getting the aforementioned log line appears, but if I search
@message:"user_uuid=1983dd8e-1a87-4220-9ae9-a1231c64c034" or anything that should match the token, nothing appears in the results.
Moreover, if I search exactly the whole string, with
@message:"Getting authentication state user_uuid=1980dd8e-1a87-4220-9ae9-a1239c64c0c4" for some reason it works. Changing a single character from that and say, replacing it with a
? makes the search fail again.
I’ve researched this problem, there’s no error log in graylog or elasticsearch, there’s apparently no configuration I can change. My hypothesis is that long tokens are not indexed.
2. Describe your environment:
Graylog 4, 5 in Docker. elasticsearch-oss:7.10.2
3. What steps have you already taken to try and solve the problem?
4. How can the community help?
If anybody has any insight on why this happens, how to trace the problem (trace logs don’t seem to do much) or why it happens, it’d be extremely helpful, otherwise graylog has little to no value for my use case.
Thanks a lot