API Query Issues

[Envera IT]

Thank you, I've sent those over as PM's.

[cdienger]

Thanks for the data but it still isn't clear to me exactly what query is being run. Please provide a profile from the XI system as well as the name of the service that generated the graphs and I should be able to figure it out. The profile can be generated under Admin > System Config > System Profile > Download Profile, or from the command line with:

Code: Select all

/usr/local/nagiosxi/scripts/components/getprofile.sh 59886

The profile is then saved to /usr/local/nagiosxi/var/components/profile.zip.

[Envera IT]

I sent the profile and explained which query was being run in PM.

FYI I'm out next week but will check in here from time to time.

[cdienger]

Thanks for the data. I can confirm I have it and hope to dig into it more first thing tomorrow.

[Envera IT]

Just checking in, any updates?

[ssax]

I have reached out to @cdienger on this and will update you with the status (he won't be back in until the morning), if you don't hear from me by midday tomorrow, please reply to the post again so that it pops up on our dashboards.

Thank you!

[Envera IT]

I have reached out to @cdienger on this and will update you with the status (he won't be back in until the morning), if you don't hear from me by midday tomorrow, please reply to the post again so that it pops up on our dashboards.

Thank you!

Just following up again, hate to be that guy.

[cdienger]

No worries. I hate to be that guy to continue to ask for more data, but here I go...

I've labbed this up and think the issue has to do with the lookback not being handled properly so that it isn't able to see all the old data when the indexes are rolled over to the next day. To verify this I'd like to get a couple more pieces of data.

A few minutes before the index rolls over, manually run the check from XI command line while at the same time run a tcpdump on the NLS machine. Then wait a few minutes for the index to roll over and a couple minutes after the index is created, again manually run the check from the XI command line as well as another tcpdump taken on the NLS machine.

Please provide the results of running the commands and the output of the tcpdump.

The tcpdumps can be taken with this command:

Code: Select all

tcpdump -s 0 -i any port 9200 or host w.x.y.z -w filename.pcap

where w.x.y.z is the IP of the XI system. Be sure to give the file names unique names as well so I can distinguish when they were run.

[Envera IT]

No worries. I hate to be that guy to continue to ask for more data, but here I go...

I've labbed this up and think the issue has to do with the lookback not being handled properly so that it isn't able to see all the old data when the indexes are rolled over to the next day. To verify this I'd like to get a couple more pieces of data.

A few minutes before the index rolls over, manually run the check from XI command line while at the same time run a tcpdump on the NLS machine. Then wait a few minutes for the index to roll over and a couple minutes after the index is created, again manually run the check from the XI command line as well as another tcpdump taken on the NLS machine.

Please provide the results of running the commands and the output of the tcpdump.

The tcpdumps can be taken with this command:

Code: Select all

tcpdump -s 0 -i any port 9200 or host w.x.y.z -w filename.pcap

where w.x.y.z is the IP of the XI system. Be sure to give the file names unique names as well so I can distinguish when they were run.

Just to make sure, these are the tcpdump commands I'll run tonight.

tcpdump -s 0 -i any port 9200 or host 10.0.1.161 -w beforerollover.pcap

tcpdump -s 0 -i any port 9200 or host 10.0.1.161 -w afterrollover.pcap

For the NagiosXI commandline I've tested that and it works so good to go on that one.

Thanks! I'll follow up tonight or tomorrow morning with what I find.

[Envera IT]

I've sent the pcaps over via PM.