
Problem searching for logs in a time span > 200 days

Posted: Tue Sep 19, 2017 2:08 am
by li_alm
Hello,

Selecting a time interval larger than 200 days (using the timepicker) does not produce any results in the dashboard.

E.g.: [03 March 2017 - today (19 September 2017)] produces output, while [02 March 2017 - today] does not
E.g.: [13 January 2017 - 01 August 2017] produces output, while [12 January 2017 - 01 August 2017] does not

Is this a known issue?
Is there a solution?

Thank you.
Regards,
Liviu

Re: Problem searching for logs in a time span > 200 days

Posted: Tue Sep 19, 2017 12:10 pm
by dwasswa
Hi @li_alm,

There are different factors that could be causing this issue.

It depends on how your data is being distributed...

How many nodes?
How many instances?

Also, most importantly, this could be something to do with disk (more disk means better performance/efficiency), because a time span of > 200 days' worth of logs is a lot of data even for reads.

You also have to consider the CPU load.

Therefore this goes back to disk, CPU load, how much data you have, how much is stored a day and how it's distributed...

Re: Problem searching for logs in a time span > 200 days

Posted: Thu Sep 21, 2017 7:01 am
by li_alm
Hello,

I have 1 nagios running on a virtual machine (1 node, 1 instance), but it is not relevant. I do not think resources are the problem.
The search just seems to be ignored - it's not like it takes time to process.

Everything works fine when the time span is <= 199 days.

Is 200 days a magic number somewhere in the elasticsearch/logstash/kibana settings?

Thanks.
Regards,
Liviu

Re: Problem searching for logs in a time span > 200 days

Posted: Thu Sep 21, 2017 11:10 am
by hsmith
How long are you keeping indices open for on the settings page?

Re: Problem searching for logs in a time span > 200 days

Posted: Thu Sep 21, 2017 11:39 am
by scottwilkerson
hsmith wrote: How long are you keeping indices open for on the settings page?
This was what I was thinking as well, it's possible you are reaching back much further than you have indexes open.

Re: Problem searching for logs in a time span > 200 days

Posted: Fri Sep 22, 2017 1:43 am
by li_alm
Could you please give me more details on where I should look?
(Unfortunately, I do not understand what you actually mean by "settings page".)

Thank you.
Liviu

Re: Problem searching for logs in a time span > 200 days

Posted: Fri Sep 22, 2017 8:40 am
by scottwilkerson
In Administration -> Backup & Maintenance there are settings to close/delete the indexes after xx number of days. If the indexes are closed/deleted they cannot be queried.

You can also look at Administration -> Index Status to see what your oldest index is.

Re: Problem searching for logs in a time span > 200 days

Posted: Fri Sep 22, 2017 9:55 am
by li_alm
Backup & Maintenance
Close indexes older than: 0 days
Delete indexes older than: 0 days
Oldest index: 28.03.2017

I should be able to select the time interval 01.01.2017 - today and get all the logs (of course, the output will begin with 28.03.2017), but I am unable to do that.
I can only go back 199 days.

Thank you.
Liviu

Re: Problem searching for logs in a time span > 200 days

Posted: Fri Sep 22, 2017 10:15 am
by scottwilkerson
Hmm, I dug into this a bit more, and I am seeing the same result as you are.

I am going to file a bug report to have the developers take a look at this.