Nagios Support Forum

Hello:

I really like the new log server version but have found something strange. It seems that the exports I do don't match what is reported as available to export. For example, one query had 178 hits. I configured the pagination to show me all of the items on one screen and then exported to CSV. The resulting CSV only has 67 lines. So it appears that 111 items were not exported. Is there something I am missing?

Thanks!

Hello, @CameronWP. Can you try exporting some other queries to CVS, would there also be some missing entries? Can you show us the query? Also, did it say "178 available for paging"?

Hi:

My query is simply looking for event id 4624 for a particular user over a particular time frame. I have attempted the export for different time frames and have the same issue each time.

Thanks!

i don't have an NLS instance online so i won't be much help, but... what is the query you're running specifically? it may help to reproduce this issue.

Thanks for the reply. Here is the query:

"name": "Dickey",
"raw": "{\"query\":{\"filtered\":{\"query\":{\"bool\":{\"should\":[{\"query_string\":{\"query\":\"*dickey*\"}}]}},\"filter\":{\"bool\":{\"must\":[{\"range\":{\"@timestamp\":{\"from\":1491069131192,\"to\":1506793931192}}},{\"fquery\":{\"query\":{\"query_string\":{\"query\":\"EventID:(4624)\"}},\"_cache\":true}}]}}}}}",
"services": "{\"query\":{\"list\":{\"0\":{\"query\":\"*dickey*\",\"alias\":\"\",\"color\":\"#4D89F9\",\"id\":0,\"pin\":false,\"type\":\"lucene\",\"enable\":true}},\"ids\":[0]},\"filter\":{\"list\":{\"0\":{\"from\":\"2017-04-01T17:52:11.192Z\",\"to\":\"2017-09-30T17:52:11.192Z\",\"type\":\"time\",\"field\":\"@timestamp\",\"mandate\":\"must\",\"active\":true,\"alias\":\"\",\"id\":0},\"1\":{\"type\":\"field\",\"field\":\"EventID\",\"query\":\"4624\",\"mandate\":\"must\",\"active\":true,\"alias\":\"\",\"id\":1}},\"ids\":[0,1]}}",
"created_by": "naguser",
"created_id": "1",
"show_everyone": 0,
"imported": 0
}

What is the memory limit set to in /etc/php.ini?

The default is only 128 and this can cause issues with not getting full reports or exports. Find the line and change it to:

memory_limit = 1028M

and restart the httpd service:

service httpd restart

I was running at 512m and upgraded it to 1024m. I tried the export again and get 2015 records.

I checked the logs and found:

rejected execution (queue capacity 1000) on org.elasticsearch.search.action.SearchServiceTransportAction$23@2f1d7b5e

I am wondering if that is part of the issue?

@CameronWP, Please open the elasticsearch.yml file: And add this line to the end of the file: And after that please restart the elasticsearch with: I also recommend increasing the ram and the CPU for this VM. Seems like a lot of these problems are the result of resource insufficiency, or the query is too long.

Alternatively, nlsexport handles large/complex queries a bit more gracefully without fiddling with ElasticSearch internals.

Just my opinion: Having taken a peek at the code behind the native CSV export functionality, I'd say this should be a bug report. A vanilla _search request is not a very safe way to handle queries of arbitrary size and complexity.

There's a very good reason the ElasticSearch search queue size is capped: It leaves room for write operations. Exhausting your thread pool with a large search seems like it could potentially introduce write failures.

npolovenko wrote: I also recommend increasing the ram and the CPU for this VM. Seems like a lot of these problems are the result of resource insufficiency, or the query is too long.

While @mcapra is correct, I want to emphasize the above as well.