Hi Marty, this looks kind of odd, indeed. That error should've been fixed in Graylog2 0.91.1.
Could you please try to run a manual index cycle (System -> Indices in the web interface) and then use the Elasticsearch timestamp fixup tool (see http://www.graylog2.org/news/post/0006-two-new-graylog2-releases for details) on your Graylog2 indices?

Sometimes, if the index wasn't cycled and the mapping hasn't been regenerated, the timestamps are still stored in the wrong format (exactly like you've described it).

Cheers,
Jochen

On Friday, 5 December 2014 01:23:53 UTC+1, Marty wrote:
>
> Hi Jochen,
>
> A previous correspondence said:
> Subject: GELF Output option issue for message stream
> - We will fix that one in the Graylog2 0.92.x version line. Another
>   bugfix release for Graylog2 0.90.x and 0.91.x is currently not planned.
>
> So all my GELF forwarding testing is from Graylog2 0.92.0. Graylog2
> receiver just happened to be a 0.91.3 (all non-production servers).
>
> So digging deeper, just wondering why I only see in Elasticsearch and not
> in the Graylog UI (0.91.3), maybe because of the *'timestamp'* at the
> receiving GL2, it's 'morphed'. See below, the sending message (as shown
> from elasticsearch) to the receiving elasticsearch.
>
> Also the 'full_message' on output is only the 'message', so detail is
> removed. Perhaps it's the precision timestamp, causing the issue.
>
> These are just Rsyslog messages, using the Graylog2 template
> (GRAYLOGRFC5424)
>
> Hostnames have been removed from examples - HOST
>
> *Sending Node: GL2 0.92.0 / ES 1.4.1 [GELF TCP /12201]*
>
> $ curl -XGET 'http://localhost:9200/graylog2_deflector/_search?q=_id:460d9ef0-7b52-11e4-baaa-005056a6608f&pretty'
> {
>   "took" : 14,
>   "timed_out" : false,
>   "_shards" : {
>     "total" : 1,
>     "successful" : 1,
>     "failed" : 0
>   },
>   "hits" : {
>     "total" : 1,
>     "max_score" : 1.0,
>     "hits" : [ {
>       "_index" : "graylog2_0",
>       "_type" : "message",
>       "_id" : "460d9ef0-7b52-11e4-baaa-005056a6608f",
>       "_score" : 1.0,
>       "_source":{"application_name":"CROND","gl2_source_node":"7116a2ca-a48c-4319-91d9-d15d8e7e4ba4","full_message":"<78>0 2014-12-04T12:10:02.078627+11:00 HOST CROND 6078 (root) CMD (/usr/lib64/sa/sa1 1 1)",*"timestamp":"2014-12-04 01:10:02.078"*,"message":" (root) CMD (/usr/lib64/sa/sa1 1 1)\n","level":6,"process_id":"6078","_id":"460d9ef0-7b52-11e4-baaa-005056a6608f","facility":"clock","source":"HOST","gl2_source_input":"54742bf0e4b0a45edc5d890c","streams":["544db9f4e4b0ea0d9b00cb1c"]}
>     } ]
>   }
> }
>
> *Receiving Node: GL2 0.91.1 / ES 1.3.4 [GELF TCP/12201]*
>
> I added a static field on Input "gelf_out_test":"gl2"
>
> $ curl -XGET 'http://localhost:9200/graylog2_deflector/_search?q=id:460d9ef0-7b52-11e4-baaa-005056a6608f&pretty'
> {
>   "took" : 1,
>   "timed_out" : false,
>   "_shards" : {
>     "total" : 1,
>     "successful" : 1,
>     "failed" : 0
>   },
>   "hits" : {
>     "total" : 1,
>     "max_score" : 12.366719,
>     "hits" : [ {
>       "_index" : "graylog2_5",
>       "_type" : "message",
>       "_id" : "4612a800-7b52-11e4-9f04-005056a61b64",
>       "_score" : 12.366719,
>       "_source":{"gelf_out_test":"gl2","application_name":"CROND","gl2_source_node":"36a66731-b525-4973-a713-d6749c07ad13","full_message":"(root) CMD (/usr/lib64/sa/sa1 1 1)","version":"1.1","id":"460d9ef0-7b52-11e4-baaa-005056a6608f",*"timestamp":"46893-09-16 15:14:38.000"*,"message":" (root) CMD (/usr/lib64/sa/sa1 1 1)\n","process_id":"6078","level":6,"facility":"clock","_id":"4612a800-7b52-11e4-9f04-005056a61b64","source":"HOST","gl2_source_input":"547fa41fe4b009c113677ab5","streams":[],"forwarder":"org.graylog2.outputs.GelfOutput"}
>     } ]
>   }
> }
>
> Cheers,
> Marty
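
Added example (not part of the thread and not Graylog2 code): the timestamp stored on the receiving node, 46893-09-16 15:14:38.000, is exactly the sender's time in epoch milliseconds read as if it were seconds. The Python below reproduces both stored strings from the values quoted above and adds a unit sanity check for incoming timestamps; the function names and the one-year skew window are assumptions of this example.

```python
# Values taken from the two Elasticsearch documents quoted in the thread.
SENT_SECONDS, SENT_MILLIS = 1417655402, 78   # "2014-12-04 01:10:02.078" (UTC)
RECEIVED = "46893-09-16 15:14:38.000"        # stored by the receiving node

def civil_from_days(days):
    """Days since 1970-01-01 -> (year, month, day), proleptic Gregorian.
    Done by hand because datetime cannot represent years above 9999."""
    z = days + 719468                        # shift epoch to 0000-03-01
    era, doe = divmod(z, 146097)             # 400-year eras
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)
    mp = (5 * doy + 2) // 153                # month index, March = 0
    day = doy - (153 * mp + 2) // 5 + 1
    month = mp + 3 if mp < 10 else mp - 9
    year = yoe + era * 400 + (1 if month <= 2 else 0)
    return year, month, day

def format_epoch(seconds, millis=0):
    """Render integer epoch seconds the way the indices above show them."""
    days, rem = divmod(seconds, 86400)
    y, m, d = civil_from_days(days)
    return "%d-%02d-%02d %02d:%02d:%02d.%03d" % (
        y, m, d, rem // 3600, rem % 3600 // 60, rem % 60, millis)

def normalize_timestamp(value, now, max_skew=365 * 86400):
    """Return (epoch_seconds, unit) for an incoming numeric timestamp.
    Accepts seconds, or milliseconds if only that reading lands within
    max_skew of 'now' (hypothetical policy); anything else is rejected."""
    if abs(value - now) <= max_skew:
        return float(value), "seconds"
    if abs(value / 1000.0 - now) <= max_skew:
        return value / 1000.0, "milliseconds"
    raise ValueError("timestamp %r is implausible in either unit" % (value,))

if __name__ == "__main__":
    as_millis = SENT_SECONDS * 1000 + SENT_MILLIS
    print(format_epoch(SENT_SECONDS, SENT_MILLIS))   # sender's stored value
    print(format_epoch(as_millis))                   # milliseconds read as seconds
    print(normalize_timestamp(as_millis, now=SENT_SECONDS + 60))
```

A document dated tens of thousands of years ahead falls outside any relative time-range search, which is consistent with the message being visible in Elasticsearch but not in the web interface.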
