Hi Mathieu,

it looks like the "timestamp" field in your Elasticsearch indices is broken, or at least one message with a broken timestamp is in those indices.
Please post the output of the following commands (run against one of your Elasticsearch nodes):

curl 'http://localhost:9200/graylog_*/_mapping?size=100&pretty=true'

curl 'http://localhost:9200/graylog_*/message/_search?search_type=count&size=100&pretty=true' -d '{ "aggregations": { "min": { "min": { "field": "timestamp" } }, "max": { "max": { "field": "timestamp" } } } }'

curl 'http://localhost:9200/graylog_*/message/_search?size=1&pretty=true' -d '{ "sort" : [ {"timestamp" : { "order" : "asc" } } ] }'

curl 'http://localhost:9200/graylog_*/message/_search?size=1&pretty=true' -d '{ "sort" : [ {"timestamp" : { "order" : "desc" } } ] }'

Cheers,
Jochen

On Saturday, 5 December 2015 20:22:04 UTC+1, Mathieu Grzybek wrote:
>
> I upgraded to version 1.2.2 and the problem was solved for a few weeks
> but appeared again.
> I figured out that I need to recalculate the index time ranges to get the
> job done, then it fails again. A query's details show that the wrong
> indexes are used:
>
> {
>   "query": "tags:\"foo, bar\"",
>   "built_query": "{\"from\":0,\"size\":150,\"query\":{\"filtered\":{\"query\":{\"query_string\":{\"query\":\"tags:\\\"foo, bar\\\"\",\"allow_leading_wildcard\":false}},\"filter\":{\"bool\":{\"must\":{\"range\":{\"timestamp\":{\"from\":\"*2015-11-30 13:25:53.307*\",\"to\":\"*2015-11-30 14:25:53.307*\",\"include_lower\":true,\"include_upper\":true}}}}}}},\"sort\":[{\"timestamp\":{\"order\":\"desc\"}}]}",
>   "used_indices": [
>     {
>       "index_name": "graylog_68",
>       "begin": "*2015-10-13T04:49:10.000Z*",
>       "end": "*45785588-04-17T16:01:23.968Z*",
>       "calculated_at": "2015-11-27T16:49:39.020Z",
>       "took_ms": 549
>     },
>     {
>       "index_name": "graylog_39",
>       "begin": "*2015-09-20T04:25:09.000Z*",
>       "end": "*47647-07-06T20:25:12.000Z*",
>       "calculated_at": "2015-11-27T16:51:24.225Z",
>       "took_ms": 1183
>     },
>     {
>       "index_name": "graylog_59",
>       "begin": "*2015-10-13T04:42:01.000Z*",
>       "end": "*4580087-11-01T15:58:31.008Z*",
>       "calculated_at": "2015-11-27T16:50:50.092Z",
>       "took_ms": 353
>     },
>     {
>       "index_name": "graylog_63",
>       "begin": "*2015-10-11T04:25:15.000Z*",
>       "end": "*47647-07-27T04:17:25.000Z*",
>       "calculated_at": "2015-11-27T16:50:50.713Z",
>       "took_ms": 586
>     }
>   ],
>   "messages": [],
>   "fields": [],
>   "time": 6,
>   "total_results": 0,
>   "from": "*2015-11-30T13:25:53.314Z*",
>   "to": "*2015-11-30T14:25:53.315Z*"
> }
>

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.

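An added example (not part of the original thread and not Graylog code): a Python check over the index ranges quoted above that flags ranges ending after they were calculated, and shows why all four indices match the 2015-11-30 query window. The overlap test is a simplified model of index selection; the one-day skew allowance, the function names and the `example_ok` range are assumptions made for the illustration.

```python
import re

ISO_RE = re.compile(r"(\d{4,})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(?:\.(\d+))?Z")

def epoch_seconds(ts):
    """ISO-8601 UTC string -> seconds since 1970; works past year 9999, where datetime fails."""
    m = ISO_RE.fullmatch(ts)
    if m is None:
        raise ValueError(f"unparseable timestamp: {ts!r}")
    y, mo, d, hh, mi, ss = (int(g) for g in m.groups()[:6])
    frac = float("0." + (m.group(7) or "0"))
    # Days since 1970-01-01 in the proleptic Gregorian calendar (days-from-civil method).
    if mo <= 2:
        y -= 1
    era, yoe = divmod(y, 400)
    doy = (153 * (mo + (-3 if mo > 2 else 9)) + 2) // 5 + d - 1
    days = era * 146097 + yoe * 365 + yoe // 4 - yoe // 100 + doy - 719468
    return days * 86400 + hh * 3600 + mi * 60 + ss + frac

# (name, begin, end, calculated_at) copied from the "used_indices" output quoted above,
# emphasis asterisks dropped; "example_ok" is a constructed healthy range for contrast.
RANGES = [
    ("graylog_68", "2015-10-13T04:49:10.000Z", "45785588-04-17T16:01:23.968Z", "2015-11-27T16:49:39.020Z"),
    ("graylog_39", "2015-09-20T04:25:09.000Z", "47647-07-06T20:25:12.000Z", "2015-11-27T16:51:24.225Z"),
    ("graylog_59", "2015-10-13T04:42:01.000Z", "4580087-11-01T15:58:31.008Z", "2015-11-27T16:50:50.092Z"),
    ("graylog_63", "2015-10-11T04:25:15.000Z", "47647-07-27T04:17:25.000Z", "2015-11-27T16:50:50.713Z"),
    ("example_ok", "2015-11-01T00:00:00.000Z", "2015-11-05T00:00:00.000Z", "2015-11-27T16:52:00.000Z"),
]

def suspicious(ranges, skew=86400):
    """Names of ranges that end after they were calculated (plus skew) or before they begin."""
    out = []
    for name, begin, end, calc in ranges:
        b, e, c = epoch_seconds(begin), epoch_seconds(end), epoch_seconds(calc)
        if e > c + skew or e < b:
            out.append(name)
    return out

def selected(ranges, frm, to):
    """Names of ranges overlapping the query window [frm, to] (simplified selection model)."""
    f, t = epoch_seconds(frm), epoch_seconds(to)
    return [n for n, b, e, _ in ranges if epoch_seconds(b) <= t and epoch_seconds(e) >= f]

if __name__ == "__main__":
    print("suspicious:", suspicious(RANGES))
    print("selected:", selected(RANGES, "2015-11-30T13:25:53.314Z", "2015-11-30T14:25:53.315Z"))
```

Every `graylog_*` range in the sample is both flagged and selected for the query window, while the constructed healthy range is neither.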