Hi Matthieu, you can clearly see in query_2.json and query_4.json that there's a log message with a broken timestamp (or rather veeery far in the future). The mappings for the "timestamp" field from query_1.json look good.
If you don't want to keep the message with the broken timestamp, you can remove it with the Elasticsearch Delete API (https://www.elastic.co/guide/en/elasticsearch/reference/1.7/docs-delete.html). Example:

$ curl -XDELETE 'http://localhost:9200/graylog_68/message/2cf4e8b1-72f5-11e5-8f76-005056b775ee'

Make sure to reopen that index first, so that it can be modified.

Cheers,
Jochen

On Monday, 7 December 2015 14:30:38 UTC+1, Mathieu Grzybek wrote:
>
> Hi Jochen,
>
> Here are the attached results.
>
> Mathieu
> On 7 Dec 2015 11:21 AM, Jochen Schalanda wrote:
>
>> Hi Matthieu,
>>
>> it looks like the "timestamp" field in your Elasticsearch indices is
>> broken or at least one message with a broken timestamp is in those indices.
>>
>> Please post the output of the following commands (run against one of your
>> Elasticsearch nodes):
>>
>> curl 'http://localhost:9200/graylog_*/_mapping?size=100&pretty=true'
>>
>> curl 'http://localhost:9200/graylog_*/message/_search?search_type=count&size=100&pretty=true' -d '{
>>   "aggregations": {
>>     "min": {
>>       "min": {
>>         "field": "timestamp"
>>       }
>>     },
>>     "max": {
>>       "max": {
>>         "field": "timestamp"
>>       }
>>     }
>>   }
>> }'
>>
>> curl 'http://localhost:9200/graylog_*/message/_search?size=1&pretty=true' -d '{ "sort" : [ {"timestamp" : { "order" : "asc" } } ] }'
>>
>> curl 'http://localhost:9200/graylog_*/message/_search?size=1&pretty=true' -d '{ "sort" : [ {"timestamp" : { "order" : "desc" } } ] }'
>>
>> Cheers,
>> Jochen
>>
>> On Saturday, 5 December 2015 20:22:04 UTC+1, Mathieu Grzybek wrote:
>>>
>>> I upgraded to version 1.2.2 and the problem was solved for a few
>>> weeks but appeared again.
>>> I figured out that I need to recalculate the index time ranges to get
>>> the job done, then it fails again.
>>> A query's details show that the wrong indexes are used:
>>>
>>> {
>>>   "query": "tags:\"foo, bar\"",
>>>   "built_query": "{\"from\":0,\"size\":150,\"query\":{\"filtered\":{\"query\":{\"query_string\":{\"query\":\"tags:\\\"foo, bar\\\"\",\"allow_leading_wildcard\":false}},\"filter\":{\"bool\":{\"must\":{\"range\":{\"timestamp\":{\"from\":\"*2015-11-30 13:25:53.307*\",\"to\":\"*2015-11-30 14:25:53.307*\",\"include_lower\":true,\"include_upper\":true}}}}}}},\"sort\":[{\"timestamp\":{\"order\":\"desc\"}}]}",
>>>   "used_indices": [
>>>     {
>>>       "index_name": "graylog_68",
>>>       "begin": "*2015-10-13T04:49:10.000Z*",
>>>       "end": "*45785588-04-17T16:01:23.968Z*",
>>>       "calculated_at": "2015-11-27T16:49:39.020Z",
>>>       "took_ms": 549
>>>     },
>>>     {
>>>       "index_name": "graylog_39",
>>>       "begin": "*2015-09-20T04:25:09.000Z*",
>>>       "end": "*47647-07-06T20:25:12.000Z*",
>>>       "calculated_at": "2015-11-27T16:51:24.225Z",
>>>       "took_ms": 1183
>>>     },
>>>     {
>>>       "index_name": "graylog_59",
>>>       "begin": "*2015-10-13T04:42:01.000Z*",
>>>       "end": "*4580087-11-01T15:58:31.008Z*",
>>>       "calculated_at": "2015-11-27T16:50:50.092Z",
>>>       "took_ms": 353
>>>     },
>>>     {
>>>       "index_name": "graylog_63",
>>>       "begin": "*2015-10-11T04:25:15.000Z*",
>>>       "end": "*47647-07-27T04:17:25.000Z*",
>>>       "calculated_at": "2015-11-27T16:50:50.713Z",
>>>       "took_ms": 586
>>>     }
>>>   ],
>>>   "messages": [],
>>>   "fields": [],
>>>   "time": 6,
>>>   "total_results": 0,
>>>   "from": "*2015-11-30T13:25:53.314Z*",
>>>   "to": "*2015-11-30T14:25:53.315Z*"
>>> }
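A check for the corrupted index time ranges shown in the quoted query details, as an added example that is not part of the original thread or Graylog's own code: it flags every index whose range ends in the future or begins after it ends. The `graylog_70` entry, the one-day skew tolerance and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Ranges copied from "used_indices" above (mail emphasis asterisks stripped).
# graylog_70 is a constructed healthy entry added for contrast.
USED_INDICES = [
    {"index_name": "graylog_68", "begin": "2015-10-13T04:49:10.000Z",
     "end": "45785588-04-17T16:01:23.968Z"},
    {"index_name": "graylog_39", "begin": "2015-09-20T04:25:09.000Z",
     "end": "47647-07-06T20:25:12.000Z"},
    {"index_name": "graylog_59", "begin": "2015-10-13T04:42:01.000Z",
     "end": "4580087-11-01T15:58:31.008Z"},
    {"index_name": "graylog_63", "begin": "2015-10-11T04:25:15.000Z",
     "end": "47647-07-27T04:17:25.000Z"},
    {"index_name": "graylog_70", "begin": "2015-11-20T00:00:00.000Z",
     "end": "2015-11-27T12:00:00.000Z"},
]

TS_RE = re.compile(r"(\d+)-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(?:\.\d+)?Z")


def sort_key(ts):
    """Parse a UTC timestamp into an integer tuple; datetime cannot hold years > 9999."""
    m = TS_RE.fullmatch(ts.strip("*"))
    if m is None:
        raise ValueError(f"unparseable timestamp: {ts!r}")
    return tuple(int(g) for g in m.groups())


def suspect_indices(indices, now, max_skew=timedelta(days=1)):
    """Return names of indices whose range ends after now + max_skew or begins after it ends."""
    limit = now.astimezone(timezone.utc) + max_skew
    limit_key = (limit.year, limit.month, limit.day,
                 limit.hour, limit.minute, limit.second)
    flagged = []
    for idx in indices:
        begin, end = sort_key(idx["begin"]), sort_key(idx["end"])
        if end > limit_key or begin > end:
            flagged.append(idx["index_name"])
    return flagged


if __name__ == "__main__":
    now = datetime(2015, 11, 30, 14, 25, 53, tzinfo=timezone.utc)
    print(suspect_indices(USED_INDICES, now))
```

Each flagged index holds at least one message with a far-future timestamp, so after that message is deleted the index time ranges have to be recalculated, as described in the thread.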
