graylog2-server icon indicating copy to clipboard operation
graylog2-server copied to clipboard
verified publisher icon Graylog2

Default message sorting in search results is not transparent in 5.1 and beyond

Open Joel-Duffield-Graylog opened this issue 1 year ago • 0 comments

As of Graylog 5.1 when you perform a search the default sort order shown is timestamp, however in actuality it is timestamp and then gl2_message_id. This can cause problems is data types are incorrect on the gl2_message_id field, because you will get an error about being unable to run aggregations on the gl2_message_id field, however to the user that field does not appear to be used in any aggregations.

Expected Behavior

Current Behavior

The two major issues are that nothing in the product tells you this is happening, the sort order just says timestamp, and there is absolutely no way to override this behaviour if you wanted to. You can change the sort to another timestamp field, a beats timestamp field for example, but you need to do that every time.

Possible Solution

  • An option to disable this function in server.conf etc, with some sort of appropriate warning message that points you towards this.
  • Using a special brand new sort field as the default called timestamp+message_id, and you could still choose the regular timestamp field as the sort and it would behave like it did pre 5.1.

Steps to Reproduce (for bugs)

  1. change the gl2_message_is field to any data type other than keyword
  2. load the search page

Context

Your Environment

  • Graylog Version: 5.1+

Joel-Duffield-Graylog avatar Feb 21 '24 19:02 Joel-Duffield-Graylog