graylog2-web-interface

"up to in" index label

Open csm opened this issue 9 years ago • 8 comments

We have indices rotating every couple of hours, and we see the message next to each index name say "Contains messages up to in timeframe". I'm not sure what that's trying to say, but the "up to in" sounds wrong to me.

graylog-indices

csm avatar Mar 19 '15 23:03 csm

Hi,

Which Graylog version do you use? In 1.0 the index list loads in reverse order and it shows "up to", e.g. "Contains messages up to 22 days ago", so I assume you use an outdated version and I'm therefore closing the issue.

Graylog rotates the indices when the condition you set in the configuration is fulfilled, and those messages are trying to tell you the time of the last message that index contains.

Please refer to the mailing list or the IRC channel for further questions.

edmundoa avatar Mar 20 '15 09:03 edmundoa

I looked at the times in the screenshot again and I was wrong regarding the indices order, I should probably drink some coffee :)

I think this issue is related to incorrect timestamps on your log messages, or a wrong time configuration in Graylog. We expect that all messages are in the past from the current moment, but in most of your indices the last message is "after" the current time, so the message is incoherent. You can see how the messages for graylog2_44 and graylog2_43 are correct.

edmundoa avatar Mar 20 '15 09:03 edmundoa

It wouldn't surprise me if timestamps were not all correct, because log messages may have been delayed before being added to Graylog indices.

What I was pointing out is that I didn't think "up to in timeframe" instead of "up to timeframe" was grammatically correct.

csm avatar Mar 20 '15 19:03 csm

Oh, I see. I'll reopen the ticket and see what we can write there instead.

edmundoa avatar Mar 23 '15 09:03 edmundoa

"Up to 2 days in the future" would be grammatically correct but it still sounds strange. The actual problem is that either the time calculation is wrong or that the indices contain messages from the future (i.e. wrong timezone).

joschi avatar Mar 23 '15 09:03 joschi

FWIW, it's definitely possible that timestamps are in the past or future, since the data source here is a fairly messy collection of client-side logs.

csm avatar Mar 23 '15 20:03 csm

I have the same issue; mine says "Contains message from 7 months ago up to in 2 months ...". Assuming the incoming log timestamp got messed up, how can I look at and verify those messages in the Elasticsearch db?

tjyang avatar Oct 11 '16 18:10 tjyang

@tjyang You can simply select these messages in Graylog using the absolute time range by setting the end timestamp into the future (try 2 or 3 months).

If you would like to discuss this further, please post this issue to our public mailing list or join the #graylog channel on freenode IRC.

Thank you!

joschi avatar Oct 11 '16 20:10 joschi