Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Custom search for aggregation shows empty field list #16549

Open juliohm1978 opened 1 year ago

juliohm1978 commented 1 year ago

Expected Behavior

Expected behavior is to have all search fields available to create aggregation tables.

Current Behavior

The field list in the custom search to create aggregation tables does not show any fields.

Possible Solution

As a workaround, I can rotate the indices and the fields will come back to that list.

Steps to Reproduce (for bugs)

Not sure how to reproduce this, since it randomly happens in our production environment. Lab and Staging environments with a smaller index database do not have this behavior.

Your Environment

juliohm1978 commented 1 year ago

Just adding more detail to this. We noticed that Graylog acquires the field list from the Graylog API:

https://GRAYLOG_SERVER/api/views/fields

It sends a POST request to the API endpoint and a JSON response with the field list is expected.

Oddly enough, we can talk to this endpoint using GET requests and the field list is available.

curl -v -X GET -u admin:(REDACTED) -H "Accept: application/json" -H "X-Requested-By: XMLHttpRequest"  https://GRAYLOG_SERVER/api/views/fields
[{"name":"labels_heritage","type":{"type":"string","properties":  ....

But using the POST request method returns an empty response:

curl -v -X POST -u admin:(REDACTED) -H "Accept: application/json" -H "X-Requested-By: XMLHttpRequest"  https://GRAYLOG_SERVER/api/views/fields

dennisoelkers commented 1 year ago

Hey @juliohm1978,

thanks a lot for reporting this and already digging into it, much appreciated!

I think the POST request does not return a response, because it requires a request object in its body (containing a streams and a timerange property), so that might be a red herring. Can you see anything in your browser's JS console when your fields sidebar is empty? Do you see anything in your Graylog server log?

juliohm1978 commented 1 year ago

Hi @dennisoelkers

No errors in the browser JS console, and no log messages in the container output either. Such a silent buzz kill :laughing:

Once the indices are rotated, that POST request to /api/views/fields works again. But it soon stops working and starts returning empty responses.

juliohm1978 commented 1 year ago

After upgrading to Graylog 5.1.5, the problem is no longer reproducible. Will reopen if we experience it again.

Thank you!

juliohm1978 commented 1 year ago

I'm reopening the issue because of its intermittent nature. Recently, it reappeared.

We are able to work around it by restarting the Graylog server.

janheise commented 3 months ago

@dennisoelkers would you mind checking if your changes in June '24 are also supposed to address this bug before I start investigating again? See https://github.com/Graylog2/graylog2-server/blame/51742ed4653635b2dd94ab2bb4930551f335d70b/graylog2-server/src/main/java/org/graylog/plugins/views/search/rest/FieldTypesResource.java#L85