Search Trouble

[GoogleCodeExporter]

From the Web UI, I can search for "1" and see a specific record, for which the 
program field is something like: "%cdp-3-updown".

My problem (maybe I am going about it the wrong way) is that I can search for 
the keyword 'up' or 'down' but never 'updown' or 'up +down'. The first two 
searches return results however the last two returns nothing.

How can I troubleshoot this problem?

Thanks.

Original issue reported on code.google.com by D00050...@dmail.dixie.edu on 5 Mar 2012 at 11:52

[GoogleCodeExporter]

The program field is stored as a single keyword, so you cannot search for 
individual parts of the word.  Also, if the program word had been part of the 
message, "updown" would not be searchable either in that form because hyphens 
count as "letters" for the purposes of making up entire keywords.  So do 
periods, underscores and at signs.

Original comment by mchol...@gmail.com on 6 Mar 2012 at 2:39

• Changed state: Done
• Added labels: Type-Other
• Removed labels: Type-Defect

[GoogleCodeExporter]

That makes sense. So, if my program field pulls up like this from on of the 
records of the aforementioned search: program=%cdp-4-duplex_mismatch to find 
other records that have the same program content, would the search look like 
this: "program=%cdp-4-duplex_mismatch" or "%cdp-4-duplex_mismatch". Neither 
pulls any records; however the first gives this error: 

Errors: index 
perm_155,perm_156,perm_157,perm_158,perm_159,perm_160,perm_161,perm_162,perm_163
,perm_164,perm_165,perm_166,perm_167,perm_168,perm_169,perm_170,perm_171,perm_17
2,perm_173,perm_174,perm_175,perm_176,perm_177,perm_178,perm_179,perm_180,perm_1
81,perm_182,perm_183,perm_184,perm_185,perm_186,perm_187,perm_188,perm_189: 
fullscan requires extern docinfo

and the second just pulls 0 records. Am I thinking ELSA should be doing 
something other than it was designed or do I need to troubleshoot my install?

Thanks.

Original comment by D00050...@dmail.dixie.edu on 6 Mar 2012 at 6:05

[GoogleCodeExporter]

You are experiencing the temp index limit.  See the docs under: 
http://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#In
dex_Configuration .

Original comment by mchol...@gmail.com on 6 Mar 2012 at 6:58

[GoogleCodeExporter]

When doing the process mentioned in the above link, I come up with more errors. 
Manly that I cannot seem to run this: "perl /usr/local/elsa/node/elsa.pl -c 
/etc/elsa_node.conf -on" command successfully after running this command: "mv 
/etc/elsa_node.conf /etc/elsa_node.conf.bak". 

If I do not rename the elsa_node.conf file, then I get this error: 

Sphinx 2.1.0-id64-dev (r3119)
Copyright (c) 2001-2012, Andrew Aksyonoff
Copyright (c) 2008-2012, Sphinx Technologies Inc (http://sphinxsearch.com)

FATAL: no readable config file (looked in /usr/local/sphinx/etc/sphinx.conf, 
./sphinx.conf)

When running this command: "/usr/local/sphinx/bin/indexer --rotate --all".

What am I doing incorrectly?

Thank you.

Original comment by D00050...@dmail.dixie.edu on 6 Mar 2012 at 9:37

[GoogleCodeExporter]

Sorry, I had a type-oh in the documentation, that should've been:
mv /usr/local/etc/sphinx.conf /usr/local/etc/sphinx.conf.bak

Original comment by mchol...@gmail.com on 6 Mar 2012 at 10:06

[GoogleCodeExporter]

Ok, when re-doing the operation I get the same error. How can I tell where it 
went wrong? 

Thanks!

Original comment by D00050...@dmail.dixie.edu on 6 Mar 2012 at 11:36

[GoogleCodeExporter]

Sorry, need to clarify that the system says I have a sphinx conf file 
"sphinx1.conf"

$ sudo perl /usr/local/elsa/node/elsa.pl -c /etc/elsa_node.conf -on
Wrote new config to file /usr/local/etc/sphinx1.conf
Running once
$ sh: turning off NDELAY mode
sudo service searchd stop
Stopping searchd
$ 

Thanks again.

Original comment by D00050...@dmail.dixie.edu on 6 Mar 2012 at 11:50

[GoogleCodeExporter]

First off, I want to say that doing all temp indexes is not recommended unless 
you have an enormous amount of RAM and not that many logs.  If you go this 
route, keep a sharp eye on your memory utilization.

Searchd should run from /usr/local/etc/sphinx.conf.  If you somehow got 
sphinx1.conf, you need to rename it to sphinx.conf.  I suspect that you changed 
the name in the config file.  Then, continue with the directions and re-run the 
indexing:
sudo /usr/local/sphinx/bin/indexer --rotate --all --config 
/usr/local/etc/sphinx.conf
sudo service searchd start

After that, you should be good to start syslog-ng.

Original comment by mchol...@gmail.com on 7 Mar 2012 at 1:52

[GoogleCodeExporter]

Yes, that is what I did and I have it working again. However, I still
cannot create a search that will pull up only those programs I want. The
search method seems to me "broken" because of my miss-unsderstanding of how
it is supposed to work.

How can I search for a specific program?

Thanks.

On Tue, Mar 6, 2012 at 6:52 PM, <
enterprise-log-search-and-archive@googlecode.com> wrote:

Original comment by D00050...@dmail.dixie.edu on 7 Mar 2012 at 5:56

[GoogleCodeExporter]

Ah, found a bug when the program contains the "%" symbol.  I have a fix for 
this and will be committing that to the codebase soon.

Original comment by mchol...@gmail.com on 7 Mar 2012 at 7:22

• Changed state: Started
• Added labels: Type-Defect
• Removed labels: Type-Other

[GoogleCodeExporter]

How can I get the fix for this? Is there an update process or do I have to 
re-install?

Thank you for working with me through this trouble!

Original comment by D00050...@dmail.dixie.edu on 8 Mar 2012 at 8:07

[GoogleCodeExporter]

This should be fixed in the latest commit.  You can update by running sh 
install.sh web update.

Original comment by mchol...@gmail.com on 8 Mar 2012 at 8:36

[GoogleCodeExporter]

Ok, that update allowed me to search just as you described.

Thank you.

Original comment by D00050...@dmail.dixie.edu on 20 Mar 2012 at 11:03

[GoogleCodeExporter]

Original comment by mchol...@gmail.com on 21 Mar 2012 at 3:50

• Changed state: Fixed