Closed (vlnrajesh closed this issue 6 years ago)
I am not sure if there is any wrong configuration I made, or if this is a known issue about the trail not getting refreshed automatically or not tailing continuously?
Do you have the play button? I only found it when I tried it not on Linux.
I am having a similar issue on 5.6.5-0.1.23 and 5.4.3-0.1.17. After the first search, a few refreshes come in with additional data, but nothing more after that.
I've added debugging statements and, in the JS console, I see the search requests coming in. But the timestamp in doSearch() is never updated, and thus no new results are being retrieved. From what I can tell, the logic in doTail() with the doSearch call using 'gte' and adjustedLastEventTime should work. I can't tell if it's a problem with the plugin or an issue with the ES cluster I have this hooked up to.
Not sure if it matters, but I'm running Kibana in a local Docker image on my notebook, wired to a remote ES cluster in another environment. Prior to this, I built a test v6 ELK stack and loaded it with mock data via some Python, and that seemed to function just fine (with live tailing at least).
Any suggestions?
Logtrail live tail works by querying ES for new data with a timestamp GTE the timestamp of the latest event (the bottom-most event) in the event view. Can you check the timestamp field mapped in logtrail.json? Also check whether all events are stored in the UTC timezone in ES. Logtrail logs the search query in debug mode. You can take the timestamp shown in the debug console, manually query ES for events GTE that timestamp, and check whether it returns any documents:
curl -X GET "localhost:9200/<index_pattern>/_search" -H 'Content-Type: application/json' -d'
{
  "query": {
    "range": {
      "timestamp_field": {
        "gte": <value_of_latest_timestamp_from_debug_console>
      }
    }
  }
}
'
I figured out the issue. The problem was that our log rate was too high: the timestamp of the "last event" was the same as the timestamp of the first one, so on subsequent refreshes the date was never changing. I had to make a patch which just took the current timestamp (rather than depending upon the logs from the previous query) and put that in the arguments, which seemed to resolve the issue.
By default, logtrail fetches 500 events per query. If your log ingestion rate is high, increasing max_buckets from 500 to a larger value should help. It should be more than the maximum number of events received within the configured tail_interval_in_seconds interval. Say you receive more than 6000 events per minute and tail_interval_in_seconds is 10 seconds: set max_buckets to 1200.
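As an added example (not Logtrail's code and not posted by anyone in this thread), the following JavaScript simulates the tail loop described above: each refresh queries for events GTE the timestamp of the bottom-most event of the previous page. It reproduces the stall reported earlier (a page full of events that share one timestamp never moves the window) and applies the max_buckets sizing rule from the previous comment. The function names (makeEvents, searchSince, tail, pageSizeFor), the ascending-sort simplification of the real query, and all event data are assumptions constructed for this example.

```javascript
// Added example, not Logtrail's own code. Models a live-tail loop that
// queries "timestamp gte <last event timestamp>" with a fixed page size,
// and shows when that window stalls. Event data is constructed inline.

// Constructed index: `count` events with second-granularity timestamps,
// `perSecond` of them sharing each second, sorted ascending by timestamp
// (a simplification of the real query's sort order).
function makeEvents(count, perSecond, startMs = 1700000000000) {
  const events = [];
  for (let i = 0; i < count; i++) {
    events.push({ id: i, timestamp: startMs + Math.floor(i / perSecond) * 1000 });
  }
  return events;
}

// Stand-in for the ES range query quoted in this thread:
//   {"query": {"range": {"timestamp": {"gte": since}}}} with "size": size
function searchSince(events, since, size) {
  return events.filter((e) => e.timestamp >= since).slice(0, size);
}

// Runs `refreshes` tail iterations. Each refresh queries gte the timestamp
// of the bottom-most event of the previous page (adjustedLastEventTime in
// the thread). Returns how many distinct events were ever displayed and
// where the window ended, so a stalled window is visible in the result.
function tail(events, pageSize, refreshes) {
  const seen = new Set();
  let since = events.length ? events[0].timestamp : 0;
  for (let r = 0; r < refreshes; r++) {
    const page = searchSince(events, since, pageSize);
    if (page.length === 0) break;
    page.forEach((e) => seen.add(e.id));
    // If every event on the page shares one timestamp, `since` never moves.
    since = page[page.length - 1].timestamp;
  }
  return { seen: seen.size, since };
}

// Sizing rule from the maintainer's comment: max_buckets must exceed the
// events that can arrive within one tail_interval_in_seconds. The headroom
// factor is an assumption; 1.2 reproduces the 6000/min, 10 s -> 1200 figure.
function pageSizeFor(eventsPerMinute, tailIntervalSeconds, headroom = 1.2) {
  const perInterval = (eventsPerMinute / 60) * tailIntervalSeconds;
  return Math.ceil(perInterval * headroom);
}

// Stand-alone run: a burst of 600 events/s (36000/min) for 5 seconds,
// tailed every 1 s. The default page of 500 never gets past the first
// second; a page sized above the per-interval count drains the backlog.
const burst = makeEvents(3000, 600);
const stalled = tail(burst, 500, 20);
const healthy = tail(burst, pageSizeFor(36000, 1), 20);
console.log(`max_buckets=500 -> distinct events seen: ${stalled.seen}`);
console.log(`max_buckets=${pageSizeFor(36000, 1)} -> distinct events seen: ${healthy.seen}`);
```

The stall condition in this model is a page size less than or equal to the number of events sharing the last timestamp; the maintainer's rule (page size above the events per tail interval) is strictly stronger, since one timestamp tick is never longer than the interval, which is why it also fixes the case the reporter hit.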
I have integrated logtrail with ELK 6.3.0, but the logs are not getting refreshed until I manually click on the search button. Please advise.