Compatibility with Graylog's data

pad · March 15, 2017, 12:18pm

Hi,

I’m trying to use the Graylog’s data in ElasticSearch to analyse the data and cross it with others.

But the timestamp isn’t in the correct format and I think that why I have this error :

“SearchPhaseExecutionException[Failed to execute phase [query], all shards failed; shardFailures {[iYywti_LSNKySzszsTnnzA][graylog2_0][0]: SearchParseException[[graylog2_0][0]: from[-1],size[0]: Parse Failure [Failed to parse source [{"size":0,"query":{"bool":{"must":[{"range":{"timestamp":{"gte":"1489558035376","lte":"1489579635376","format":"epoch_millis"}}},{"query_string":{"analyze_wildcard":true,"query":""}}]}},"aggs":{"2":{"date_histogram":{"interval":"10s","field":"timestamp","min_doc_count":0,"extended_bounds":{"min":"1489558035376","max":"1489579635376"},"format":"epoch_millis"},"aggs":{}}}}]]]; nested: IllegalArgumentException[Invalid format: [epoch_millis]: Illegal pattern component: p]; nested: IllegalArgumentException[Illegal pattern component: p]; }{[iYywti_LSNKySzszsTnnzA][graylog2_1][0]: SearchParseException[[graylog2_1][0]: from[-1],size[0]: Parse Failure [Failed to parse source [{"size":0,"query":{"bool":{"must":[{"range":{"timestamp":{"gte":"1489558035376","lte":"1489579635376","format":"epoch_millis"}}},{"query_string":{"analyze_wildcard":true,"query":""}}]}},"aggs":{"2":{"date_histogram":{"interval":"10s","field":"timestamp","min_doc_count":0,"extended_bounds":{"min":"1489558035376","max":"1489579635376"},"format":"epoch_millis"},"aggs":{}}}}]]]; nested: IllegalArgumentException[Invalid format: [epoch_millis]: Illegal pattern component: p]; nested: IllegalArgumentException[Illegal pattern component: p]; }]”

Can you tell me if it’s possible to change the format of the timestamp in Grafana to match the Elasticsearch’s data?

FYI: here’s an example of timestamp I try to use => 2017-03-15 11:11:13.236

Thanks

torkel · March 15, 2017, 12:59pm

Do you know the Elasticsearch index mapping? What ES type does the date field have in the index mapping definition? What version of Elasticsearch are you using? Have you specified version in the Grafana data source edit page?

pad · March 15, 2017, 2:10pm

The version of ES: 1.7.3
The index mapping for the timestamp value

timestamp: {
type: “date”,
doc_values: true,
format: “yyyy-MM-dd HH:mm:ss.SSS”
}

In the Grafana datasource, I specified 2.x version

So my question was can we use a different date format than epoch_millis?
(The Graylog was installed before we decide to use Grafana so we didn’t configure it for this purpose.)

Thanks

torkel · March 15, 2017, 3:43pm

Grafana 4.x does not support ES 1.x, only ES 2.x and 5.x

If you need to use 1.x you need to use Grafana 3.x

pad · March 15, 2017, 4:00pm

Thanks, I was afraid of that
I’ll try to update our stack to manage this case.

Thanks again.

comradin · March 21, 2017, 6:43pm

Hi,

this is kind of off-topic but the current graylog release (2.2.2) supports ES versions up to 2.4.x.

You should consider an upgrade.

Topic		Replies	Views
No date field named @timestamp or timestamp found using graylog - elasticsearch Elasticsearch	5	10531	June 5, 2023
Problem query Graylog's Elasticsearch with Grafana Elasticsearch	3	2128	July 22, 2017
No date field named @timestamp found - elasticsearch Elasticsearch elasticsearch , timestamp	14	32991	January 19, 2022
Date field missing while adding elastic search source in graphana Configuration	3	439	January 12, 2021
Elasticsearch timestamp in UTC but Grafana is interpreting it as EST Elasticsearch	1	2016	March 5, 2020

Compatibility with Graylog's data

Related topics