search across multiple streams

[tehpanta]

This is more of an opinion than an issue per say. I have found that the implementation of index sets, as it is in current version (2.2 RC1) is limiting the usability of the feature and in some cases (not many I suppose) making it completely unusable altogether.

Expected Behavior and Context

Handling of the data should from my point of perspective be done right after receiving and parsing the message. Not after routing it to streams. Handling the data and organizing it to streams by datasets (and not allowing one stream to look into more data sets at the same time) is creating conflicting problems with different types of logs stored in different index sets.

Scenario to demonstrate:
I have 2 applications. APP1 and APP2. Both have different people in S2/S3 support and hence I need to differentiate user access. At the same time, both applications have two types of logfiles. Application logs and HTTP logs. HTTP logs are only important for the first 3 days. Application logs have to be kept for 3 months. I would expect that I can create a stream that will include all messages from index sets for application AND HTTP logs (and set permissions accordingly for appropriate teams only) to allow them to corelate HTTP logs with Application logs at the same time.

Current Behavior

I can only allow them to search one type of logs at any one time.
Or I can disable user restrictions and let everyone search in "All" stream (that contains trillions of data that is of no use to them and strains both elasticsearch nodes and graylog server nodes performance-wise).

Possible Solution

From my perspective there are 3 solutions:

Adopt ES 5.X to allow manual clean up (delete by query).
Move data handling process further back, closer to inputs and further from streams.
Allow one stream to use more index sets at the same time (this is probably the fastest solution).

Your Environment

• Graylog Version: 2.2 RC1
• Elasticsearch Version: 2.2
• Operating System: RedHat Linux 6/7
• Browser version: Any

[gruselglatz]

We are facing the same Problems right now. We have decided to not use the long awaited feature right now, because of the above mentioned Problem.

One solution would be, if we can create Some sort of "Context" in which Users can interact. So we could say "Context Support Mail" is able to search in all streams i declare to that context simultaneously. Also it should be possible to create Alerts based on that Context, over all Streams.

[tehpanta]

That certainly helps, but does not solve the whole issue. We need to corelate several types of logfiles in one stream (they share common identifiers of particular operations/functions/backend calls through which we can identify a problem in the whole chain of events. All these have different retention policies.

We are working on a framework completely outside graylog to manually clean up the elasticsearch datastore according to those retention policies, while maintaining the ability to search through all types of logs available. Its not an ideal solution, but untill this GrayLog functionality reflects our needs, we simply cannot take advantage of it (just like you).

Thanks for commenting though, I was beginning to think we are the only ones :)

[gruselglatz]

EDIT2: the text beneath is not correct, the messages got replicated to all Index_sets and indices... :( so no solution here. So we definitely need something like multiple index_sets on one stream, or something like writing streams which are writing to the index_set and reading streams, which are able to read from different sets.

@tehpanta we've found some "soultion" to this problem.

We found out, that the index_set with the longest retention time is used to store the messages when you have multiple streams with different index_sets from the same source.

So we decided that we add another 1day index_set, so we have index sets for: 1day, 15days, 20days, 30days and the default with 45days. We than have streams for 15days, 20days, 30days where we match with the gl2_remote_ip to the machines. then we have the default stream which maches nothing= the rest. And all other streams now get the 1day index_set. So we can achieve that all messages get stored in the corrrect index on ES and the rest is cosmetic and we have multiple retentions in one stream. YAY

i hope you got me :D

EDIT: Ok but we figured out that this is not constant... so this might or might not work as intended :(

So this can be used if we get some sort of priorizing index_set setting.

[tehpanta]

:( I was so pumped when I read the original reply in mail, rushed here to check it out more thoroughly and try to understand the process and then...one famous person would say...sad! :)

In any case...data handling features should never be on the most front-end part of the system...its just weird to handle it like this. Should it be on the backend-side of graylog (say inputs, pipeline could manage that...or something on this sort), it would be way, way more flexible for everyone (and easier to set-up and manage in the long-run).

Thanks for colaboration tough! Nice to see someone else try to make it work :)

[bernd]

@tehpanta I think the real feature you are asking for is "multiple stream search". That is, a user that has access to stream1, stream2 and stream3 should be able to search in all of those streams at the same time instead of having to search in each stream separately.

Would this solve the problem you currently have?

@gruselglatz Without more details about your stream routing setup, it's hard to tell if you are running into a bug or a misconfiguration. Please make sure to read the updated documentation for streams and the index model:

• http://docs.graylog.org/en/2.2/pages/streams.html#index-sets
• http://docs.graylog.org/en/2.2/pages/configuration/index_model.html

The docs explain how messages will be routed into index sets. Make sure to read the section about the "Remove matches from ‘All messages’ stream" flag for a stream and the role of the default "All messages" stream.

[tehpanta]

Yes, having the ability to search across several streams in one time would solve the issue.

But it has to be something different from "All messages", because we have dozens of scenarios and not just one.

Its definitely not a bug per say, to be honest. It is just that current design of the feature doesn't meet our needs, thats all :)

[bernd]

@tehpanta Right. We track this feature over at https://graylog.ideas.aha.io/ideas/GL2E-I-242, please make sure to vote for it. 😃

[tehpanta]

Well that is not exactly, what I would need honestly :) Many users in our environment have access to more than one application and they need to search in those applications (across different logfiles of that application). It can possibly be overcome by giving one user more accounts, where each account would be tied to certain application. But that would defeat LDAP/AD integration :(

What would solve my problem, and should be too difficult/time consuming to fix, is to allow one stream to display data from more than one index set. That would be ideal (apart from moving the whole data handling).

[kroepke]

I don't understand what you mean by "the whole data handling". I'm not sure it has anything to do with what you describe.

This feature is, from what I understand of the problem you are looking to solve, completely orthogonal to what you describe. In fact, nothing about Graylog has changed, other than that you can store separate streams in separate indices and apply separate rotation and retention policies to them (and of course elasticsearch index settings/mappings).
The intention is to support solving multiple operational issues:

• moving high volume sources into their own index, with high shard count and/or dedicated nodes via index allocation settings
• support different retention times for different types of data, while retaining efficient deletion of data (in a non-trivial environment delete by query will completely destroy your performance, not to mention that we intentionally set indices read only etc)
• physically separate data that needs to be thus separated by policy or law

We made the decision to base it around streams, because they were an already existing concept that settings, UI and security already revolved around. The global search was always a kind of a kludge to be honest.

That being said, we are aware that searching across multiple streams (or even logically grouping then into a "meta stream" that has similar representation in the system, i.e. can be chosen, searched in, have settings etc, but cannot be written to) is something that is required for certain workflows.
That being said, the feature never existed and if you could make your use case work with Graylog before, you should be able to make it work now.

What confuses me greatly is the notion that index sets somehow make this more difficult. Maybe I just misunderstand, but as I said they were designed to be orthogonal to what is being described in this issue.

Let me reiterate what I understand the situation is:
You have different sets of applications that produce different logs to be retained for a separate amounts of time.
In addition the visibility of those logs need to be controlled depending on a role (or multiple roles) of users.
E.g. "support" role only sees streams "logins", "registrations", "unsubscribe". "ops" sees those and in addition "network", "email" and "billing".
Each of these streams has different retention requirements (because of law, storage space and ingress volumes).
E.g. "network" is actually made up of several other streams, say your network devices across different datacenters, which are stored separately (and thus in different index sets).

Does that, at a high level, describe your situation?

We greatly appreciate the feedback!

[tehpanta]

Hello,

First of all, thank you all for reacting :)

As for the situation, yes, you described it pretty much exactly. Me saying "whole data-handling" is probably just my mental problem of having data handling configurations on the most front-end part of the system (ie. streams), sorry for repeating this rhethoric so many times :) Having data-handling configuration in the same UI as Streams is a bit clunky for me (having 100+ streams already). Having this feature separately in server configuration section would be much easier to maintain.

The ability to create meta streams, that will be able to display data from multiple index-sets would solve the issue completely. It would be a bit of a hassle, because we would have to create many additional streams, but that is something we can certainly live with :)

As for the notion, that "if you could make your use case work with Graylog before, you should be able to make it work now". That is of course true. We just can not use the new feature in its current state. Different retention is something we would really like (from a first hand analysis I have made some time ago, up to 50% of our data stored in ES is not necessary) and thus this issue was created.

Don't get me wrong guys, I love graylog with my whole heart and am a big fan of yours.

[kroepke]

Ok, then it makes sense to me.

I completely agree, the current UI was not designed to scale to hundreds of streams in terms of UX.
My primary intention was to figure out if there was something fundamentally wrong with the feature or if it simply not addressed your particular use case.
It seems the latter but luckily we figured out what's missing.

Thanks for clarifying and great to hear that we can help making your life a bit better!

[tehpanta]

A bit better is quite an understatement :)

We have two instances of GrayLog (one for TDA environments and one for PRO) and combined number of stored messages is in tens of trillions. We have also (as a part of budget saving project) made a preliminary savings analysis and GrayLog saves our company about 20 full time employees currently (big plans for this year and the next).

So thank you for that and for being so active (here and on IRC as well /big hello to joshi/) :)