I have graylog (2.2.3) and i want query its elasticsearch (2.4.4).
I add datasource elasticsearch 2x, i can query but when i query i dont have the same amount of data :
With same query on 5 minutes
From Graylog : 8796 data returned
From Grafana : 57 data returned
Grafana datasource configuration :
Index name : graylog*
Timestamp field name : timestamp
Pattern : no pattern
Version : 2.x
Why do not I get the same results?
Compare query sent to ES by Grafana with the one sent g Graylog
Graylog :
{
"from": 0,
"size": 150,
"query": {
"bool": {
"must": {
"query_string": {
"query": "\"myrouter\" AND (\"990-D\" OR \"991-D\" OR \"default-D\")",
"allow_leading_wildcard": true
}
},
"filter": {
"bool": {
"must": {
"range": {
"timestamp": {
"from": "2017-07-20 13:37:51.507",
"to": "2017-07-20 13:42:51.507",
"include_lower": true,
"include_upper": true
}
}
}
}
}
}
},
"sort": [
{
"timestamp": {
"order": "desc"
}
}
],
"highlight": {
"require_field_match": false,
"fields": {
"*": {
"fragment_size": 0,
"number_of_fragments": 0
}
}
}
}
Grafana :
{“search_type”:“count”,“ignore_unavailable”:true,“index”:“graylog*”}
{“size”:0,“query”:{“bool”:{“filter”:[{“range”:{“timestamp”:{“gte”:“1500557461375”,“lte”:“1500557761375”,“format”:“epoch_millis”}}},{“query_string”:{“analyze_wildcard”:true,“query”:"“myrouter” AND (“990-D” OR “991-D” OR “default-D”)"}}]}},“aggs”:{“2”:{“date_histogram”:{“interval”:“2s”,“field”:“timestamp”,“min_doc_count”:0,“extended_bounds”:{“min”:“1500557461375”,“max”:“1500557761375”},“format”:“epoch_millis”},“aggs”:{}}}}
Looks like the Graylog query returns unaggregated data. The Grafana query has a date histogram aggregation and groups in 2s intervals. Have you tried setting the Group by time interval field to be >5m (either in the data source settings or on the metrics tab of your panel)?
Also, the from and to timestamps are different so you are not comparing the same five minutes.