Valid Query Returns No Results about enterprise-log-search-and-archive HOT 8 CLOSED

Unfortunately, host is special because it is actually stored as an integer, not 
a string, and doesn't show up in the message.  When you search for the IP 
listed without the "host:" prefix, ELSA has to interpret it as a literal 
string, which won't match the integer representation in the host field.  I 
attempted a possible fix which would be to always search for both the IP and 
its integer representation, but that introduced other inconsistencies and 
unexpected search results.  I may look at this again, but right now I don't see 
a good way of fixing this.

Sorry, that was actually a copy and paste error. Host *is* in the second query, 
just like the first. The only difference is that I add a zero to the limit 
argument and then I get zero results.

Ah, that's a very different problem!  So you see now debug messages or 
otherwise in the log to indicate that it tried to batch?

Here are the last few lines from the query that failed:

* TRACE [2012/07/25 15:06:15] /usr/local/elsa/web/lib/API.pm (2121) 
API::_unlimited_sphinx_query 1338 [undef]
total: 9967, overall_limit: 10000
* TRACE [2012/07/25 15:06:18] /usr/local/elsa/web/lib/API.pm (2143) 
API::_unlimited_sphinx_query 1338 [undef]
query got 1000 of 51822 results
* DEBUG [2012/07/25 15:06:18] /usr/local/elsa/web/lib/API.pm (2171) 
API::_unlimited_sphinx_query 1338 [undef]
found latest time: 1343155405 Tue Jul 24 13:43:25 2012
* DEBUG [2012/07/25 15:06:18] /usr/local/elsa/web/lib/API.pm (2186) 
API::_unlimited_sphinx_query 1338 [undef]
received: 10000 of 757126 with overall limit 10000
* DEBUG [2012/07/25 15:06:18] /usr/local/elsa/web/lib/API.pm (2193) 
API::_unlimited_sphinx_query 1338 [undef]
completed unlimited query in 39.5081880092621 with 10000 rows
* INFO [2012/07/25 15:06:19] /usr/local/elsa/web/lib/API.pm (1606) API::query 
1338 [undef]
Query 173 returned 0 rows

Here are the last few from the query that succeeds:

* TRACE [2012/07/25 15:08:17] /usr/local/elsa/web/lib/API.pm (1921) 
API::__ANON__ 1341 [undef]
node 127.0.0.1 got db rows: 1000
* DEBUG [2012/07/25 15:08:17] /usr/local/elsa/web/lib/API.pm (2097) 
API::_sphinx_query 1341 [undef]
completed query in 4.19301795959473 with 1000 rows
* INFO [2012/07/25 15:08:17] /usr/local/elsa/web/lib/API.pm (1606) API::query 
1341 [undef]
Query 174 returned 1000 rows

Prior to these entries there is a really big line with a bunch of question 
marks and integers, separated by commas.

Ok, that's good, it did finish:
completed unlimited query in 39.5081880092621 with 10000 rows
So, there should be a CSV file somewhere (it's supposed to email you with those 
results) created in the bulk_dir (/tmp by default).

I don't see any *.csv files in /tmp, but there are a lot of files with names 
that look like MD5 checksums. Are those what I am looking for?

The MD5 files are session stores and are unrelated.  And I was mistaken, the 
files are .json, not .csv.  Are there any .json files?

Closing due to inactivity.