Hello Edmundo,

thanks for the prompt reply. Opening the closed indices in question in the 
web interface is not possible either, so I will open an issue with the 
information you requested, albeit that'll take some time. Here's the 
general outline:

If elasticsearch_max_number_of_indices in graylog2.conf is set to N, the 
Indices page in the web interface will show N indices altogether, which 
includes the write-active index. For all indices except the write-active 
one, the only actions available are 'close' and 'delete'. In elasticsearch, 
all indices listed by Graylog are marked open. None of the indices marked 
closed is available for action via the web interface.

I think you're correct with the assessment that Graylog doesn't know how to 
properly un-manage its indices.

Again, I'll follow up with a detailed issue soon and link it here.

Thanks & best regards,
J.

On Thursday, July 31, 2014 1:28:13 AM UTC+9, Edmundo Alvarez wrote:
>
> Hello, 
>
> I think the problem is that Graylog2 can’t tell if you opened that old 
> index manually or if it was already open. Could you please try to open the 
> index by using the Graylog2 web interface? To do that, click on "System" -> 
> "Indices" and open the closed index you want to use for searching. 
>
> Please feel free to open an issue including logs from Graylog2 web 
> interface, server, and Elasticsearch if that doesn’t work either, so we can 
> investigate the issue further. 
>
> Regards, 
>
> Edmundo Alvarez 
> Developer 
>
> Tel.: +49 (0)40 609 452 077 
> Fax.: +49 (0)40 609 452 078 
>
> TORCH GmbH 
> Steckelhörn 11 
> 20457 Hamburg 
> Germany 
> https://www.torch.sh/ 
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
> Geschäftsführer: Lennart Koopmann (CEO) 
>
> On 30 Jul 2014, at 09:28, J John <jens....@gmail.com> wrote: 
>
> > Good day; 
> > 
> > the comments in the example graylog2 server configuration file currently 
> read as follows: 
> > 
> > # Decide what happens with the oldest indices when the maximum number of indices is reached. 
> > # The following strategies are available: 
> > #   - delete # Deletes the index completely (Default) 
> > #   - close # Closes the index and hides it from the system. Can be re-opened later. 
> > retention_strategy = close 
> > 
> > I am using the setting for retention_strategy as shown above. 
> > 
> > My question is about the comment 'can be re-opened later': after closing 
> an old index, I now want to search through the messages in it with Graylog. 
> When I tell elasticsearch to re-open the index I want to search, the index 
> for a short interval becomes live in Graylog (the message count on the 
> Streams page includes the message of the re-opened index) but gets closed 
> by Graylog automatically a moment later, making it again unavailable for 
> search. 
> > 
> > Is this intended behaviour, meaning that I am supposed to increase the 
> maximum number of allowed indices to accommodate the re-opened indices, 
> then reload the server config/restart the server and THEN be able to search 
> through the old indices (meaning that I have to perform the steps in 
> reverse to get them offline again)? Or is this unintended and should I open 
> an issue about it, because this is obviously a rather tedious/inconvenient 
> process that can be improved? I haven't seen any issues that address this 
> problem in this form. 
> > 
> > Best regards, 
> > J 
> > 
> > -- 
> > You received this message because you are subscribed to the Google 
> Groups "graylog2" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to graylog2+u...@googlegroups.com. 
> > For more options, visit https://groups.google.com/d/optout. 
>
>
