You can manage size in three ways: Retain a certain number of logs Retain a certain period of logs Retain a certain size of logs
Thus, how you manage it is up to you. In the config file you can choose which of the above method you want to use, and set the thresholds. So I would turn the question around, and if space is your biggest concern, work backwards. Say you have 400Gb and want to use 75% for Elasticsearch (Mongo should remain small). Then, if you keep 20 indexes, each index size should be 15Gb Gb. The great thing is you can adjust this at any time. Also, if you look in system/overview and select indexes, you will get an overview of how much space you are using currently and over what period. This will give you a baseline to work from. The other option is to set up another Graylog instance using a different retention method, say index by week and retaining 2 weeks and see how much space that takes up. Your clients should be able to send to both. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/BF0D34B3-6306-4808-9C1C-A463587D5574%40gmail.com. For more options, visit https://groups.google.com/d/optout.