Add Indices to Graylog from Prior OpenSearch Path

1. Describe your incident:
After upgrading to MongoDB 5.0, OpenSearch 2.5, and Graylog 5.0, our previous indices are no longer appearing within Graylog.

2. Describe your environment:

  • OS Information:
    Ubuntu 20.04

  • Package Version:
    Graylog 5.0.3-1
    MongoDB 5.0.15
    OpenSearch 2.5.0

3. What steps have you already taken to try and solve the problem?
Our Graylog server build originally followed the documentation to use the tarball install and place OpenSearch in the path of /graylog/opensearch/. The Graylog 5.0 upgrade suggested using the Debian package, which installs in /usr/share/opensearch/. I moved the indices located in /graylog/opensearch/data/nodes/0/indices to /usr/share/opensearch/data/nodes/0/indices since this is where the new indices are being created.

4. How can the community help?
Is there a method of importing these into Graylog to view our historical data? If so, please provide detailed step-by-step instructions on how to do so rather than simply linking to a document or KB.

First, you need to see what OpenSearch thinks is going on. Start with the cluster health.

GET _cluster/health?wait_for_status=yellow&timeout=50s

source: Cluster health - OpenSearch documentation

Then get the cluster stats.

GET _cluster/stats/nodes/_master

source: Cluster stats - OpenSearch documentation

Post the output of those commands and we’ll see what’s next.

Alright. We decided it’d be simpler to recover the VM from backup in an isolated location if we need to view the historical data and let new data populate in the new path.

Hopefully in the future it’ll be simpler to migrate rather than having to manually move data (or in our case delete it since Graylog retention will no longer apply) and work with OpenSearch CLI to determine what it is seeing.
