Adding _size field

Graylog Central (peer support)
1

Hello Everyone,

Has anyone got any experience getting _size field to get indexed?
We’re using Graylog 2.1.1 and we’d have to estimate the size from different sources.

I got the idea from https://github.com/Graylog2/graylog2-server/issues/2324
And I believe had successfully applied the mapping.

Like so:

{
      "mappings": {
         "message": {
            "_size": {
               "enabled": true
            },
            "dynamic_templates": [
               {
                  "internal_fields": {
                     "mapping": {
                        "index": "not_analyzed",
                        "type": "string"
                     },
                     "match": "gl2_*"
                  }
               },
               {
                  "store_generic": {
                     "mapping": {
                        "index": "not_analyzed"
                     },
                     "match": "*"
                  }
               }
            ],
            "properties": {...}
}

But I still wasn’t able to show _size field from searches.
I have cycled the indexes and restarted elasticsearch data nodes several times.

Thanks,
Jan

2

Hej Jan,

did you check the documentation on this?

regards
Jan

3

Hello Jan,

I have followed the document.
I also ensured the mapper-size-plugin installed on all elasticsearch data/master nodes.
I’m not sure if I have to install it in graylog though (or if there are any means to), since they work as elasticsearch clients.

Anyway, I’ll be upgrading to graylog 2.2 today, we plan to utilize the new index sets feature to identify index sizes instead.
Although, I think _size field would still be very useful.

I’ll update this whether I got _size field working after upgrade.

Thanks,
Jan

4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.