Adding old data from a graylog 3 to a new Graylog 3

So what happened is that we just realized that by the amount of logs we are getting, they are now rotating on a weekly bases, so we lost our logs older than 1 week. But we have filesystems snapshots that allows us to mount another elasticsearch cluster in which I can see graylog indexes starting since 2 weeks ago until last week (1 week window).
Is there any way I can just copy those elasticsearch index to the current Graylog instance I am running and they will automatically start appearing there?

Thanks.

He @titansmc

such is not “easy” possible. I do not know how to solve the problems but you have two items you need to investigate in.

1. if your elasticsearch will work with the suddenly available data
2. if the data is in indices that are known to Graylog that you can ‘rescan’ the indices and all is working.

I never did such an operation, but the two steps above are your hard parts.

Hi Jan,
The first one is doable, since I can take a snapshot from the old data and re import it into the current cluster, but about the second one I am not sure, Graylog is not showing available indexes from before. So I was wondering if there was an option to recreate those “Graylog index” based on the data that is found on Elasticsearch.

Thanks.

he @titansmc

this is only possible if you have the same index sets configured on both graylog servers. With the same prefix most important.

You could after that go to System > indices > INDEX NAME > maintenance > recalculate index range

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.