I had a host begin sending large amounts of syslog data that managed to fill up the partition where the Graylog journal resides. After restarting Graylog, it would not ingest any of the logs, so I deleted the contents of the journal folder.
Now I am seeing messages inbound, but none are being written to the Elasticsearch indexes. Messages in older indexes from a few days ago appear, but no matter what data I send Graylog, it does not send the data to the Elasticsearch index. The Graylog and Elasticsearch log files both reveal this message after trying any query in the Graylog web interface:
“could not find the appropriate value context to perform aggregation [gl2_terms] (ElasticsearchException)”
Any ideas what could be going on?