Aggregation Value Context Error After Full Disk

(Adam) #1

I had a host begin sending large amounts of syslog data, that managed to fill up the partition where the Graylog journal resides. After restarting Graylog it would not ingest any of the logs so I deleted the contents of the journal folder.

Now I am seeing messages inbound, but none are being written to the Elasticsearch indexes. Messages in older indexes from a few days ago appear but no matter what data I sent Graylog it does not send the data to the Elasticsearch index. Looking in the Graylog or Elasticsearch log files both reveal this message after trying any query in the Graylog web interface:

“could not find the appropriate value context to perform aggregation [gl2_terms] (ElasticsearchException)”

Any ideas what could be going on?

(Adam) #2

Ugh. I feel dumb. I failed to delete the committed read offset and recovery point offset files from the journal folder. It’s working just fine now.

More details here:

(system) closed #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.