Cant see restored indices in graylog (v2.4.6)

furk4n · April 8, 2021, 3:19pm

Hi,

I’m running graylog(v2.4.6). I’m restoring an indice in elasticsearch but i cant see it on index set area. When i check is indice open, i see it is open in elasticsearch. But still can’t see in graylog ui.

Here is my restore request:

curl -s -X POST "localhost:9200/_snapshot/"$indexname"/"$indexname"_"$number"/_restore" -H 'Content-Type: application/json' -d' {"indices": "'$indexname'_'$number'","rename_pattern": "'$indexname'_(.+)","rename_replacement": "restored_$1"}'

Elasticsearch and graylog working properly and communicating each other correctly.

Could you help me with this?

mntbighker · April 8, 2021, 4:56pm

You might want to watch my thread… " Elastic Restore Help Please". As far as I know, prior to Graylog 4.x there was no way to see any index that didn’t match the prefix specified in the config file. And so far I have seen no evidence you can see them in 4.x either. I really want to be proven wrong, because I have a restored index I can’t use.

furk4n · April 8, 2021, 6:28pm

You are right but im using 2.4 and also i have done this before and there was nothing like this. happening for the first time.

I have updated my request like this

`curl -s -X POST “localhost:9200/snapshot/"$indexname"/"$indexname"”$number"/restore" -H ‘Content-Type: application/json’ -d’ {“indices”: "’$indexname’’$number’",“rename_pattern”: “’$indexname’(.+)",“rename_replacement”: "’$indexname’$1”}’

So now, i can see restored indices in index_set but when i go to stream, i cant found any data

furk4n · April 8, 2021, 6:44pm

and also when i run a query for an exact date in elasticsearch it turns properly:

   {
  "took" : 410,
  "timed_out" : false,
  "_shards" : {
    "total" : 10522,
    "successful" : 10522,
    "skipped" : 10382,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}

mntbighker · April 8, 2021, 10:11pm

My theory on this is the gl_ prefix Elastic indices contain companion metadata. And without that Graylog has no idea what to do with the index. What indices did you restore/rename? Just the primary data (like Graylog_01), or also the ones with a gl_ prefix? Get the naming wrong and you bork the existing Graylog instance.

The documentation on this seems to be all but non-existent.

furk4n · April 9, 2021, 5:15am

I can see the list restored indices in right-top open indices link, i just cant see the logs in stream it is nothing wrong with indice name