Centos 7/Deflector exists as an index and is not an alias

I’m running Graylog 2.4.4+4659dbe and have done the recommended steps:

1. Stop Graylog
2. Delete the graylog_delector using: curl -X DELETE ‘127.0.0.1:9200/graylog_deflector’

The index is removed but as soon as I start Graylog, the graylog_deflector is recreated:

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open graylog_deflector 5wrUelgMRXWB0N2dBEoaNA 5 1 1274 0 1.7mb 1.7mb

I have the elasticsearch_discovery_enabled set to false in the server.conf

As soon as I start Graylog, the “Deflector exists as an index and is not an alias” error is shown immediately.

I am receiving messages but obviously can’t see them in the stream and can’t search on them.

Any help would be appreciated.

Thanks.

http://docs.graylog.org/en/2.4/pages/faq.html#how-do-i-fix-the-deflector-exists-as-an-index-and-is-not-an-alias-error-message

I added per the instructions outlined but now I can’t find any indexes. Added action.auto_create_index: false
to the server.conf

Now the index is gone but I can’t see any via:

curl ‘localhost:9200/_cat/indices?v’

When I go to maintenance an manual rotate the default index, it just keeps saying “Loading” on the screen.

Now the system is reporting the following errors:

Try rotating the write-active index in the Graylog web interface at System/Indices/Index Set/Maintenance.

That doesn’t work since the index that I created just gives a “Loading” message"

Try restarting the Graylog master node. If there’s no index alias, Graylog will try to create it.

sudo systemctl restart graylog-server didn’t resolve the issue. Any other suggestions?

You can try rotating the write-active index via the Graylog REST API by sending an HTTP POST request to /system/deflector/cycle (for the default index set) or /system/deflector/{indexSetId}/cycle (for any other index set).

Example:

# curl -u admin:password -X POST 'http://graylog.example.com:9000/api/system/deflector/cycle'

I did the rotate but when I click on the default index, it just hangs still with “Loading”

When I do a curl ‘localhost:9200/_cat/indices?v’ I don’t see any indexes created even after a Graylog restart.

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size

Do you know why the indexes wouldn’t be created? Is there a configuration flag that needs to be set?

Hi all.

I had the same issue and I fixed the deflector problem with

• graylog-server stop

• mongodb stop

• remove the deflactor index

• mongodb start

• graylog-server start

I’ve done the same, the problem is the index doesn’t get created. When I restart graylog.

When I start sending messages in, the graylog_deflector is recreated. Is this a bug? No matter what steps I try, I can’t seem to get rid of it:

health status index             uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   graylog_deflector ztBlW3AfRbiPTPN6COtPBQ   5   1         42            0     15.3kb         15.3kb

Which version of Elasticsearch are you using?

(prod) server] $ curl -XGET ‘localhost:9200’
{
“name” : “03_wUzI”,
“cluster_name” : “graylog”,
“cluster_uuid” : “VsIC8wo3TR-0fpn-PVPXWA”,
“version” : {
“number” : “6.2.4”,
“build_hash” : “ccec39f”,
“build_date” : “2018-04-12T20:37:28.497551Z”,
“build_snapshot” : false,
“lucene_version” : “7.2.1”,
“minimum_wire_compatibility_version” : “5.6.0”,
“minimum_index_compatibility_version” : “5.0.0”
},
“tagline” : “You Know, for Search”
}

Graylog 2.x doesn’t support Elasticsearch 6.x.

http://docs.graylog.org/en/2.4/pages/installation.html#system-requirements

What version of Elasticsearch do you recommend?

Elasticsearch 5.6.9 works fine.

In general, please refer to the system requirements and the Elasticsearch chapters in the documentation.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.