Could not execute search(Index not found for query)

Hi All,

This is very interesting for me. I am not able to search for anything on Graylog. On screen it shows batchjob_logs_195 is not found, but the main thing is that I don’t have any index of the same name on Elasticsearch. I have taken a Mongo collection from another Graylog server and dumped it on the present Graylog. Also, I deleted everything but it still shows old indices.

All the shards are green.
graylog version: 3.0.2

Please help here. Quick response will be appreciated

Thanks

Move over to System > Indices, select each index (click on the name) and hit Maintenance > Recalculate index range.

Graylog saves what range (by date) of messages can be found in what index. If you copied over the MongoDB without doing the above, Graylog still has the information in its MongoDB about the old indices.

@jan I did, but it's still showing the same.

As you have written that everything is set up correctly (we trust you in that, but you did not share anything so that we can check), and you have no error in your server.log (you did not share it, but you would have mentioned what you observe in the logs), and your setup overall is correct and has no glitches (you did not share anything useful about your setup - what you copied over from what. Meaning how you built your Frankenstein Graylog …)

So it must be a glitch in the matrix that this happens to you, sorry for that.

Now back to business - please remember, this is a community board. All people help here in their spare time. Please invest meaningful time into your question, including as many details as you can, and people will invest time to find the problem in your setup. With the given information, we can only guess.

1 Like

Hello :)
So, first of all, what you did with mongo is quite creative but sadly it won’t work so easily.

Basically you imported Mongo collections which include information about indices YOU DON’T HAVE. Graylog doesn’t know that, Graylog will try to query everything it has information on and it takes information from Mongo collections.

You have to drop some “tables” inside MongoDB, the ones that contain index_ranges for indices. After you do that you have to do what Jan Doberstein told you - recalculate every single index range using Graylog’s “System” => “Indices” => “Recalculate index ranges”.

The hard part is dropping stuff from Mongo, the trivial part is recalculating index ranges.

So, dropping stuff in Mongo.
Go to the machine you have MongoDB installed on and use these commands. Connect using your auth db, for example, if you were following the instructions in the docs:

mongo --port 27017 -u "admin" -p --authenticationDatabase "graylog"

Use your password for “admin” user

After connecting to your mongo use those:

use graylog; ← use the graylog’s database, maybe you used a different name?

show collections ← show all collections, you should see an index_ranges collection

db.index_ranges.drop() ← drop all info regarding index_ranges

exit

Okay, you just cleared info regarding those nasty indices you don’t really have in your Elasticsearch cluster but Graylog desperately wanted to query.

Reindexing:
Do what jan wrote, “System” > “Indices” > click on index set > Maintenance > Recalculate index ranges.

Do that on every single index set you have in your Graylog.

That’s it, it should help :)

Some further info regarding your problem and how to dodge it in the future:
Graylog has to manage your Elasticsearch cluster - every single index creation / deletion has to be made using Graylog. If you delete something from Elasticsearch by some query or Curator or in any other way which is not including clicking “Delete” in Graylog - you will see the error you see right now.
This is why: You delete something manually but information about it is still stored in Mongo so from Graylog’s POV it is NOT DELETED. Same thing for index creation, if you create some indices not using Graylog’s “Create index set” - it won’t work because there will be no info about it in MongoDB/Graylog.

There are multiple operations you can do on indices manually / with Curator / Query, for example you could relocate shards, create custom mappings and so on, but deleting / creating indices manually is a BIG NO NO :D

4 Likes
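
A check that can be run before dropping index_ranges, as an added example that is not part of the thread: it compares the index names referenced by MongoDB's index_ranges documents with the indices Elasticsearch actually lists, and shows which indices a search window would be sent to. The field names (index_name, begin, end), the "graylog" prefix, the helper names and all sample data are assumptions constructed for illustration.

```javascript
// Constructed sample data, not taken from the poster's cluster.
// Shape of documents in the MongoDB index_ranges collection; the field names
// index_name/begin/end are an assumption about the Graylog 3.x schema.
const sampleRanges = [
  { index_name: "graylog_0", begin: "2019-05-01T00:00:00Z", end: "2019-05-20T00:00:00Z" },
  { index_name: "graylog_1", begin: "2019-05-20T00:00:00Z", end: "2019-06-02T00:00:00Z" },
  { index_name: "batchjob_logs_195", begin: "2019-05-30T00:00:00Z", end: "2019-06-01T00:00:00Z" },
];
// Constructed one-column listing, as from Elasticsearch's GET _cat/indices?h=index
const sampleCatIndices = "graylog_0\ngraylog_1\ngraylog_2\n.kibana\n";

// Turn the _cat listing into a Set of index names.
function parseCatIndices(text) {
  return new Set(text.split("\n").map((l) => l.trim()).filter((l) => l !== ""));
}

// True when name is "<prefix>_<number>" for one of the index set prefixes.
function isManaged(name, prefixes) {
  return prefixes.some((p) => name.startsWith(p + "_") && /^\d+$/.test(name.slice(p.length + 1)));
}

// Index names whose stored range overlaps [from, to]: the indices a search
// over that window would be sent to, judging by the MongoDB ranges alone.
function indicesForWindow(ranges, from, to) {
  const f = Date.parse(from), t = Date.parse(to);
  return ranges
    .filter((r) => Date.parse(r.begin) <= t && Date.parse(r.end) >= f)
    .map((r) => r.index_name);
}

// stale: ranges pointing at indices Elasticsearch does not have.
// unranged: managed indices in Elasticsearch with no range document.
function auditIndexRanges(ranges, esIndices, prefixes) {
  const ranged = new Set(ranges.map((r) => r.index_name));
  const stale = [...ranged].filter((n) => !esIndices.has(n)).sort();
  const unranged = [...esIndices].filter((n) => isManaged(n, prefixes) && !ranged.has(n)).sort();
  return { stale, unranged };
}

const es = parseCatIndices(sampleCatIndices);
const report = auditIndexRanges(sampleRanges, es, ["graylog"]);
console.log("stale ranges (index missing in Elasticsearch):", report.stale);
console.log("indices without a range (recalculate):", report.unranged);
```
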
