Deflector exists as an alias... but it doesn´t!

I run Graylog 3.0.1 with elasticsearch 6.7.1 on a CentOS 7 VM

Recently I upgraded elasticsearch from 5.6 to 6.7 as per instructions on the elasticsearch site. However during the process there was a small problem.
Apparently the newer version of elasticsearch keeps its indices on different folders.
This led to a problem when restarting graylog: the older index was not detected.
I solved this by changing the path.data to the older folder andI restarting elasticsearch.
This caused the index to be successfully detected.

So I was a bit surprised when I got the following problem:

The famous " Deflector exists as an index and is not an alias." message.

I have found the procedure for resolving this issue however, the problem is that deflector does not exist as an index:

$ curl -X GET "localhost:9200/_cat/indices?v"
health status index     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   graylog_0 O4YEZUCiQzuGkx6MH9sGPA   4   0    3336411            0    967.6mb        967.6mb

Naturally trying to delete graylog_deflector fails since it does not exist:

$ curl -X DELETE "localhost:9200/graylog_deflector"
{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"The provided expression [graylog_deflector] matches an alias, specify the corresponding concrete indices instead."}],"type":"illegal_argument_exception","reason":"The provided expression [graylog_deflector] matches an alias, specify the corresponding concrete indices instead."},"status":400}

However it does exist as an alias:

$ curl -X GET "localhost:9200/_cat/aliases?v"
alias             index     filter routing.index routing.search
graylog_deflector graylog_0 -      -             -

Which leads me to believe that this is a different problem than the one already solved in the documentation.

Right now graylog is functional, it processes messages and allows for new inputs and extractors to be created.

However I cannot create new indices via the Web interface, and I get errors when trying to do certain things like clicking on the “Alerts” tab or the “Dashboards” tab:

Loading component failed: Loading chunk 27059c95-72 failed. (missing: http://graylogs.secret.domain.name:9000/assets/27059c95-72.567b98aaba093175141f.js)

I appreciate any help anyone can provide on this subject, and I am willing to test and provide further information.

Thank you,

João

Update:

Managed to “solve” the errors that prevented me from creating a new index and view the Dashboard and Alerts tab:

$ curl -X PUT "localhost:9200/graylog_test"
$ curl -X POST "localhost:9200/graylog_test/_open"

From this point on, I could circumvent the erros above. Then I closed it and deleted it:

$ curl -X POST "localhost:9200/graylog_test/_close"
$ curl -X DELETE "localhost:9200/graylog_test/"

However the Deflector message still remains. Help is still necessary.

Thanks

I would stop Graylog, delete the alias and start Graylog again.

That should create the alias new on the latest index. you might need to rotate the index once if that does not work.

the manual rotation got rid of the error, thanks!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.