I have an input that previously had an extractor that has since been deleted. However, when a new log matches the old extractor criteria, it still runs. It’s like it’s hidden and I can no longer edit or completely remove it. The old extractor would create a new field if data matched a regular expression.
Does anyone have any ideas what could cause behavior like this?
My Environment details:
Graylog - 15 Nodes running: 2.4.6
Elasticsearch - 8 Data Nodes running: 5.6.9
MongoDB - 3 Nodes in a replica set running: 3.6.8
After a few hours the extractor has stopped running on a handful of Graylog nodes, but not all the nodes. It’s like there is a massive delay between the time I removed the extractor and when the node quits processing it. Any ideas?
That is not a known issue. What you described is only seen when the messages and Graylog do not have the same time. It will look like a delay, but in reality the messages are just displayed later than the time they arrive, because the timestamp is in the future (for example).