I am running Graylog 2.3.1 with ES 5.5. In general there don’t seem to be any major problems with my Graylog server. It usually processes about 500 msgs per sec and 1000-1500 msg/s during peak times. On my Graylog node I often see that the earliest message in the journal is 2-4 minutes ago. Does this mean that the message is unprocessed? There is 0 usage on any of the buffers. I thought the messages would go to the process buffer before the disk journal?
I am also a little bit worried about the message remaining in the journal for several minutes. I worry that I will miss some alerts because by the time the message is processed, its timestamp will be too old to be caught by the alert condition.