Hi @danpop
welcome to the community. You have a quite big instance already, congratulations! I have a few thoughts:
- You have three nodes with Elastic with 64GB RAM each, and a Heap size of 32GB. Java has the “feature” to increase the RAM usage a lot if you supply it with 32GB RAM. Better go for double machines and half everything.
- your Elastic is a little older. If you upgrade make sure to find your path to Opensearch, as Graylog will use that in the long run.
- I gave once a very rough intro how to tune Elastic. Did you take care of the sizes of your shards?
-
output_batch_size = 17000is huge. I have I think 500 to 1000 at max. - you have 1 inputbuffer_processor, 17 processbuffer_processors and 13 outputbuffer_processors. That are 31 in total. I understand if you not want to overprovision your CPU, but with 10-15% more I was fine so far.
- are all of your elastic-nodes in your graylog-config? If your graylog “talks” only to one of them it might be the bottleneck.