I am sorting out some disk space issues in my current Graylog settings. Can someone please tell me: if I redirect messages from an input to a stream, would it duplicate the data on disk?
For example -
I have an index called Juniper flow data and I have created a stream with rules
1. Input - GL Input Type: Juniper Security logs input (that coded name which shows up in input)
2. Index - Juniper Security Logs Index
3. Remove data from default index
All flow data is redirected to this stream now. Would it be doubling up disk space with data in Elasticsearch plus data in this stream?
If the Remove Data from default index is configured the right way, you should not have your messages twice in Elasticsearch. If so, you would see all messages twice in search.
It can be configured in the route, but if you are using a pipeline rule to route the messages, it should be configured over there (remove_from_default: true).
Thank you Arie. You are right. I tried to pause the stream to see if messages still come, but they started going to the default stream. Therefore I concluded that if you create an index you need to route that to a stream, and it is not duplicating data.