Graylog rotates indices based on time, and it creates and deletes them 2 to 3 times, so we are missing the data from 4 hours back.

Please help with this.

Hi vankireddy2015

Could you explain in more detail, please? What kind of issue do you have? Are you losing data after index rotation?

Hi Facyber,
Once the rotation time is reached, indices should delete and rotate once. But in my case it rotates 2 to 3 times.

So Graylog does not rotate the index only one time but multiple times? Always the same number of times, or always different?

That is not normal behaviour, and you should provide as much information as possible. What Graylog version do you use, and what Elasticsearch version do you use? Is that all on one server? Such information is important to guess what the reason could be.

Yes, always 3 times.

Graylog v3.0.2
ElasticSearch Version: 6.8.0.

We deployed in containers, so both are on different servers.

Hey @vankireddy2015

How many Graylog servers do you have in your cluster? How many of them have the configuration flag set as is_master=true?

3 Graylog server nodes are running in a cluster. All 3 have this “is_master=true” flag enabled.


You should really re-read the documentation on this setting.

The setting is_master=true is only valid on one host. If all of your hosts have this setting - all hosts will perform an index rotation. That is the reason you have always rotated 3 times.

But if we use an index rotation strategy based on index size, it rotates only one time.


Yes - because one Graylog master recognizes the size of the index. It rotates the index, and the other servers do not see the size as a point to rotate.

Having only a single server with is_master=true solves your problems …
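
A check for the misconfiguration identified in this thread, as an added example that is not part of the original posts or Graylog's own code: it reads each node's server.conf text and reports whether exactly one node has is_master = true. The node names and config excerpts are constructed, and treating a missing key as a finding is an assumption of this example.

```python
# Constructed server.conf excerpts for three hypothetical nodes, mirroring the
# thread's cluster where every node had is_master = true.
SAMPLE_CONFIGS = {
    "graylog-1": "# node 1\nis_master = true\nhttp_bind_address = 0.0.0.0:9000\n",
    "graylog-2": "is_master=true\n",
    "graylog-3": "#is_master = false\nis_master = true   \n",
}


def parse_is_master(conf_text):
    """Return True/False for the last uncommented is_master line, None if absent."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-style comment
        key, sep, val = line.partition("=")
        if sep and key.strip() == "is_master":
            value = val.strip().lower() == "true"  # a later duplicate wins
    return value


def audit_masters(configs):
    """Report which nodes are masters and whether exactly one is set explicitly."""
    masters, unset = [], []
    for node, text in sorted(configs.items()):
        flag = parse_is_master(text)
        if flag is None:
            unset.append(node)  # key missing: set it explicitly on this node
        elif flag:
            masters.append(node)
    return {"masters": masters, "unset": unset,
            "ok": len(masters) == 1 and not unset}


def with_single_master(configs, keep):
    """Return config copies with is_master = false on every node except `keep`."""
    out = {}
    for node, text in configs.items():
        lines = [l for l in text.splitlines()
                 if l.strip().partition("=")[0].strip() != "is_master"]
        lines.append("is_master = " + ("true" if node == keep else "false"))
        out[node] = "\n".join(lines) + "\n"
    return out


if __name__ == "__main__":
    print(audit_masters(SAMPLE_CONFIGS))
    print(audit_masters(with_single_master(SAMPLE_CONFIGS, "graylog-1")))
```

Running the audit in deployment checks before a node joins the cluster catches the duplicate-master condition before it causes repeated time-based rotations and early index deletion.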

