How to change the "All Messages" Stream to use different Index?

Graylog Central (peer support)
1

1. Describe your incident:

I was trying to change the “All Messages” stream to use different Index, instead of the Default Index set with API, but got error:

http://graylog_host_ip/api/api-browser/global/index.html#!/Streams/update_put_5

{
“title”: “All messages”,
“content_pack”: null,
“remove_matches_from_default_stream”: false,
“index_set_id”: “62a9e73001ff4366937a0855”,
“is_default”: true,
“is_editable”: true
}

Request URL

/api/streams/000000000000000000000001

Response Body

{
“type”: “ApiError”,
“message”: “The stream cannot be edited.”
}

2. Describe your environment:

  • OS Information: Red Hat Enterprise Linux 8

  • Package Version:4.2.20

4. How can the community help?

Is this possible? and if so, how? Thanks.

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

2

I know you can set the default index via the web interface… perhaps if you used the API to change the default index rather than the default stream? I haven’t used the API in that way so I have no quick suggestions…

3

Yes, I changed the Default Index through the web interface, but that did not change the All message stream. It still uses the old Default index. Some users here suggested to use API in the past posts, maybe things have changed? I am trying to figure out.

4

Did some more research - looks like it might be a design issue where it sets on first startup and might be able to be changed in the Mongo DB. Posted to Github here Though it is initially for version 2.3.2, it was still an issue in 2020 with version 4.x

5

Got it, thank you for the quick response.

The original default index got messed up by the SNMP plugin I grabbed from the marketplace, which keeps adding more and more fields (over 3000 now). So I decided to switch to new default Index.

6

I think fields are recreated with each new index as the data comes in … if so, you can rotate your index and only the fixed data will come in the new one. Thats a much easier solution…

7

Yes, trying to do that by defining different streams and indexes.

8

this is what I mean below. If you don’t want the older data, you can delete them from this page as well…

image
image1154×489 43.4 KB

9

Let me try that. thanks.

10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.