How to delete graylog_deflector?


(Justin) #1

I get the Error Message
"Deflector exists as an index and is not an alias. "
which results in an empty search.

I have seen Threads about this and the way to go is to stop GRAYLOG and delete the index “graylog_deflector”.
I am not sure on how to delete the index graylog_deflector once the GRAYLOG Services are stopped.


(Jochen) #2

You can delete an index named “graylog_deflector” with the following command (replace 127.0.0.1 with the actual IP address or hostname of the Elasticsearch node):

curl -X DELETE 'http://127.0.0.1:9200/graylog_deflector'

See https://www.elastic.co/guide/en/elasticsearch/reference/5.6/indices-delete-index.html for details.


(Justin) #3

I am confused, entering this command gives me the following Error:

"Failed to connect to IP-ADDRESS port 9200: Connection refused"
I put in the IP of the GRAYLOG Server (on which I access the web-interface).

On elastic.co I see a download option for Elasticsearch. I think I never downloaded / installed Elasticsearch regarding GRAYLOG.
If I don’t have to install Elasticsearch seperately how do I find out the IP-ADRESS?


(Jan Doberstein) #4

How did you installed Graylog Justin?

If you use the OVA/Virtual Appliance that includes all needed software. You would need to push that command on the command line of that server as Elasticsearch is not listening on the public interface.


(Justin) #5

Hey Jan,
Yes I used the OVA/Virtuel Appliance.
I am on the COmmand Line Interface of the Machine trying to enter the line mentioned above. No luck so far.
Also tried curl -X DELETE 127.0.0.1:9200/graylog_deflector


(Jochen) #6

The cURL command has to be run against the Elasticsearch HTTP API, not against the Graylog REST API.

You can get a list of processes listening to some (TCP) port with one of the following commands:

# lsof -i
# netstat -tplen

Elasticsearch is usually listening on port 9200/tcp.

And what was the result?


(Justin) #7

I got it working now and want to sum up the way to success for ppl like me who are new to GRAYLOG and usually don’t work with LINUX Systems:

  1. Stop all services but Elasticsearch (http://docs.graylog.org/en/2.3/pages/configuration/graylog_ctl.html#migrate-manually-from-1-x-to-2-x)

$ sudo -s

$ graylog-ctl stop graylog-web

$ graylog-ctl stop graylog-server

$ graylog-ctl stop mongodb

$ graylog-ctl stop nginx

$ graylog-ctl stop etcd

  1. If used OVA Image Eleasticsearchs default Port is 9200 to receive tasks. (Also see: http://docs.graylog.org/en/2.3/pages/configuration/graylog_ctl.html#migrate-manually-from-1-x-to-2-x)

Syntax: $ curl -X DELETE <appliance_IP>:9200/_template/graylog-internal

Example: $ curl -X DELETE ‘127.0.0.1:9200/graylog_deflector’

  1. Start all Services again (http://docs.graylog.org/en/2.3/pages/configuration/graylog_ctl.html?highlight=delete%20index#configuration-commands)

sudo graylog-ctl start

Thank you for all your help!


(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.