For each input, how can I find the most recent message using the API? I’m trying to do a migration and want to avoid recreating inputs in the new system if I can validate they aren’t really in use. I figure if an input hasn’t been written to in X months, I’m probably safe to assume it isn’t in use.
I’m sure there’s an API way to do this, but the explorer is hard to grok.
MongoDB holds all the metadata (i.e. inputs, streams, alerts, notifications, etc.). So long as the old MongoDB is the same version as the new MongoDB, you could do a dump and SCP.
Example:
Execute Mongo Dump
mongodump --db graylog -u mongo_admin
Copy Database to new system.
scp -r dump user@8.8.8.8:/tmp
Once completed execute mongorestore on new server
mongorestore dump/
Restart Graylog service
sudo systemctl start graylog-server
Note: make sure your old Graylog configuration is the same as the new one.
Just an Idea
EDIT: As for the status of inputs, if you navigate to system/nodes and click the API browser button, upper right side, your inputs are shown here.
No, I already configured the new instance. The old one has a ton of baggage I don’t want to bring along. I’m “starting over” and trying to figure out which inputs are actually getting data. I cobbled together a call to the /system/inputs to get all the input IDs and titles. Then, looping over each input, I make a call to /search/universal/absolute with params like so:
I’m pretty sure that returns the single most recent message within the from/to params. I use that response to figure out if I need to recreate that input on the new server.
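The loop described in the post above, as an added example that is not part of the original thread. The search parameters (`gl2_source_input` query, `limit`, `sort`, `fields`), the 90-day window, the token-based basic auth and the sample responses are assumptions, since the post's own parameters are not shown.

```python
import base64, json, urllib.parse, urllib.request
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%S.000Z"  # ISO 8601 UTC, used for the from/to parameters

def make_fetch(base_url, token):
    """Build fetch(path, params) for a live server (access token as user, 'token' as password)."""
    auth = base64.b64encode(f"{token}:token".encode()).decode()
    def fetch(path, params=None):
        url = base_url.rstrip("/") + path + ("?" + urllib.parse.urlencode(params) if params else "")
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth,
                                                   "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def last_seen(fetch, input_id, start, end):
    """Newest message timestamp for one input inside [start, end], or None."""
    body = fetch("/search/universal/absolute", {
        "query": f"gl2_source_input:{input_id}",  # assumed query: input ID stamped on each message
        "from": start.strftime(FMT), "to": end.strftime(FMT),
        "limit": 1, "sort": "timestamp:desc", "fields": "timestamp"})
    msgs = body.get("messages") or []
    return msgs[0]["message"]["timestamp"] if msgs else None

def input_activity(fetch, now, days=90):
    """One row per input; last_seen of None means no message in the window."""
    start = now - timedelta(days=days)
    return [{"id": i["id"], "title": i["title"],
             "last_seen": last_seen(fetch, i["id"], start, now)}
            for i in fetch("/system/inputs")["inputs"]]

# Constructed sample responses (not real data) so the example runs offline.
SAMPLE_INPUTS = {"inputs": [{"id": "aaa111", "title": "Syslog UDP"},
                            {"id": "bbb222", "title": "Old GELF"}]}
SAMPLE_NEWEST = {"aaa111": "2024-05-30T11:22:33.000Z"}

def sample_fetch(path, params=None):
    """Stand-in for make_fetch(...) that answers from the constructed samples."""
    if path == "/system/inputs":
        return SAMPLE_INPUTS
    ts = SAMPLE_NEWEST.get(params["query"].split(":", 1)[1])
    hit = ts is not None and params["from"] <= ts <= params["to"]
    return {"messages": [{"message": {"timestamp": ts}}] if hit else []}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for row in input_activity(sample_fetch, now):  # use make_fetch(url, token) for a live run
        print(row["title"], row["id"], row["last_seen"] or "no messages in window")
```

A `None` result only means nothing was found in the searched window and the indices still retained; the search is keyed on message timestamp, so a source with a skewed clock can fall outside it.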