How to find unused inputs / streams

For each input, how can I find the most recent message using the API? I’m trying to do a migration and want to avoid recreating inputs in the new system if I can validate they aren’t really in use. I figure if an input hasn’t been written to in X months, I’m probably safe to assume it isn’t in use.

I’m sure there’s an API way to do this, but the explorer is hard to grok.

Hello && Welcome

MongoDB holds all the metadata (i.e. inputs, streams, alerts, notifications, etc.). So long as the old MongoDB is the same as the new MongoDB version, you could do a dump and SCP.

Example:

Execute Mongo Dump

mongodump --db graylog -u mongo_admin

Copy Database to new system.

scp -r dump user@8.8.8.8:/tmp

Once completed execute mongorestore on new server

mongorestore dump/

Restart Graylog service

sudo systemctl start graylog-server

Note: make sure your old Graylog configuration is the same as the new one.
Just an idea.

EDIT: As for the status of inputs, if you navigate to System/Nodes and click the API browser button on the upper right side, your inputs are shown here.

There are more APIs for inputs depending on what you want.
Is this what you’re referring to?

No, I already configured the new instance. The old one has a ton of baggage I don’t want to bring along. I’m “starting over” and trying to figure out which inputs are actually getting data. I cobbled together a call to /system/inputs to get all the input IDs and titles. Then, looping over each input, I make a call to /search/universal/absolute with params like so:

const params = {
  query: `gl2_source_input:${input.id}`,
  from: `2021-07-01T00:00:00.000Z`,
  to: `2022-02-04T23:00:00.000Z`,
  limit: 1,
  offset: 0,
  fields: `timestamp`
};

I’m pretty sure that returns the single most recent message within the from/to params. I use that response to figure out if I need to recreate that input on the new server.

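The per-input check described in the last post, written out as an added example that is not code from the thread. The function names, the `search` callback and the sample data are hypothetical; the response shape and the explicit `sort` parameter are assumptions about Graylog's legacy search API and are not taken from the posts.

```javascript
// Added example. Assumed response shape for /search/universal/absolute:
// { messages: [ { message: { timestamp } } ] }
const DAY_MS = 24 * 60 * 60 * 1000;

// Same params as the post, plus an explicit sort so "limit: 1" is the newest hit.
function buildParams(inputId, from, to) {
  return {
    query: `gl2_source_input:${inputId}`,
    from: from.toISOString(),
    to: to.toISOString(),
    limit: 1,
    offset: 0,
    sort: 'timestamp:desc', // assumption: not among the post's params
    fields: 'timestamp',
  };
}

// Turn one search response into a verdict for that input.
function classify(response, now, staleDays) {
  const hit = response && Array.isArray(response.messages) ? response.messages[0] : undefined;
  if (!hit) return { status: 'no-data', last: null }; // nothing found in the window
  const last = new Date(hit.message.timestamp);
  const ageDays = Math.floor((now - last) / DAY_MS);
  return { status: ageDays > staleDays ? 'stale' : 'active', last: last.toISOString(), ageDays };
}

// `inputs` is the { id, title } list from /system/inputs; `search` is a
// caller-supplied async function that performs the HTTP GET (hypothetical).
async function auditInputs(inputs, search, { now, lookbackDays, staleDays }) {
  const from = new Date(now.getTime() - lookbackDays * DAY_MS);
  const report = [];
  for (const input of inputs) {
    const res = await search(buildParams(input.id, from, now));
    report.push({ id: input.id, title: input.title, ...classify(res, now, staleDays) });
  }
  return report;
}

// Constructed sample data standing in for the two API responses.
const sampleInputs = [{ id: 'aaa111', title: 'syslog-udp' }, { id: 'bbb222', title: 'old-gelf' }, { id: 'ccc333', title: 'beats' }];
const sampleHits = {
  aaa111: { messages: [{ message: { timestamp: '2022-02-03T12:00:00.000Z' } }] },
  bbb222: { messages: [{ message: { timestamp: '2021-08-01T00:00:00.000Z' } }] },
  ccc333: { messages: [] },
};
const stubSearch = async (params) => sampleHits[params.query.split(':')[1]];
const sampleNow = new Date('2022-02-04T23:00:00.000Z');
auditInputs(sampleInputs, stubSearch, { now: sampleNow, lookbackDays: 218, staleDays: 90 })
  .then((report) => console.table(report));
```

A `no-data` verdict only covers the searched window and whatever the index retention still holds, so it is weaker evidence than a `stale` verdict with a known last timestamp.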