Hello to all!
The Graylog journal was 100% utilized and the process buffers were full, with 65535 messages in them, while the Input and Output buffers showed 0 load.
I looked further and determined that one of the extractors on the “Global beats” input took about 5 sec max time to process messages; once it was deleted, process buffer utilization dropped fast to 0-10%.
That extractor should separate php-fpm access logs into fields. But the messages coming to the “Global beats” input are not only php-fpm access log messages, and there is extra work being done by the extractors, as they try to extract from each message received by the “Global beats” input.
Is there a better way to extract fields from messages in Graylog?