Process buffers utilization is 100%

Graylog journal was 100% utilized and process buffers are full with 65535 message in it. While Input and Output buffer was 0 loaded.

I looked further and determine that one of extractors on “Global beats” input took about 5 sec max time to process messages, once it was deleted - process buffers utilization dropped fast to 0-10%.

That extractor should separate to fields php-fpm access log. But messages come to “Global beats” input are not only php-fpm access logs messages and there an extra work doing by extractors as they trying extract each message receiving by “Global beats” input.

Is there a better way extract fields from messages in Graylog?

yes the better way would be using the processing pipelines. As you are able to decide granular what messages should what normalization run on.

Will try, thank you!

