Restoring a Graylog Archive

Hello all,

I have never tested an archive restore and started one yesterday. After 21 hours, it appears to only be 1/10th of the way done, according to the Enterprise/Archives web interface. I was wondering if this is a normal amount of time it should be taking? It seems like it should be a little quicker, but it may be my setup.

I chose one of my smaller archives for testing. The archive is 1.2 GB compressed (17.8 GB uncompressed).

My server specs are:
• VMware VM
• 8 CPUs
• 12 GB Memory
• OS - Ubuntu Server 18.04.6 LTS
• Standalone Graylog Instance
• Graylog 4.2.7 Enterprise
• Elasticsearch 6.8.23
• Java - OpenJDK 1.8.0_312
• MongoDB 4.0.28

I have searched online but have come up with no answer; I was hoping someone might know. Thanks.

Hello,

I tested a small index as shown below; it took 2 seconds. I realize this is smaller than yours.

To give you a better idea, this will depend on how many logs are ingested per second, what time of day this is taking place, and the amount of resources Elasticsearch is using; all of this could affect the amount of time it takes for archiving.

When a node is compressing/uncompressing files, this will take a good sum of CPU.
I would look into the log files also.

By default archives are gzip compressed. The compression ratio is high, but it is slow.
You might consider using e.g. Zstandard, which is much faster.
