After manually rotating the write index for a index, the data from that rotated index is no longer searchable/found on the Graylog Search UI.
Is this intended?
Hello && welcome!
That all depends on your settings for that index and how it relates to the search you are doing. Its really hard to give a good answer though when I don’t know anything about your settings and searches…
You can find more on how to ask questions with helpful information here and here. It includes things like posting code with the </> forum tool to make code/logs more readable and how to pull config files without including all the comments (Commented lines starting with #) Also making sure you are obfuscating any private information…
We know nothing about your setup so any relevant information you can provide including steps you have tried are very helpful for figuring out how to solve the incident!
1 Like
Graylog Version 4.2.7+879e651
Under “System > Indices”, I selected the index that I wish to rotate. In that Index page, I then click the dropdown box “Maintainence” > “Rotate active write index”.
Subsequently, I then head back to the “Search” navigation tab, and “Select streams the search should include. Searches in all streams if empty.”, I selected only the stream in charge of this index set.
Lastly, for the time range, I specify “all messages” and click “Search”
However, the data from my rotated index does not shown up.
If your index rotation is based on number of indexes, and only allows one index then the one you rotated out of would drop off and not be searchable. It’s silly to set it that way, but not impossible and since I still don’t know what your index rotation settings are (number of indexes? Number of messages? What are ALL the other settings?) I can’t make anything but wild guesses…(Don’t get me wrong, I am not saying you ARE doing this, just that I don’t’ know what you are doing because I can’t see it until you show me!)
I have also seen where time zone of index data is different than time zone of the searching browser and so messages don’t show up. That’s a wild guess too since I don’t know what you have tried or what you have searched.
Are you seeing any errors in the Graylog logs?
You can drop a screen shot of your index settings if it helps. Here is a screen shot of a test index that only holds 10 messages per index and only two indices below
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.