Safely Deleting Index Sets

Would I be able to safely delete index sets to free up space via this option: Delete index?

Please see image attached,

yes, you can, you’ll obviously lose the ability to search the logs in that index, but you can delete it. If you are having storage issues, there are other ways of resolving that. But to your question. Yes, you can safely delete it.

1 Like

Thank you for your reply. On your note of other storage issues, what other ways do you recommend of resolving them?

developing a retention policy and ensuring that Graylog is configured to support the policy. For instance, if you just use the default settings when you create an index, it is set to use 20 indices before deleting the oldest one. If you look, and those 20 indices are 3 months worth of data, but you only need 1 month or 1 week, then reduce the number of indices accordingly.

Also, verify that you are not storing the message twice. if you are routing messages to a stream that is using it’s own index set, then there’s usually no need to store it in the all messages stream which by default uses the default index stream.

Leverage pipeline rules to ensure that you are not storing unnecessary data. For instance, Windows event logs typically get sent with URLs for more information and other data that isn’t needed. Use a pipeline rule to strip this data off so you are not wasting storage on it.

Also, consider buying an enterprise subscription as the archive feature is nice to have. it will allow you to set the archive option on the index and with that you can do any number of things. The archive is also compressed so there’s space saving in that. you can also transfer it off the graylog server for extended storage/retention if needed.

hth, g’luck

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.