Still issues with Graylog Indices and the applied retention policy

The issue in this thread: Only message from the last 7 days are beeing displayed / Where are the old messages? Index/Streams Question - #8 by seroal

still exists. After switching back to the size based index, “coxxx” I again have exactly 7days of data. It seems, as if the default index set settings (P1D x Max number of indices=7) is beeing applied, even if a stream is redirecting the messages to another index-set.

Now I changed the roation strategy of the default index to 14 days to see, if that will apply to my other index aswelll…

Is this a bug? Im not quite sure, if Graylog is way to complicated as a solution.



I want to recap your configurations you made and to sum things up from the other post you made.

So, you have two indices, right?
One is called “Default Index Set” and the other one is called “co something", right?

If this is correct, then your “Default Index Set” have Rotation period of 1 day and retain 30 indices after that they are deleted.

The other index set called “co something” has Rotation SIZE of 10GB and retaining 40 indices after that they are deleted.

Is the above statement correct? If so then you should have 30 Index sets from your “Default Index Set” and 40 index sets that has 10 GB of data in each one from “co something”.

Does it look something like this?

Then you set the default Indices set to “co something”, right?
If this is correct I’m not sure where the 7 days is happening. Could you elaborate on where the configuration of the 7 Days is? maybe show a screen shot?

I looked in the other post you made, maybe I over looked where you showed your configuration made for retaining 7 days.

If the configuration is not in the Graylog GUI, then do you have it configured in some file ( i.e. elasticsearch or graylog) ?

And if this is correct can you show us? It s hard to troubleshoot issues without seeing the completed configuration files,or full messages.


