Tfw you deleted elasticsearch shards to free up space

Hi everyone,

I deleted a bunch of files in the /var/lib/elasticsearch/graylog/nodes/0/indices directory to free up space on the /var/ partition because it was 100%. Not the best idea, I know, but now the Graylog frontend says my Elasticsearch cluster is unhealthy. I tried to run the rebuild command but I don’t think it worked. Here’s what it said in the log files.

2017-06-16T19:43:16.983-04:00 ERROR [AbstractRotationStrategy] Cannot perform rotation at this moment.
2017-06-16T19:43:26.983-04:00 ERROR [MessageCountRotationStrategy] Unknown index, cannot perform rotation
org.graylog2.indexer.IndexNotFoundException: Couldn’t find index graylog_7

Is there a way to purge this elasticsearch component and start over with a fresh slate without installing on a new machine? I let the server inputs send log files without filtering them.

Don’t do this. Always use either the Graylog web interface or the Graylog REST API to delete indices managed by Graylog.

You can remove the complete /var/lib/elasticsearch/graylog/ directory to “reset” Elasticsearch. If you have more than 1 Elasticsearch node, you have to remove the data from each node.

Thanks jochen. I was able to bring the server back. I’ll have to add more disk space and really look at filtering those log files.
