Hi Community,
can some please tell me how the storage value of the total indices display of my graylog instances is genearted. I think I have some knowledge gap about Elasticsearch.
But when I do a summary about the single indices (see screenshot) I can’t understand how graylog gets the 414.0GiB.
I assume that rotated indices are also included in den summary?
Thanks for your help.
Sebastian
Hi @smolit ,
The value there includes open and closed indices. For indices to not be included in that number, they’d have to be deleted once they’re closed.
Hi Aaron,
thank you for your explanation.
Just that I got it right: Indices that are closed and deleted (that is my selected retention strategy) are also included in that number. Right?
Thanks
Sebastian
Deleted indices shouldn’t be included in that number. Only open/closed ones.
Ok. Now I got it. 
But I am still confused. I can’t comprehende that number.
As you can see in the screenshot the current sizes of the indices on my Graylog instance aren’t smaller than 414GiB. And as I wrote, my retention strategy is to delete closed indices.
So what could be the reason for the higher ammount of diskspace that is used by Graylog?
I am using an Elastisearch that is hosted by an other team. I asked them to check if my Graylog really uses over 400GiB disk space.
Could it be that this is a right problem on the Elasticsearch that denies me to delete indices?
Thanks
Sebastian
I got the reason.
The nuber of replicas was increased from 0 to 1. 
Sorry for that.
Sebastian
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
