Understanding My Default Index config

This is my default index config and at the top , it shows more documents than my setup should allow (663 mil vs 400mil). Can someone explain that to me?


If you you click into that index set… what does it say for the breakdown of the individual indices?

Perhaps you had a different configuration originally, say 20mil per and 40 max indices? If so, it will eventually normalize to around 400million, while it deletes the older indices with the larger number of messages.

That’s just a guess though.

Thanks for the response.

It appears my Default Index is not rotating. I have 20 Indices & 4 shards, and index rotation set for 20,000,000 docs. When I click on the default index, it reads that I currently have 1 indice with 1,110,000,000 messages under management - Current write-active index is graylog_0. Why didn’t this rotate to graylog_1 after 20,000,000 messages? Where do I find this information?

hmmm… not sure why it wouldn’t have rotated… All I can suggest is doing a manual rotation and then seeing what happens. There is a way to set the debug log level to add some information into the logs with regards to the indices and the rotation of them, but for the life of me, I can’t remember it. I’ll dig through my notes and see if I can find it.

FWIW, you could always create a new index and make that your default.

