Graylog 2.4.6 manual index backup and restore

When you do not have enterprise support, closing and opening Elasticsearch indexes can break stuff in Graylog 2.4.6.

Elasticsearch Indexes Close/Open

The official documentation for Elasticsearch 2.4.6 closing and opening an index can be found here:

https://www.elastic.co/guide/en/elasticsearch/reference/2.4/indices-open-close.html

curl -XPOST 'localhost:9200/my_index/_close'

curl -XPOST 'localhost:9200/my_index/_open'

Closing an index

To close an index:

# curl -XPOST 'http://localhost:9200/graylog_900/_close'
{"acknowledged":true}

To close more than one index, use * (the example below closes all indexes that start with graylog_9):

# curl -XPOST 'http://localhost:9200/graylog_9*/_close'
{"acknowledged":true}

Opening an index

To open an index:

# curl -XPOST 'http://localhost:9200/graylog_900/_open'

Graylog 2.4.6 issues when restoring an index

I ran into multiple problems after closing indexes. My biggest problem was that Graylog search suddenly wasn’t showing anything for the past 14 hours. I was receiving data just fine.

To fix this you need to rotate the index set.

Steps:

  1. Browse to menu item “System” -> “Indices”
  2. Click “Default Index Set”
  3. Click the button “Maintenance” -> “Rotate active write index”

Once you complete the above steps you will be able to search the past 13 hours or so of data. If you are restoring a lot of indexes, I recommend “Maintenance” -> “Recalculate index ranges”.
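The reopen-then-recalculate sequence above can also be scripted. The following is an added example, not part of the original post: it finds closed indexes by prefix, reopens them one by one, then asks Graylog to rebuild its index ranges. The ES_URL, GRAYLOG_API and GRAYLOG_AUTH values and the function names are assumptions, and the credentials are placeholders.

```shell
#!/bin/sh
# Added example: reopen closed Graylog indexes, then rebuild index ranges.
# The three settings below are assumptions; adjust them to your setup.
ES_URL="${ES_URL:-http://localhost:9200}"
GRAYLOG_API="${GRAYLOG_API:-http://localhost:9000/api}"
GRAYLOG_AUTH="${GRAYLOG_AUTH:-admin:changeme}"   # placeholder credentials

# Read "status index" lines (output of _cat/indices?h=status,index) on stdin
# and print the closed indexes whose name starts with the prefix in $1.
closed_indices() {
    awk -v p="$1" '$1 == "close" && index($2, p) == 1 { print $2 }' | sort
}

# Accept only plain index names so wildcards or slashes never reach the URL.
valid_index_name() {
    case "$1" in
        ""|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

reopen_and_rebuild() {
    prefix="$1"
    # List every index and filter locally by prefix and status.
    curl -s "$ES_URL/_cat/indices?h=status,index" |
        closed_indices "$prefix" |
        while read -r idx; do
            valid_index_name "$idx" || { echo "skip: $idx" >&2; continue; }
            echo "opening $idx"
            curl -s -XPOST "$ES_URL/$idx/_open"; echo
        done
    # Same action as "Maintenance" -> "Recalculate index ranges" in the UI.
    curl -s -u "$GRAYLOG_AUTH" -XPOST "$GRAYLOG_API/system/indices/ranges/rebuild"
}

# Run only when a prefix is given, e.g.:  sh reopen.sh graylog_
if [ "$#" -eq 1 ]; then reopen_and_rebuild "$1"; fi
```

Opening indexes one at a time, rather than with a wildcard, leaves a log line per index, so you can see exactly which ones were touched.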
