1

According to http://docs.graylog.org/en/1.3/pages/index_model.html, graylog2 deletes old indices based on the "elasticsearch_max_number_of_indices".

Why can't graylog2 allow no. of indices to grow?

Also, according to the same page above,

You have configured the maximum number of indices in your graylog.conf (elasticsearch_max_number_of_indices). When that number is reached the oldest indices will automatically be deleted. The deleting is performed by the graylog-server master node in a background process that is continuously comparing the actual number of indices with the configured maximum

graylog-server deletes the indices continuously, so if I were to restore an old index when we're already at the max elasticsearch_max_number_of_indices, will this push out one of the existing ones?

David C

1 Answer

1

The answer is simple: to save space and memory. If you kept everything, you would run out of space at some point. Every index also requires a certain amount of memory, so having more indices open will cause the cluster to run out of RAM eventually. This function is just a simple way to configure how much space you want Graylog to take. If you want to keep more indices, simply increase the maximum number of indices.

The indices are numbered sequentially, and you can restore an older index and access it if you really have to.

mzhaase
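
A pre-restore check for the count-based retention discussed on this page, as an added example that is not part of the original question or answer and is not Graylog's own code: it reads `elasticsearch_max_number_of_indices` from a config excerpt and lists the indices that exceed the limit. The config excerpt and index listing are constructed samples, and treating the lowest sequence number as the "oldest" index is an assumption.

```python
import re

# Constructed sample: excerpt of graylog.conf (values are illustrative).
GRAYLOG_CONF = """\
# graylog.conf excerpt
elasticsearch_index_prefix = graylog2
elasticsearch_max_number_of_indices = 3
"""

# Constructed sample: index names as `GET _cat/indices?h=index` lists them.
# graylog2_7 stands for an old index restored from a snapshot.
CAT_INDICES = """\
graylog2_41
graylog2_42
graylog2_43
graylog2_7
.kibana
"""

def read_setting(conf, key, default=None):
    """Return the value of `key = value` in a properties-style config."""
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k == key:
            return v
    return default

def managed_indices(cat_output, prefix):
    """Indices named <prefix>_<n>, sorted by n (numeric, not lexical)."""
    pat = re.compile(r"^%s_(\d+)$" % re.escape(prefix))
    found = [(int(m.group(1)), m.group(0))
             for m in map(pat.match, cat_output.split()) if m]
    return [name for _, name in sorted(found)]

def retention_plan(conf, cat_output):
    """Compare the index count with the configured maximum."""
    prefix = read_setting(conf, "elasticsearch_index_prefix", "graylog2")
    limit = int(read_setting(conf, "elasticsearch_max_number_of_indices"))
    indices = managed_indices(cat_output, prefix)
    excess = max(0, len(indices) - limit)
    # Assumption: "oldest" means lowest sequence number.
    return {"limit": limit, "count": len(indices), "over_limit": indices[:excess]}

if __name__ == "__main__":
    print(retention_plan(GRAYLOG_CONF, CAT_INDICES))
```

Under that assumption the restored `graylog2_7` is the index that falls outside the limit, so raising the maximum before restoring keeps both the restored index and the current ones.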