Graylog 2.4.6 manual index backup and restore

February 26, 2019

When you do not have enterprise support, closing and opening Elasticsearch indexes can break things in Graylog 2.4.6.

Elasticsearch Indexes Close/Open

The official Elasticsearch 2.4.6 documentation on closing and opening an index can be found here:

https://www.elastic.co/guide/en/elasticsearch/reference/2.4/indices-open-close.html

curl -XPOST 'localhost:9200/my_index/_close'

curl -XPOST 'localhost:9200/my_index/_open'

Closing an index

To close an index:

# curl -XPOST 'http://localhost:9200/graylog_900/_close'
{"acknowledged":true}

To close more than one index, use * (the example below closes all indexes that start with graylog_9):

# curl -XPOST 'http://localhost:9200/graylog_9*/_close'
{"acknowledged":true}
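
The wildcard form closes every index it matches, and that can include the index Graylog is currently writing to. The script below is an added example, not part of the original post: it lists what a prefix would match and skips indexes that are already closed as well as the active write index. It assumes Graylog's default write alias graylog_deflector; the sample listings and the script file name are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Lists the indices a prefix
# wildcard would close, skipping closed ones and the active write index.
ES_URL="${ES_URL:-http://localhost:9200}"
WRITE_ALIAS="${WRITE_ALIAS:-graylog_deflector}"  # assumption: default index prefix

# Constructed sample of: curl "$ES_URL/_cat/indices?h=index,status"
SAMPLE_INDICES='graylog_899 open
graylog_900 open
graylog_901 close
graylog_90 open
graylog_902 open'

# Constructed sample of: curl "$ES_URL/_cat/aliases?h=alias,index"
SAMPLE_ALIASES='graylog_deflector graylog_902'

# stdin: "alias index" lines; $1: alias name -> prints the index behind it
active_write_index() {
  awk -v a="$1" '$1 == a { print $2 }'
}

# stdin: "index status" lines; $1: name prefix; $2: index to protect
close_candidates() {
  awk -v p="$1" -v w="$2" \
    'index($1, p) == 1 && $2 == "open" && $1 != w { print $1 }'
}

# Live use (hypothetical file name): ./safe_close.sh --apply graylog_9
if [ "${1:-}" = "--apply" ]; then
  prefix="${2:?usage: $0 --apply <index-prefix>}"
  write=$(curl -s "$ES_URL/_cat/aliases?h=alias,index" |
          active_write_index "$WRITE_ALIAS")
  # Refuse to continue if the write index cannot be identified.
  [ -n "$write" ] || { echo "alias $WRITE_ALIAS not found" >&2; exit 1; }
  curl -s "$ES_URL/_cat/indices?h=index,status" |
    close_candidates "$prefix" "$write" |
    while read -r idx; do
      printf '%s: ' "$idx"
      curl -s -XPOST "$ES_URL/$idx/_close"; echo
    done
else
  # Offline dry run on the constructed sample.
  w=$(printf '%s\n' "$SAMPLE_ALIASES" | active_write_index "$WRITE_ALIAS")
  echo "active write index: $w"
  printf '%s\n' "$SAMPLE_INDICES" | close_candidates graylog_9 "$w"
fi
```

Run without arguments, it only prints the dry run on the sample data; nothing is closed unless --apply is given.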

Opening an index

To open an index:

# curl -XPOST 'http://localhost:9200/graylog_900/_open'

Graylog 2.4.6 issues when restoring an index

I ran into multiple problems after closing indexes. My biggest problem was that Graylog search suddenly wasn’t showing anything for the past 14 hours. I was receiving data just fine.

To fix this you need to rotate the index set.

Steps:

  1. Browse to menu item “System” -> “Indices”
  2. Click “Default Index Set”
  3. Click the button “Maintenance” -> “Rotate active write index”

Once you complete the above steps, you will be able to search the past 13 hours or so of data. If you are restoring a lot of indexes, I recommend “Maintenance” -> “Recalculate index ranges”.