You can configure global default settings for index sets. These defaults are applied automatically to each newly created index set.

For existing Graylog clusters, index set defaults are managed on the Configurations page; for new clusters, the defaults used to initialize index sets may be configured directly in the server.conf file.

Index Set Defaults Configuration

For existing Graylog clusters, you can manage the defaults in the Graylog interface by setting the desired value for each applicable setting.

  1. Navigate to System > Configurations and select Index Set Defaults from the side menu.

  2. Select Edit configuration.

  3. In the pop-up menu, you may configure your desired default settings to be applied to all newly created index sets. These settings and their default values are as follows:

    • Index Analyzer: standard

      Tokenizer to use for message and full_message fields. All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, and custom.

    • Shards per Index: 1

    • Replicas: 0

    • Index Optimization Disabled: not selected

      Disables the optimization of OpenSearch indices after index cycling. This may take some load from your data node on heavily used systems with large indices, but it will decrease search performance. The default is to optimize cycled indices.

    • Max. Number of Segments: 1

      A higher number may take some load from Elasticsearch/OpenSearch on heavily used systems with large indices, but it will decrease search performance.

    • Field type refresh interval: 5 minutes

    • Index Rotation Configuration

      • Select rotation strategy: Index Time Size Optimizing

        For more information on configuring this strategy, see Index Time Size Optimizing.

    • Index Retention Configuration

      • Select retention strategy: Delete

  4. When you have adjusted your preferred configuration values, select Update configuration to apply these settings.

Please note this configuration menu is only available for on-premise Graylog environments. Default index set configuration values for Graylog Cloud users are managed by Graylog directly.

Hint: Unless user-specified defaults are configured, the following defaults will be effective for all new index sets created: [Shards: 1] [Rotation Strategy: Time Size Optimizing - 30-40 days]. See the Graylog documentation on Time Size Optimizing for more information on this strategy.

New Graylog Cluster Index Set Initialization Defaults

New Graylog server clusters can initialize the settings for index sets with the following server configuration values. Please see the server.conf documentation for a full list of server properties, their descriptions, and example or recommended values.

  • elasticsearch_analyzer
  • elasticsearch_shards
  • elasticsearch_replicas
  • disable_index_optimization
  • index_optimization_max_num_segments
  • rotation_strategy
  • elasticsearch_max_docs_per_index
  • elasticsearch_max_size_per_index
  • elasticsearch_max_time_per_index
  • retention_strategy
  • elasticsearch_max_number_of_indices

Warning: If you are using a pre-existing version of the Graylog configuration file, it is recommended that you review these settings before upgrading to ensure the in-database defaults are established as expected with the upgrade. Although the server.conf sample configuration file now ships with all index default example properties commented out, you may be using an older version of the file where certain index default values were present and not commented out.
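One way to carry out the review this warning recommends, as an added example that is not part of Graylog or its documentation: a Python script that lists which of the index default properties named above are still active (uncommented) in a configuration file. The function names are hypothetical and the sample file content is constructed; pass the path to your own server.conf as the first argument to check a real file.

```python
import re
import sys

# Index default properties named in the list above.
INDEX_DEFAULT_KEYS = {
    "elasticsearch_analyzer", "elasticsearch_shards", "elasticsearch_replicas",
    "disable_index_optimization", "index_optimization_max_num_segments",
    "rotation_strategy", "elasticsearch_max_docs_per_index",
    "elasticsearch_max_size_per_index", "elasticsearch_max_time_per_index",
    "retention_strategy", "elasticsearch_max_number_of_indices",
}
# Properties-style line: key, optional '=' or ':' separator, value.
_LINE = re.compile(r"^\s*([^\s=:#!]+)\s*[=:]?\s*(.*?)\s*$")

SAMPLE_CONF = """\
# constructed sample, not a real server.conf
is_leader = true
elasticsearch_shards = 4
#elasticsearch_replicas = 0
  rotation_strategy=count
elasticsearch_max_docs_per_index = 20000000
! retention_strategy = delete
elasticsearch_shards: 2
"""

def active_index_defaults(conf_text):
    """Map each uncommented index default key to its [(line_no, value), ...]."""
    found = {}
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped[0] in "#!":  # blank line or comment
            continue
        m = _LINE.match(raw)
        if m and m.group(1) in INDEX_DEFAULT_KEYS:
            found.setdefault(m.group(1), []).append((line_no, m.group(2)))
    return found

def report(conf_text):
    """One line per active setting, flagging keys that appear more than once."""
    out = []
    for key, hits in sorted(active_index_defaults(conf_text).items()):
        for line_no, value in hits:
            dup = " (key set more than once)" if len(hits) > 1 else ""
            out.append(f"line {line_no}: {key} = {value}{dup}")
    return out

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print("\n".join(report(text)) or "no active index default properties")
```

Any property the script reports is active in the file and should be reviewed before the upgrade; commented-out lines are ignored.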

Once the first Graylog server instance is started to establish the cluster, the following system index sets will be created with the specified defaults.

Index Set Defaults Management

As noted in the Index Model documentation, you can manage your existing index sets from the Indices & Index Sets page by navigating to System > Indices.

Warning: Configuration of index set defaults may only be completed from the System > Configurations menu. Modifying the "Default index set" itself will not affect the global default values for all newly created index sets.