Index Defaults
You can configure default settings for index sets that will apply globally for newly created sets, allowing the default values to be applied automatically upon creation.
Index set defaults can be managed via the Configurations page for existing Graylog clusters; defaults for index set initialization created for new clusters may be configured directly in the server.conf file.
Index Set Defaults Configuration
Managing defaults for existing Graylog clusters may be done in the Graylog interface by determining the desired parameters for each applicable setting.
- Navigate to System > Configurations and select Index Set Defaults from the side menu.
- Select Edit configuration.
- In the pop-up menu, you may configure your desired default settings to be applied to all newly created index sets. These settings and their default values are as follows:
  - Index Analyzer: standard
    Tokenizer to use for message and full_message fields. All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, and custom.
  - Shards per Index: 1
  - Replicas: 0
  - Index Optimization Disabled: not selected
    Disables the optimization of OpenSearch indices after index cycling. This may take some load from your data node on heavily used systems with large indices, but it will decrease search performance. The default is to optimize cycled indices.
  - Max. Number of Segments: 1
    A higher number may take some load from Elasticsearch/OpenSearch on heavily used systems with large indices, but it will decrease search performance.
  - Field type refresh interval: 5 minutes
  - Index Rotation Configuration
    - Select rotation strategy: Index Time Size Optimizing
      For more information on configuring this strategy, see Index Time Size Optimizing.
  - Index Retention Configuration
    - Select rotation strategy: Delete
- When you have adjusted your preferred configuration values, select Update configuration to apply these settings.
Please note this configuration menu is only available for on-premise Graylog environments. Default index set configuration values for Graylog Cloud users are managed by Graylog directly.
[Shards: 1] [Rotation Strategy: Time Size Optimizing - 30-40 days]. See the Graylog documentation on Time Size Optimizing for more information on this strategy.
New Graylog Cluster Index Set Initialization Defaults
New Graylog server clusters can initialize the settings for index sets with the following server configuration values. Please see the server.conf documentation for a full list of server properties, their descriptions, and example or recommended values.
elasticsearch_analyzer
elasticsearch_shards
elasticsearch_replicas
disable_index_optimization
index_optimization_max_num_segments
rotation_strategy
elasticsearch_max_docs_per_index
elasticsearch_max_size_per_index
elasticsearch_max_time_per_index
retention_strategy
elasticsearch_max_number_of_indices
The server.conf sample configuration file now ships with all index default example properties commented out; you may be using an older version of the file where certain index default values were present and not commented out.
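To see which of the properties listed above are still active in an older server.conf before the first node starts, a check along the following lines can be used. This is an added example, not part of the Graylog documentation; it assumes plain `key = value` lines, the sample file content is constructed, and the mapping from the form fields to property names in `DOCUMENTED` is an assumption of this example.

```python
# Index default property names as listed on this page.
INDEX_DEFAULT_KEYS = (
    "elasticsearch_analyzer", "elasticsearch_shards", "elasticsearch_replicas",
    "disable_index_optimization", "index_optimization_max_num_segments",
    "rotation_strategy", "elasticsearch_max_docs_per_index",
    "elasticsearch_max_size_per_index", "elasticsearch_max_time_per_index",
    "retention_strategy", "elasticsearch_max_number_of_indices",
)
# Defaults this page lists for the Index Set Defaults form, keyed by the
# matching property name (the mapping is an assumption of this example).
DOCUMENTED = {
    "elasticsearch_analyzer": "standard",
    "elasticsearch_shards": "1",
    "elasticsearch_replicas": "0",
    "disable_index_optimization": "false",
    "index_optimization_max_num_segments": "1",
}

def active_index_defaults(conf_text):
    """Return {property: value} for index default properties that are not commented out."""
    active = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip blanks, comment lines, and anything that is not key = value.
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in INDEX_DEFAULT_KEYS:
            active[key] = value  # a later duplicate overrides an earlier one
    return active

def deviations(active):
    """Active values that differ from the defaults documented on this page."""
    return {k: v for k, v in active.items()
            if k in DOCUMENTED and v.lower() != DOCUMENTED[k]}

# Constructed sample resembling an older server.conf with some values left active.
SAMPLE = """\
# elasticsearch_analyzer = standard
elasticsearch_shards = 4
elasticsearch_replicas = 0
#rotation_strategy = count
retention_strategy = delete
elasticsearch_max_number_of_indices = 20
http_bind_address = 127.0.0.1:9000
"""

if __name__ == "__main__":
    found = active_index_defaults(SAMPLE)
    for key, value in found.items():
        print(f"active: {key} = {value}")
    for key, value in deviations(found).items():
        print(f"differs from documented default ({DOCUMENTED[key]}): {key} = {value}")
```

Any property the check reports as active will be used when the system index sets are initialized, so review those values before starting the first node.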
Once the first Graylog server instance is started to establish the cluster, the following system index sets will be created with the specified defaults.
- Default index set
- Graylog Events
- Graylog System Events
- Graylog Message Failures
- Restored Archives
- Investigation Events (for Graylog Security ONLY; see Investigations for more details.)
- Investigation Messages (for Graylog Security ONLY; see Investigations for more details.)
Index Set Defaults Management
As noted in the Index Model documentation, you can manage your existing index sets from the Indices & Index Sets page by navigating to System > Indices.