Graylog: Understanding indices

This documentation is part of the Manage retention guide. You can view the complete guide here: How to configure log retention.

👋 Welcome to the Stackhero documentation!

Stackhero offers a ready-to-use Graylog cloud solution that provides a host of benefits, including:

  • Unlimited and dedicated SMTP email server included.
  • Effortless updates with just a click.
  • Customisable domain name secured with HTTPS (for example, https://logs.your-company.com).
  • Optimal performance and robust security powered by a private and dedicated VM.

Save time and simplify your life: it only takes 5 minutes to try Stackhero's Graylog cloud hosting solution!

Before setting your retention policy, it is important to understand how the indices used by Graylog and OpenSearch work. Think of indices as physical containers. Graylog "opens" a container (an index) and places incoming messages inside it. When the quota assigned to that container is exceeded, the container is closed, placed on a shelf, and a new container is started for subsequent messages. In Graylog's own terms this is index rotation: a rotated index no longer receives writes, but it stays searchable, so it still counts towards the history available for investigations. (Do not confuse this with Graylog's "Close index" retention strategy, which makes an old index unsearchable without deleting it.)

You can set this quota using different criteria:

  1. A number of messages: "Keep 20 million messages per container, then start a new one."
  2. A time limit: "Use a container for 10 days, then switch to a new one."
  3. A size limit: "Store 20 GB per container, then move on to a new one."

A maximum number of containers that can be stored on the shelf is also defined. If this number is exceeded, the oldest containers are deleted automatically. For example, if you set a maximum of 20 containers and have 22 on the shelf, the 2 oldest containers will be removed. Note that the maximum includes the container currently being filled, so with a 10-day time limit and a maximum of 20 containers the oldest searchable data is between 190 and 200 days old, not a fixed 200 days. Pick that window deliberately: once an index is deleted its messages are gone, so the window must cover your compliance requirements and the time it may take to notice and investigate an incident. This guide assumes the "Delete index" retention strategy; Graylog also offers "Close index", which keeps the oldest indices on disk but unsearchable until they are reopened.

In this analogy, the containers are the indices, the shelf is OpenSearch, and the maximum number of containers is the maximum number of indices Graylog keeps in the index set.
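To make the rotation and retention mechanics concrete, here is a small simulation added for this page. It is not Stackhero's or Graylog's code, and the class and function names (IndexSet, Rotation, simulate_count_rotation, retention_window_days, worst_case_disk_bytes) are this example's own. It models one active index, a quota by message count, age or size, and a maximum number of indices, then shows how the guaranteed lookback window and the worst-case disk footprint follow from those two settings.

```python
"""Toy model of Graylog-style index rotation and retention.

Added example for this page, not Stackhero's or Graylog's code; the class
and function names are this example's own. One active (write) index, a
rotation quota given as a message count, an age or a size, and a maximum
number of indices. When the quota is exceeded the active index is rotated
and a new one opened; when the number of indices exceeds the maximum the
oldest are deleted, as Graylog's "Delete index" retention strategy does.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Literal, Tuple


@dataclass
class Index:
    name: str
    opened_at: datetime
    messages: int = 0
    size_bytes: int = 0


@dataclass
class Rotation:
    kind: Literal["count", "time", "size"]
    limit: int  # messages for "count", seconds for "time", bytes for "size"

    def exceeded(self, idx: Index, now: datetime) -> bool:
        if self.kind == "count":
            return idx.messages >= self.limit
        if self.kind == "time":
            return now - idx.opened_at >= timedelta(seconds=self.limit)
        return idx.size_bytes >= self.limit


class IndexSet:
    """The active index plus the shelf of rotated ones, oldest first."""

    def __init__(self, prefix: str, rotation: Rotation, max_indices: int, start: datetime):
        self.prefix, self.rotation, self.max_indices = prefix, rotation, max_indices
        self.created = 0
        self.indices: List[Index] = []
        self.deleted: List[str] = []
        self._open(start)

    def _open(self, now: datetime) -> None:
        # Graylog names indices <prefix>_<counter>; the newest one receives writes
        self.indices.append(Index(f"{self.prefix}_{self.created}", now))
        self.created += 1

    @property
    def active(self) -> Index:
        return self.indices[-1]

    def write(self, now: datetime, size_bytes: int) -> None:
        """Store one message, then apply rotation and retention.

        Real Graylog evaluates the quota from a periodic background job, so
        an index can overshoot its limit slightly; here the check is immediate.
        """
        self.active.messages += 1
        self.active.size_bytes += size_bytes
        if self.rotation.exceeded(self.active, now):
            self._open(now)
        # Retention: the active index counts towards the maximum
        while len(self.indices) > self.max_indices:
            self.deleted.append(self.indices.pop(0).name)

    def oldest_data_age(self, now: datetime) -> timedelta:
        return now - self.indices[0].opened_at


def simulate_count_rotation(messages: int, per_index: int, max_indices: int) -> Tuple[List[str], List[str]]:
    """Return (indices still on the shelf, indices deleted) after `messages` writes."""
    t0 = datetime(2024, 1, 1)  # constructed start time
    s = IndexSet("graylog", Rotation("count", per_index), max_indices, t0)
    for i in range(messages):
        s.write(t0 + timedelta(seconds=i), size_bytes=512)
    return [i.name for i in s.indices], s.deleted


def simulate_time_rotation(days: int, rotation_days: int, max_indices: int) -> int:
    """Age in days of the oldest retained data after one write per day up to day `days`."""
    t0 = datetime(2024, 1, 1)  # constructed start time
    s = IndexSet("graylog", Rotation("time", rotation_days * 86400), max_indices, t0)
    now = t0
    for d in range(days + 1):
        now = t0 + timedelta(days=d)
        s.write(now, size_bytes=512)
    return s.oldest_data_age(now).days


def retention_window_days(rotation_days: int, max_indices: int) -> Tuple[int, int]:
    """Guaranteed and maximum lookback for time-based rotation.

    The maximum includes the active index, so only max_indices - 1 indices
    are guaranteed to be complete rotation periods.
    """
    return (max_indices - 1) * rotation_days, max_indices * rotation_days


def worst_case_disk_bytes(size_limit: int, max_indices: int, replicas: int = 0) -> int:
    """Upper bound on storage for size-based rotation, primaries plus replicas."""
    return size_limit * max_indices * (1 + replicas)


if __name__ == "__main__":
    print(simulate_count_rotation(7, per_index=3, max_indices=2))
    print(simulate_time_rotation(200, rotation_days=10, max_indices=20), "days of lookback on day 200")
    print(retention_window_days(10, 20), "days guaranteed / maximum")
    print(worst_case_disk_bytes(20 * 2**30, 20, replicas=1) // 2**30, "GiB worst case")
```

Two things the simulation makes visible that the analogy alone does not: the guaranteed lookback is (max indices - 1) rotation periods, because the active index is counted but may be almost empty, and only the size-based quota gives a hard bound on disk usage, since a count or time quota says nothing about how large each index grows under a burst of logs.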