Single index or multiple index
Question
My environment architecture is I have 15 server. The details as below
Group 1 (Standalone)
- server 1 (2 app)
- server 2 3 app)
- server 3 (2 app)
- server 4 (3 app)
Group 2 (master and slave)
- server 5 master (2 app)
- server 6 slave (2 app)
Group 3 (master and 2 slave)
- server 7 master (3 app)
- server 8 slave (3 app)
- server 9 slave (3 app)
Group 4 (1 master 5 slave)
- server 10 master (1 app)
- server 11 slave (1 app)
- server 12 slave (1 app)
- server 13 slave (1 app)
- server 14 slave (1 app)
- server 15 slave (1 app)
Each application have 15 -20 logs
What is the best way in creating the index in logstash?
Is below better for index pattern app_name-log_name-YYMMDD
Later i want to visual in Kibana in below form table panel form consist of time, message based on respective log name
The below is data for a sinngle log. other log have simillar pattern but different data. i want to dispaly only for single log show single table
1 answers
solution1
0 2021-08-22 21:02:33
https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#_writing_to_different_indices_best_practices has a good starting point about creating custom index names. In general, I would think about combining into a single index what has both similar lifecycle (keep the data for 30 days for example) and similar structure (most of the same fields). As long as you have a field for the app, you can filter on that and it will work just as well.
Also, I'd strongly recommend to use ILM to get evenly sized indices rather than what happens with a daily index pattern.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.