All modules log into the same index in metricbeat - best practise?

owulff · March 27, 2017, 7:09pm

Hi there

I remember the following blog post about index vs type discussion:

Especially one statement:

Do your documents have similar mappings? If no, use different indices.

IMHO, this applies to the different modules because only a few fields match with each other. Therefore, I'm wondering how does the current approach in metricbeat really scales in terms of memory/disk usage. Of course, I could update this within logstash and route it to different indices but then all dashboards are broken. What do you recommend?

Thanks
Oli

ruflin · March 28, 2017, 2:33pm

You can already feed it now into different indices as the index name supports a format string. So you could use metricset.module for example as part of the index name. https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format-type.html#_format_string_sprintf

In general, something we are actively discussing internally. Having one index per module can also lead to shard explosion.

About the dashboards: Having it under metricbeat-{module.name}-* indices the dashboard pattern could still be metricbeat-* and this should still work.

owulff · March 29, 2017, 8:29pm

I know what you mean which shards explosion. At least it might make sense - if it's not already set - to have one shard per index.

Haven't yet migrated to 5.x so I hope it works.

Thanks
Oli

ruflin · March 30, 2017, 12:37pm

You are probably interested in this discussion: https://github.com/elastic/beats/issues/3431

system · April 17, 2017, 7:06pm

This topic was automatically closed after 21 days. New replies are no longer allowed.