Best practice about index pattern definition


I am creating an index for each type of logs being sent to the elasticsearch cluster (there might be like 5-6 index patterns overall). The patterns look like this : logstash-squid-%{+YYYY.MM}, or logstash-apache-%{+YYYY.MM}, etc.

I was wondering what the best practice on kibana would be when adding a pattern. Is it better to just go with one logstash-* for everything, then to add queries to filter the logs I want for the vizualisations, or should I add a pattern for each type of logs (e.g. logstash-squid-*) ? Would that make the searches, queries, and dashboard loading faster ?

Thanks for the insights !

Using logstash-* means you can view everything, which is useful. Or you can go for specific ones if you don't want people to see various log sets.

It depends on your needs really.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.