Best practice about index pattern definition

Houss · November 25, 2016, 6:26am

Hello,

I am creating an index for each type of logs being sent to the elasticsearch cluster (there might be like 5-6 index patterns overall). The patterns look like this : logstash-squid-%{+YYYY.MM}, or logstash-apache-%{+YYYY.MM}, etc.

I was wondering what the best practice on kibana would be when adding a pattern. Is it better to just go with one logstash-* for everything, then to add queries to filter the logs I want for the vizualisations, or should I add a pattern for each type of logs (e.g. logstash-squid-*) ? Would that make the searches, queries, and dashboard loading faster ?

Thanks for the insights !

warkolm · November 25, 2016, 7:16am

Using logstash-* means you can view everything, which is useful. Or you can go for specific ones if you don't want people to see various log sets.

It depends on your needs really.

system · December 23, 2016, 7:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.