Best practice about index pattern definition

Houss · November 25, 2016, 6:26am

Hello,

I am creating an index for each type of logs being sent to the elasticsearch cluster (there might be like 5-6 index patterns overall). The patterns look like this : logstash-squid-%{+YYYY.MM}, or logstash-apache-%{+YYYY.MM}, etc.

I was wondering what the best practice on kibana would be when adding a pattern. Is it better to just go with one logstash-* for everything, then to add queries to filter the logs I want for the vizualisations, or should I add a pattern for each type of logs (e.g. logstash-squid-*) ? Would that make the searches, queries, and dashboard loading faster ?

Thanks for the insights !

warkolm · November 25, 2016, 7:16am

Using logstash-* means you can view everything, which is useful. Or you can go for specific ones if you don't want people to see various log sets.

It depends on your needs really.

system · December 23, 2016, 7:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana and index patterns performance Kibana	4	757	December 26, 2019
What is the difference between :logstash- & logstash-* Logstash	8	690	November 30, 2017
Help in index pattern Kibana	4	738	February 27, 2018
Best practice in elasticsearch idnex Elasticsearch	6	277	September 15, 2021
Defining index patterns Kibana	3	386	September 12, 2018

Best practice about index pattern definition

Related topics