Best practice for indexing a daily log

David_Gidony · February 4, 2018, 9:12am

hi,
i have a few log files that are created daily,
i wanted to know what is the best way to ingest them,
should i create a new index with the current date for each log file, or just add them all to one big index.
for example:
i have dca.log.16.01.2018.log
dca.log.17.01.2018.log
dca.log.18.01.2018.log
dca.log.19.01.2018.log

should i create a new index every day ? or just create a index called "dca logs" and just add everything there ?
is there a limit for records in one index ? is there any advantage for splitting indexes?

what is the right way ?
i'm a noob in elk , and still trying to figure these thing up.

thanks
David

Christian_Dahlqvist · February 4, 2018, 9:13am

How large are your logs and how long do you want to keep them in the cluster?

Using time-based indices is great for managing retention, and considered best practice for log data. You do however not want a lot of small indices and shards as that can be very inefficient. It may therefore be good to use e.g. monthly indices instead or daily if your daily data volumes are low. You can find further guidance in this blog post.

system · March 4, 2018, 9:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How should I index the 100 billion log Logstash	4	350	May 25, 2018
Reasoning behind a daily logstash index? Logstash	3	2507	July 6, 2017
Elastic search Indexes Elasticsearch	4	413	March 27, 2018
Should we create New Index or Use the same index for all application logs(number of app ~ 5) Elasticsearch	4	392	January 17, 2021
Is greates store logs into one indice or store in N small indices? Elasticsearch	5	293	July 29, 2021

Best practice for indexing a daily log

Related topics