Hello boys and girls,
I have a few questions about best practices for managing my application logs on Elasticsearch:
Is it a good idea to create one index per app and per day to improve search performance?
My logs are in JSON format and in my Filebeat config I set keys_under_root: true. If the fields added on top of the Filebeat ones come to around 40, do I risk worse Elasticsearch performance? In that case, is it better to map the fields manually or dynamically?
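For reference, my Filebeat input looks roughly like this (the path is just a placeholder):

```yaml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/myapp/*.json    # placeholder path
    json.keys_under_root: true   # merge the JSON keys into the root of the event
```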
As for my app's exceptions, which carry extra fields on top of my usual log fields (for example stacktrace, message, callsite): is it a good idea to store them in a separate index, or can I safely keep them in the same index as the INFO, WARN, etc. logs without hurting performance?
Sorry for the many questions, but I would like to be sure of what I'm doing. If there is a guide that explains in detail how to manage application logs efficiently on Elasticsearch, it is welcome too.
Thanks, I hope I was clear
Please use [ILM](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-lifecycle-management.html) for managing time-based indices, like your log data.
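As a minimal sketch (the policy name, rollover thresholds and retention are just example values you would tune), a policy that rolls indices over daily or at a size limit and deletes them after 30 days looks like this in Kibana Dev Tools:

```json
PUT _ilm/policy/app-logs-policy
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": { "max_age": "1d", "max_size": "50gb" }
        }
      },
      "delete": {
        "min_age": "30d",
        "actions": { "delete": {} }
      }
    }
  }
}
```

You then attach the policy to an index template so every rolled-over index picks it up automatically.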
If the data structures of your logs are similar between apps, then you can put them into the same index. If you have requirements for different access or retention controls between apps, or the structures are not the same, then use different indices.
Overall, it's better to define explicit mappings to optimise data structure and storage. However, that can also be a bit of a rabbit hole.
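For example, a minimal explicit mapping for the fields you mentioned could be set in an index template like this (the template name, index pattern and field names are just assumptions based on your description):

```json
PUT _index_template/app-logs-template
{
  "index_patterns": ["app-logs-*"],
  "template": {
    "mappings": {
      "properties": {
        "@timestamp": { "type": "date" },
        "level":      { "type": "keyword" },
        "message":    { "type": "text" },
        "callsite":   { "type": "keyword" },
        "stacktrace": { "type": "text" }
      }
    }
  }
}
```

The ILM policy above can be attached in the same template via the index.lifecycle.* settings.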
Regarding the last question, I guess it depends on how big your stack traces are and how often they happen. If they are a rare occurrence, then just add them to the same index; that will save a tonne of complexity.