Best practices for managing application logs

Hello boys and girls,
I have a few questions about best practices for managing my application logs on Elastic:

  • Is it a good idea to create an index per app and day to improve search performance?
  • I have logs in JSON format and in my Filebeat I set keys_under_root: true. If the fields added to those of Filebeat are 40, do I risk getting worse Elastic performance? Is it better if I map the fields manually or dynamically in this case?
  • As for the exceptions of my app, which have these other fields in addition to those of my log (for example stacktrace, message, callsite): is it a good idea to save them in a separate index, or can I safely save them in the one where I also save the INFO, WARN etc. logs, without worsening performance?

Sorry for the many questions, but I would like to be sure of what I do. And if there is a guide that explains in detail how to efficiently manage application logs on Elastic, it is welcome.
Thanks, I hope I was clear.

Welcome to our community! :smiley:

Please use [ILM](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-lifecycle-management.html) for managing time-based indices, like your log data.
If the data structures of your logs are similar between apps, then you can put them into the same index. If you have requirements for different access or retention controls between apps, or the structures are not the same, then use different indices.

Overall, it's better to use explicit mappings to optimise data structure and storage. However, that can also be a bit of a rabbit hole to optimise.

Regarding the last question, I guess it depends on how big your stack traces are and how often they happen. If it's a rare occurrence, then just add them to the same index. That will save a tonne of complexity.

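The following is an added example, not code from the original thread or from Elastic: a small Python script that builds the three pieces the reply recommends for one app's JSON logs (an ILM policy with rollover and a delete phase, a composable index template with an explicit mapping that holds stack traces in the same index as INFO/WARN lines, and the bootstrap index carrying the write alias), and then checks constructed sample events against that mapping so that fields an explicit mapping would not index are noticed before the data is shipped. The app name `payments`, the alias `logs-payments`, the 30-day retention, the field limit of 200, the ECS-style fields `@timestamp`, `log.level`, `log.logger`, `log.file.path`, `host.name` and the unmapped `request_id` field are all assumptions for the illustration; only `message`, `stacktrace` and `callsite` come from the question.

```python
import json
from typing import Any, Dict, List, Tuple

# Explicit mapping for the JSON log fields from the question (message, stacktrace,
# callsite) plus a few assumed Filebeat/ECS fields. "dynamic": "false" means that
# any field not listed here is kept in _source but never indexed, so the mapping
# cannot grow with every new key an app happens to emit.
LOG_MAPPING: Dict[str, Any] = {
    "dynamic": "false",
    "properties": {
        "@timestamp": {"type": "date"},
        "log": {"properties": {
            "level": {"type": "keyword"},
            "logger": {"type": "keyword"},
            "file": {"properties": {"path": {"type": "keyword"}}},
        }},
        "host": {"properties": {"name": {"type": "keyword"}}},
        "message": {"type": "text"},
        "callsite": {"type": "keyword", "ignore_above": 1024},
        # Stack traces stay in the same index as INFO/WARN lines, as the reply
        # suggests: full-text searchable, but without norms since relevance
        # scoring is not needed on them.
        "stacktrace": {"type": "text", "norms": False},
    },
}


def ilm_policy(retention_days: int, max_age: str = "1d",
               max_shard_size: str = "50gb") -> Dict[str, Any]:
    """ILM policy: roll the hot index over daily or when a primary shard reaches
    max_shard_size, and delete indices once they are retention_days old."""
    return {"policy": {"phases": {
        "hot": {"min_age": "0ms", "actions": {"rollover": {
            "max_age": max_age, "max_primary_shard_size": max_shard_size}}},
        "delete": {"min_age": f"{retention_days}d", "actions": {"delete": {}}},
    }}}


def index_template(app: str, field_limit: int = 200) -> Dict[str, Any]:
    """Composable index template binding the mapping and ILM policy to one app's
    indices. One alias per app is what lets access and retention differ by app."""
    alias = f"logs-{app}"
    return {
        "index_patterns": [f"{alias}-*"],
        "priority": 200,
        "template": {
            "settings": {
                "index.lifecycle.name": f"{alias}-policy",
                "index.lifecycle.rollover_alias": alias,
                # Elasticsearch's default is 1000; a lower limit (assumed value)
                # makes a mapping explosion fail loudly instead of creeping up.
                "index.mapping.total_fields.limit": field_limit,
            },
            "mappings": LOG_MAPPING,
        },
    }


def bootstrap_requests(app: str, retention_days: int) -> List[Tuple[str, str, Dict[str, Any]]]:
    """The three PUTs, in order, that set up ILM-managed indices for one app:
    policy, template, then the first index carrying the write alias."""
    alias = f"logs-{app}"
    return [
        ("PUT", f"/_ilm/policy/{alias}-policy", ilm_policy(retention_days)),
        ("PUT", f"/_index_template/{alias}-template", index_template(app)),
        ("PUT", f"/{alias}-000001", {"aliases": {alias: {"is_write_index": True}}}),
    ]


def unmapped_fields(event: Dict[str, Any], mapping: Dict[str, Any], prefix: str = "") -> List[str]:
    """Dotted paths in `event` that the explicit mapping does not cover. With
    dynamic:false these become silently unsearchable; with dynamic:strict the whole
    document would be rejected. Either way, better to know before shipping."""
    props = mapping.get("properties", {})
    missing: List[str] = []
    for key, value in event.items():
        path = f"{prefix}{key}"
        if key not in props:
            missing.append(path)
        elif isinstance(value, dict) and "properties" in props[key]:
            missing.extend(unmapped_fields(value, props[key], path + "."))
    return sorted(missing)


# Constructed sample events in the shape Filebeat emits with keys_under_root: true.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"@timestamp": "2024-03-01T10:00:00Z", "log": {"level": "INFO", "logger": "checkout"},
     "message": "order accepted", "callsite": "Checkout.java:42", "host": {"name": "web-1"}},
    {"@timestamp": "2024-03-01T10:00:05Z", "log": {"level": "ERROR", "logger": "checkout"},
     "message": "payment failed", "callsite": "Checkout.java:88",
     "stacktrace": "java.lang.IllegalStateException: gateway timeout\n\tat Checkout.pay(Checkout.java:88)",
     "request_id": "7f3c2a", "host": {"name": "web-1"}},
]


if __name__ == "__main__":
    for method, path, body in bootstrap_requests("payments", retention_days=30):
        print(f"{method} {path}\n{json.dumps(body, indent=2)}\n")
    for event in SAMPLE_EVENTS:
        print("unmapped:", unmapped_fields(event, LOG_MAPPING))
```

Running it prints the three request bodies, which can be pasted into the Kibana dev console or sent with curl in that order (the write alias must exist before ILM can roll over). The second sample event reports `request_id` as unmapped: under `dynamic: false` it would be stored but not searchable, which is the trade-off the reply's "explicit mappings" advice implies, so either add it to the mapping or accept that it is not queryable. Switching the mapping to `"dynamic": "strict"` turns that into a hard indexing error instead.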
