Date in the name of an index

Hello everyone, I would like to ask about the generation of indices.

I have noticed that in the logstash output in many example cases it is usually written:

output {
  elasticsearch {
    hosts => ["x.x.x.x"]
    # Elasticsearch index names must be lowercase, so "EXAMPLE-..." is written as "example-..."
    index => "example-%{+YYYY.MM.dd}"
  }
}

I emphasize that the date is placed in the name. In this way, day by day, it will generate a new index. Isn't it better to have only one index? Why is this done?

Depending on your partitioning strategy, indices can be one, daily, weekly, monthly .....

The most efficient way to delete data is to drop an entire index. So if you want to keep 30 days of data it is fast to delete the oldest index. If you used a single index then you would need to delete using a query, which is far more expensive.

There are also reasons to keep different document types in different indexes, because elasticsearch does not handle sparse datasets well (although it is much improved in V7 I believe).
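As an added illustration of the retention point in the reply above (this is example code, not from the thread or from Elastic), the following simulates the policy that a dated index name makes possible: `index => "example-%{+YYYY.MM.dd}"` puts each day's events into their own index, so keeping 30 days of data means dropping whole indices whose date falls outside the window. The single-index alternative is shown beside it as the range query a delete-by-query would have to evaluate document by document. The index listing, the prefix `example`, the field name `@timestamp` and the date 2019-06-30 are constructed sample values.

```python
from datetime import date, timedelta
import re

# Shape of a Logstash-generated daily index name: <prefix>-YYYY.MM.dd
DAILY_INDEX = re.compile(
    r"^(?P<prefix>[a-z0-9_-]+)-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$"
)


def index_name_for(prefix: str, event_day: date) -> str:
    """Mimic the expansion of index => "<prefix>-%{+YYYY.MM.dd}" for one event.
    Elasticsearch rejects uppercase index names, so the prefix is lowercased."""
    return f"{prefix.lower()}-{event_day:%Y.%m.%d}"


def parse_daily_index(name: str):
    """Return (prefix, date) for a daily index name, or None if the name does
    not follow the pattern or carries an impossible date."""
    m = DAILY_INDEX.match(name)
    if not m:
        return None
    try:
        return m["prefix"], date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # e.g. example-2019.02.30
        return None


def indices_to_drop(names, prefix: str, keep_days: int, today: date):
    """Select whole indices to delete under a keep-N-days policy.

    Only names that parse cleanly and belong to `prefix` are candidates;
    anything else (other pipelines' indices, .kibana, malformed names) is
    left alone, so a sloppy pattern cannot widen the deletion."""
    oldest_kept = today - timedelta(days=keep_days - 1)
    doomed = []
    for name in names:
        parsed = parse_daily_index(name)
        if parsed is None:
            continue
        idx_prefix, idx_day = parsed
        if idx_prefix == prefix and idx_day < oldest_kept:
            doomed.append(name)
    return sorted(doomed)


def delete_by_query_body(timestamp_field: str, keep_days: int, today: date) -> dict:
    """The single-index alternative: a range query that delete-by-query would
    evaluate document by document, the expensive path the reply warns about."""
    oldest_kept = today - timedelta(days=keep_days - 1)
    return {"query": {"range": {timestamp_field: {"lt": oldest_kept.isoformat()}}}}


# Constructed sample: a cluster listing as seen on TODAY (not real data)
TODAY = date(2019, 6, 30)
SAMPLE_INDICES = [
    "example-2019.05.30",
    "example-2019.05.31",
    "example-2019.06.01",
    "example-2019.06.30",
    "example-2019.02.30",   # malformed date, must be ignored
    "other-2019.01.01",     # different pipeline, must be ignored
    ".kibana",
]

if __name__ == "__main__":
    print(index_name_for("EXAMPLE", TODAY))
    print(indices_to_drop(SAMPLE_INDICES, "example", 30, TODAY))
    print(delete_by_query_body("@timestamp", 30, TODAY))
```

Run as-is, it lists the two indices older than the 30-day window and the range query that the one-big-index design would need instead. In practice the drop list would feed a DELETE of each named index, which is a single metadata operation per day of data rather than a scan of every document.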
