Hi all,
The question first : ) Do Kibana time-based searches depend on the index pattern at all?
The context: I have a log cluster, where logs are indexed in indexes named logstash-. I would like to merge a number of indexes into one, to decrease the number of shards.
One option is simply to use the Shrink API, which is not really helpful in this case, because of the shard relocation which needs to take place. Due to the load on the cluster, it takes too long.
Another option is to "manually merge" a number of indexes, e.g. merge 7 daily indexes into 1 week index. That sounds like a nice plan, but I have a concern that searches might not work as expected, if ELK uses the index pattern to somehow optimize the search.
So, does it happen, i.e. does Kibana use the date info in index names, to optimize the search somehow?
Thanks in advance!