Full text vs multi fields

mkorayem · October 23, 2017, 7:07pm

Hi,
Which is better, as an example for logs (it will be Linux, windows, network devices, UPS, cameras, etc ...)

Keep the message in one field and depend on full text search
or grok them into multiple known fields such as program, id, ssh user, failed login , etc ...

Also, make each separate type in a different index like from /var/log/secure and others from /var/log/messages or network devices in another index or make index by day and put all syslog together?

warkolm · October 25, 2017, 4:10am

It's always going to be better to break the message down into fields.

Put logs that share the same format in the same index, otherwise they should have their own.

system · November 22, 2017, 4:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.