Full text vs multi fields

Which is better, as an example, for logs (they will come from Linux, Windows, network devices, UPS, cameras, etc.)?

  1. Keep the message in one field and depend on full-text search
  2. Or grok them into multiple known fields such as program, id, ssh user, failed login, etc.

Also, should each separate type go in a different index, e.g. logs from /var/log/secure in one index, others from /var/log/messages in another, and network devices in a third? Or should I make one index per day and put all syslog together?

It's always going to be better to break the message down into fields.

Put logs that share the same format in the same index, otherwise they should have their own.
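As an added illustration of what option 2 buys you (this is not code from the original thread or from Logstash), the script below compiles grok-style `%{NAME:field}` patterns into Python regexes, parses a few constructed /var/log/secure-style lines into fields, and then aggregates failed logins per user and per source address. The pattern library is a simplified approximation of the stock Logstash patterns, and the log lines, hostname and addresses are constructed sample data. The `fulltext_hits` helper shows the weaker answer a plain substring search over the whole message gives for the same question.

```python
import re
from collections import Counter

# Simplified grok pattern library (assumption: approximations of the stock
# Logstash definitions, kept small for the example).
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "TIME": r"(?:[01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9.-]*",
    "WORD": r"\w+",
    "POSINT": r"[1-9][0-9]*",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "GREEDYDATA": r".*",
}

# Matches %{NAME} or %{NAME:field} references inside a grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern: str) -> re.Pattern:
    """Expand grok references (recursively) into a regex with named groups."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        inner = GROK_REF.sub(expand, GROK_PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return re.compile(GROK_REF.sub(expand, pattern))


# Envelope shared by every classic syslog line: timestamp, host, program[pid]: message
SYSLOG = compile_grok(
    r"^%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}"
    r"(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}$"
)

# sshd authentication outcome: "Failed password for invalid user X from IP port N ssh2"
# or "Accepted publickey for X from IP port N ssh2: ..."
SSHD_AUTH = compile_grok(
    r"^%{WORD:result} %{WORD:method} for (?:invalid user )?%{USERNAME:user}"
    r" from %{IP:src_ip} port %{POSINT:src_port}"
)

# Constructed sample lines in /var/log/secure style (RFC 5737 documentation addresses).
LOG_LINES = [
    "Mar  3 10:15:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:15:03 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Mar  3 10:15:04 bastion sshd[2203]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Mar  3 10:15:09 bastion sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: RSA SHA256:placeholder",
    "Mar  3 10:16:00 bastion CRON[2215]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_line(line: str):
    """Return a dict of fields for a syslog line, or None if it does not match the envelope."""
    m = SYSLOG.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Program-specific second stage: only sshd messages get the auth fields.
    if event["program"] == "sshd":
        auth = SSHD_AUTH.match(event["message"])
        if auth:
            event.update(auth.groupdict())
    return event


def failed_logins_by_user(lines) -> Counter:
    """Aggregate on structured fields: only sshd events whose result field is 'Failed'."""
    return Counter(
        ev["user"] for ev in map(parse_line, lines)
        if ev and ev.get("result") == "Failed"
    )


def failed_logins_by_source(lines) -> Counter:
    return Counter(
        ev["src_ip"] for ev in map(parse_line, lines)
        if ev and ev.get("result") == "Failed"
    )


def fulltext_hits(lines, term: str) -> int:
    """The full-text equivalent: count lines containing the term anywhere in the message."""
    return sum(1 for line in lines if term in line)


if __name__ == "__main__":
    print("failed logins by user:  ", dict(failed_logins_by_user(LOG_LINES)))
    print("failed logins by source:", dict(failed_logins_by_source(LOG_LINES)))
    print("lines mentioning 'root':", fulltext_hits(LOG_LINES, "root"))
```

With the sample data the field-based query reports two failed logins for `root` and one for `admin`, all from 203.0.113.5, while a full-text search for `root` also counts the unrelated CRON line; that difference is what you are paying for when you skip the grok stage and rely on searching the raw message. The same two-stage layout (shared syslog envelope, then a per-program pattern) is how you would keep one parser per log format, which also lines up with the advice above to keep logs that share a format in the same index.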
