Handling different flows in data streams

Zain_Ul_Abideen · August 22, 2024, 7:30am

Hello,

I have been using data streams for my business flow logs, each flow has the different log structure. I have couple of solutions in mind:

Having same structure for each flow and keep stringified version of log object in particular key. For example:

{
                tag: '--ELK--',
                function: '<function name>',
                options: <stringified object>
}

this will inefficient in searching

Having same structure for each flow and keep nested object of log object in particular key. For example:

{
                tag: '--ELK--',
                function: '<function name>',
                options: <JSON object>
}

this will add complexity in writing in the indices as lucene index does not have nested object support.

Is there a way to control the index creation in the data stream in such a way that index could be created as per flow for example: if I have login, signup, and logout flows, in my logs-datastream if I could create different index in the data stream for each flow so that each index would have it's own structure.

Kindly suggest. TIA

arm · August 22, 2024, 7:36am

Another thing I can add over here is parsing the data as fields and values,

{
   "key": "property_name",
   "value": "property_value"
}

Topic		Replies	Views
Data Streams vs "Traditionally" Elastic Indexes Elasticsearch	7	2923	October 10, 2022
How to configure datastream and ILM to keep logs for specific time Logs ilm-index-lifecycle-management	3	366	June 2, 2021
Indexing best practice Elasticsearch	4	447	December 23, 2020
Best practice for managing many log formats with data streams Elasticsearch	5	82	July 22, 2024
Elasticsearch ILM Policies Elasticsearch ilm-index-lifecycle-management	1	230	October 21, 2023