We’re looking for best practices for structuring our application log streams to utilize the built in ML capacities in Observabilty. Today we log everything from 30 different services with Serilog to the same datastream in elastic. We log with the Serilog formatter (ECS compatible) and tag all logs with the same event.dataset.
With this setup we seem to get little or no value out of the Anomalies and Categories parts of the solution. Also the tie in/correlation with APM is not great.
Can someone help us with advice or any best practices around how to structure the logging to get the most value from the Observability solution?
Any pointers are much appreciated 