Index naming for large amount of log sources

Hello. We are going to index application logs from a lot of Windows application clusters, servers and ... Currently we are using the following index naming:

clustername-logtype-YEAR.MONTH, for example bigwebcluster-eventlog-2017.07, bigwebcluster-iis-2017.07, ...

For every -logtype- we have elasticsearch index template. For some very loggy clusters, we also add clustername-logtype-* templates with different shard numbers.

If we want to search for some logtype in different app cluster logs, we use a -logtype- pattern in Kibana. For X-Pack permissions we limit the access per clustertype, so roleXZ has access to bigwebcluster-, ... If we want to search across all types for some cluster we use a clustername- pattern.

Is it a good idea to do naming like this? Or is it better to do naming like logtype-clustername-YEAR.MONTH? Which search is faster: -logtype- or logtype-*?
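To see how the two naming layouts interact with prefix-based role grants, here is an added example (not from the original post or from Elastic) that models how an index-privilege pattern such as bigwebcluster-* and a Kibana index pattern such as *-iis-* resolve against a constructed set of index names; the role name, index names and the helper functions are assumptions for illustration.

```python
"""Model of Elasticsearch index-privilege and Kibana index-pattern
resolution for the naming layouts discussed above. Wildcards are
plain '*' matching, as used in index templates and role privileges.
All index names and the role are constructed for this example."""
from fnmatch import fnmatchcase

# Constructed sample indices in the cluster-first layout from the post.
CLUSTER_FIRST = [
    "bigwebcluster-eventlog-2017.07", "bigwebcluster-iis-2017.07",
    "bigwebcluster-eventlog-2017.06",
    "smallapp-eventlog-2017.07", "smallapp-iis-2017.07",
]


def to_logtype_first(name: str) -> str:
    """Rename clustername-logtype-YYYY.MM to logtype-clustername-YYYY.MM."""
    cluster, logtype, period = name.split("-", 2)
    return f"{logtype}-{cluster}-{period}"


# The same indices under the alternative layout asked about in the post.
LOGTYPE_FIRST = [to_logtype_first(n) for n in CLUSTER_FIRST]


def authorized(indices, role_patterns):
    """Indices a role may see: any index matching one of its patterns."""
    return [i for i in indices
            if any(fnmatchcase(i, p) for p in role_patterns)]


def resolve(kibana_pattern, indices, role_patterns):
    """What a Kibana index pattern resolves to for a user holding
    role_patterns. In this model wildcard expansion only ranges over
    authorized indices, so a broad pattern cannot widen the grant."""
    return sorted(i for i in authorized(indices, role_patterns)
                  if fnmatchcase(i, kibana_pattern))


if __name__ == "__main__":
    role = ["bigwebcluster-*"]  # hypothetical roleXZ from the post
    # Cluster-first naming: a cross-cluster logtype search stays scoped.
    print(resolve("*-iis-*", CLUSTER_FIRST, role))
    # Logtype-first naming: the same prefix grant matches nothing, so the
    # role would need a leading-wildcard pattern to keep working.
    print(resolve("iis-*", LOGTYPE_FIRST, role))
    print(resolve("iis-*", LOGTYPE_FIRST, ["*-bigwebcluster-*"]))
```

The practical consequence is that role patterns must be written for whichever field comes first in the index name; a prefix grant like bigwebcluster-* only stays meaningful under the cluster-first layout.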


That seems like the best idea.
