Hello. We are going to index application logs from a lot of Windows application clusters, servers and ... Currently we are using the following index naming:
clustername-logtype-YEAR.MONTH, for example bigwebcluster-eventlog-2017.07, bigwebcluster-iis-2017.07, ...
For every -logtype- we have an Elasticsearch index template. For some very loggy clusters, we also add clustername-logtype-* templates with different shard numbers.
If we want to search for some logtype in different app cluster logs, we use the *-logtype-* pattern in Kibana. For X-Pack permissions we limit the access per clustertype, so roleXZ has access to bigwebcluster-*, ... If we want to search across all types for some cluster, we use the clustername-* pattern.
Is it a good idea to do the naming like this? Or is it better to do the naming like logtype-clustername-YEAR.MONTH? Which search is faster: *-logtype-* or logtype-*?