Hi guys, i am parsing syslog logs from different sources (firewal, polyphone,etc), my question is what is better, to use only one index or have multiple index (one per source)
Regards
It's difficult to say what is better without knowing more of your use case, so I will provide you the key points for you to think about so you can figure out.
The main point in this decision is the index shard that will use resources. You need to keep the shard count per node under control, otherwise the nodes will eventually suffer memory pressure. That being said:
- If you use an index per type, while you will gain a finer-grained control of retention period per type, it can potentially create a shard count per node explosion.
- If you use a single index pattern for all types, it will be easier to keep shard count per node under control, but then you need to live with a single retention period for all the types.
Additionally, checkout this article for more insights on this subject: https://www.elastic.co/blog/how-many-shards-should-i-have-in-my-elasticsearch-cluster
Hope that helps!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.