Hello,
I have a design-related conundrum, and I'm hoping somebody might have already come across the same problem.
We have set up ELK to ingest logs from a variety of sources. These come in different types (such as linux logs, nginx logs, etc) -- I will call these groups. Metrics will be parsed out of these logs. A minority of metrics are common and will be normalised across all groups, but most of them will be group-specific.
We have as a requirement to have visualisations of these metrics. norms are not required on these fields, but I believe doc_values are (see below). The number of groups is expected to grow as the service gains acceptance in our enterprise.
I'm not sure how to best set up our indexing strategy, though. I have the following alternatives:
-
Use a separate index series for each group (for example
log-linux-*,log-nginx-*). This produces dense data in each index, however the number of shards/indexes on my hot nodes will scale with the number of groups -- which may become a problem in the future. -
Use a common index for all data. This will produce a sparse data set but the number of shards will be minimal. I'm not sure how big of a problem this is, as far as I'm aware the only real problem is wasted disk space, but maybe you are aware of others?
-
Use a common index for all data, turning off
doc_valuesfor all fields except the normalised minority. I'm not sure if this will result in the metrics being unusable for visualisations. As far as I understand thedoc_valuesare needed for all aggregations, so even an average would not work which would make a simple line graph over time impossible. Please correct me if I'm wrong. -
Some other strategy I haven't thought of.
I appreciate any thoughts or pointers you might have.
//Dan