I am currently on Elasticsearch version 8.16 and considering using the LogsDB index mode for its benefits, particularly the improved querying speed and reduced storage footprint with the new sorting feature (up to 20%, based on the Elastic blog). However, I understand that starting with version 8.17, the synthetic _source feature is only available with an Enterprise license.
Since I do not want to risk a sudden increase in log storage size after enabling the logsdb and later upgrading to 8.17 (if we do not have a valid Enterprise license), I want to know:
Is it possible to enable LogsDB mode to take advantage of sorting-based storage savings and faster queries but disable synthetic _source? (Cause I didn't find any setting for this)
Is there any recommended approach to avoid potential issues when upgrading from 8.16 to 8.17 while using LogsDB, particularly without an Enterprise license?
Yes, you can use logsdb without synthetic_source. I don't think that a specific setting exists; it will use synthetic_source if you have an enterprise license and the normal _source if you don't.
@leandrojmp Thanks for the fast reply. This is something that I am concerned about. Using the logsdb index mode, I will benefit from the synthetic_source feature in my Elastic cluster (version 8.16) if there is no setting to disable this, which, together with smart sorting, provides around 50-60% storage savings.
However, if I upgrade to version 8.17 or later in future, the synthetic_source feature will be ignored as I don't have the required license. This will result in a big reversion of the storage savings, significantly impacting cluster storage occupancy.
For instance, we are ingesting around 300 GB of logs per day, so a 20-30% reversion would be significant.
Great questions, but I think we are all perhaps missing something.
LogsDB in 8.16 is in Technical Preview mode... we would never suggest that you use this in production, especially at the scale you are working with. Technical Preview means that the capability is subject to change... including breaking changes, which it has / is effectively with the 8.17 GA / licensing change.
The documentation literally says this
Logs data streams and the logsdb index mode are in tech preview and may be changed or removed in the future. Don’t use logs data streams or logsdb index mode in production.
So we / I would suggest that you not enable logsdb in production before you upgrade to 8.17 in the first place.
@leandrojmp @Behnam.R
To close it out a bit...
Turns out there is a default value and setting for non-synthetic, stored, etc., and yup, it needs to be better documented.