I'm trying to implement mapping for multiple users without triggering mapping conflict errors for log data. As of now we have about a 1000 users storing data in the cluster for 30 days.
Right now we're storing data in a indice per day fashion (logs-Y-M-D). We parse json data in our logs automatically and store it, some users will use the same value for example json.time="July 1st 2019, 11:04:40.870" but another user might set a timestamp json.time=1561971916.
Should we switch to an incide per user per day (1000*30 indices) or are there other options?
Something I thought of is to store the json value in a per user variable for example USERID.json.time='timevalue'.