If all of the other fields are truly similar, then I would put all in one index. Sparse fields are a consideration, but it would be the same if not worse with multiple mapping types per index.
As a point to ponder: starting in Elasticsearch 6.0, only one mapping type per index will be supported.
It depends on the number of log messages generated by each application per day and how you want to handle it. Here are a few scenarios that you might want to consider:
how long do you want to keep the log messages per application?
how often do you query/aggregate info per application?
does the message field have text in one language? do you need to support multi-language search?
Here are my suggestions regarding indexing data:
If you want to use 1 index for all log messages, I suggest trying / where is the document type used by Elasticsearch.
If you want to use 1 index for each application, you can name the index like log-; this will allow you to search for info per index using log- as an index name, or use the alias "logs" that points (or is mapped) to all log- indices. In Kibana, you can also use "log-*" to search for info in all indices with the "log-" prefix.
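Added example (not from the thread above): the per-application scheme in the last reply, worked offline. It assumes index names of the form log-<app>-<yyyy.MM.dd> (the <app> and date suffixes are assumptions; the reply only shows the "log-" prefix), builds the `_aliases` request body that points one alias "logs" at every log-* index, and applies the per-application retention the reply's first question asks about.

```python
"""Alias body for log-* indices plus per-application retention selection.
Added example, not the original poster's code. Index naming
log-<app>-<yyyy.MM.dd> and the sample data below are constructed."""
import json
import re
from datetime import date, timedelta

# Constructed sample data: one index per application per day.
INDICES = [
    "log-apache-2024.05.01", "log-apache-2024.05.20",
    "log-auth-2024.04.01", "log-auth-2024.05.20",
    "metrics-2024.05.20",  # not a log index; must be ignored
]
# Constructed per-application retention in days (the reply's question
# "how long do you want to keep the log messages per application?").
RETENTION_DAYS = {"apache": 7, "auth": 90}
INDEX_RE = re.compile(r"^log-(?P<app>[a-z0-9_]+)-(?P<d>\d{4}\.\d{2}\.\d{2})$")


def _to_date(text):
    """Parse the yyyy.MM.dd suffix used in the index names."""
    return date(*map(int, text.split(".")))


def alias_actions(indices, alias="logs"):
    """Body for POST /_aliases: one 'add' action per log-* index, so a
    single alias covers all applications (non-log indices are skipped)."""
    return {"actions": [{"add": {"index": name, "alias": alias}}
                        for name in indices if INDEX_RE.match(name)]}


def expired_indices(indices, retention, today):
    """Return log indices older than their application's retention.
    Applications without a configured retention are never selected."""
    today = _to_date(today)
    expired = []
    for name in indices:
        m = INDEX_RE.match(name)
        if not m or m["app"] not in retention:
            continue
        if today - _to_date(m["d"]) > timedelta(days=retention[m["app"]]):
            expired.append(name)
    return expired


if __name__ == "__main__":
    print(json.dumps(alias_actions(INDICES), indent=1))
    print("to delete:", expired_indices(INDICES, RETENTION_DAYS, "2024.05.21"))
```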