Hi, we are starting to index our application logs into Elasticsearch using 5.4.
All our logs obviously have common fields like timestamp, threads, log level, etc.
But the log message is where each log is different. We are storing the log message as JSON so we can index and aggregate on it as well.
The question is: if each application has a different "message", should we index all applications in the same index or use 1 index per application?
I'm assuming if we use 1 index for all logs we will have sparse fields on the message part. Does that matter?
If we go down the route of 1 log 1 index, how can we correlate, say, between the API gateway log and the microservice log?