I am new to the Elasticsearch world, so please forgive my ignorance. I have just finished a new ELK installation, and after logging in to Kibana it is asking me for an "index pattern". If I have 10 hosts shipping their logs to ELK and I use filebeat on 5 of them and some other solution (i.e. syslog) on the other 5, what should I put into the "index pattern"? Is the "index pattern" somehow related to what is sending the logs or where it is sent from? If the former, should I use "filebeat-*" as the index pattern? If the latter -> "hostname-*" as an index pattern?
But is the index pattern related to what is sending or where it is sent from?
Also, what about the other 5 hosts (taken from the example above) which don't use filebeat? Does the index pattern "filebeat-*" filter them out?
I have 10 hosts sending their logs to Elasticsearch. Five of them are using filebeat for that purpose, the remaining 5 don't. Let's say I use the index pattern "filebeat-*". Is it a kind of filter to accept logs ONLY from the first 5 hosts and refuse logs from those without filebeat?
Yes, but it's not recommended. We suggest having an index for each different data type. So put apache logs together, but system logs in another index and so on.
Thanks @warkolm. So keep related data together.
The data (/var/log/*) from the above example comes from servers but in different ways: with filebeat or without, so it makes sense to keep them together anyway.
But thanks for the hint.