We use Elasticsearch for logs, and we're currently:
- adopting the rollover pattern
- transitioning to a single index for all our services (versus the ~30 or so that we have currently)
- implementing ECS
Rollover seems to be straightforward / working well, and the single index seems like it will be doable (although a lot of work).
My question is: what's the best practice with regard to mapping updates?
I've read that zero-downtime mapping updates are much easier using write aliases, but I'm not sure exactly how to set that up.
I'm presuming that people usually just have a service / cron job that reindexes historical indices; is there anything to be aware of there when also doing rollovers, or is it all just smooth sailing?
I'm hoping that adopting ECS will mean that even if we have a period of time where searches are being carried out across inconsistently-mapped indices, the common schema will reduce the number of 'failed shards' messages when searching...
Any thoughts / advice welcomed!
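As an added illustration (not part of the question above, and not code from any project mentioned in it), here is a small Python model of the write-alias setup and of the reindex-and-swap step for historical indices, plus the check I would run first: which fields are already mapped with conflicting types across the existing indices, since those are what turn into failed shards on cross-index queries. It runs offline: it only builds the Elasticsearch request bodies (composable index template, bootstrap index with `is_write_index`, `_reindex`, atomic `_aliases` swap) and validates the alias invariants locally. The alias name `logs`, the index names, the `-v2` suffix and the sample mappings are all constructed for the example.

```python
"""Plan a zero-downtime mapping change on a rollover-managed log index.
Pure Python, no cluster needed: builds request bodies and checks alias rules."""
from typing import Dict, List

WRITE_ALIAS = "logs"  # assumed alias name that applications write to

# Constructed sample: the "mappings" object of three existing indices, as
# GET <index>/_mapping would return it. source.port drifted: ECS defines it as long.
SAMPLE_MAPPINGS = {
    "logs-000001": {"properties": {
        "@timestamp": {"type": "date"},
        "source": {"properties": {"port": {"type": "keyword"}}},
        "message": {"type": "text"}}},
    "logs-000002": {"properties": {
        "@timestamp": {"type": "date"},
        "source": {"properties": {"port": {"type": "keyword"}}},
        "message": {"type": "text"}}},
    "logs-000003": {"properties": {
        "@timestamp": {"type": "date"},
        "source": {"properties": {"port": {"type": "long"}}},
        "message": {"type": "text"}}},
}


def flatten_mapping(mapping: dict, prefix: str = "") -> Dict[str, str]:
    """Return {dotted.field.name: type} for every leaf field in a mapping."""
    out: Dict[str, str] = {}
    for name, body in mapping.get("properties", {}).items():
        path = prefix + name
        if "properties" in body:            # object field: recurse
            out.update(flatten_mapping(body, path + "."))
        else:
            out[path] = body.get("type", "object")
    return out


def find_type_conflicts(mappings: Dict[str, dict]) -> Dict[str, Dict[str, List[str]]]:
    """Fields mapped with more than one type across indices. A range query or an
    aggregation on such a field fails on the shards of the odd-one-out index,
    which is what surfaces as 'failed shards' in a search over the alias."""
    by_field: Dict[str, Dict[str, List[str]]] = {}
    for index, mapping in mappings.items():
        for field, ftype in flatten_mapping(mapping).items():
            by_field.setdefault(field, {}).setdefault(ftype, []).append(index)
    return {f: t for f, t in by_field.items() if len(t) > 1}


def index_template(pattern: str, mappings: dict) -> dict:
    """Body for PUT _index_template/<name>: every future rollover target gets the
    new mappings, so a forced rollover is how the write path picks up a change."""
    return {"index_patterns": [pattern], "priority": 100, "template": {"mappings": mappings}}


def bootstrap_index_body(alias: str) -> dict:
    """Body for PUT <first-index>: the one member carrying is_write_index."""
    return {"aliases": {alias: {"is_write_index": True}}}


def reindex_body(src: str, dst: str) -> dict:
    """Body for POST _reindex."""
    return {"source": {"index": src}, "dest": {"index": dst}}


def alias_swap_actions(alias: str, old: str, new: str) -> dict:
    """Body for POST _aliases. Both actions run atomically, so a search never
    sees the alias without either copy; the copy is a read member only."""
    return {"actions": [
        {"add": {"index": new, "alias": alias, "is_write_index": False}},
        {"remove": {"index": old, "alias": alias}},
    ]}


class AliasState:
    """Local model of one alias -> {index: is_write_index}, enforcing what the
    cluster enforces: at most one write index, and never an empty alias."""

    def __init__(self, alias: str, members: Dict[str, bool]):
        self.alias, self.members = alias, dict(members)

    def write_index(self):
        return next((i for i, w in self.members.items() if w), None)

    def apply(self, body: dict) -> "AliasState":
        new = dict(self.members)
        for action in body["actions"]:
            (verb, spec), = action.items()
            if spec["alias"] != self.alias:
                raise ValueError("action targets a different alias")
            if verb == "add":
                new[spec["index"]] = spec.get("is_write_index", False)
            elif verb == "remove":
                new.pop(spec["index"])
        if sum(new.values()) > 1 or not new:
            raise ValueError("alias would have >1 write index or no members")
        return AliasState(self.alias, new)


def plan_migration(state: AliasState) -> List[dict]:
    """Reindex every non-write member into a -v2 copy and swap it in. The current
    write index is skipped: documents are still arriving in it, so roll over
    first and migrate it on the next run, once it is no longer written to."""
    steps: List[dict] = []
    for index, is_write in state.members.items():
        if is_write:
            continue
        steps.append({"POST _reindex": reindex_body(index, index + "-v2")})
        steps.append({"POST _aliases": alias_swap_actions(state.alias, index, index + "-v2")})
    return steps
```

Ordering matters: change the template, force a rollover so new writes land in a correctly mapped index, then let the reindex job walk only the read-only members and swap each one in atomically; the job should refuse to touch whichever index currently carries `is_write_index`, otherwise documents written during the reindex are lost in the swap.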