Hi, we have around 30 applications, each averaging 80 microservices.
I have been asked to review the log aggregation solution, which is:
Apps (microservices) -> Apigee -> ELK (6.8.0)
All data from Apigee (Event { Request, Response, KeyValueData }) is sent to Logstash, which then pushes all the data into one index.
The problem I am having is that some applications/services are pushing data to fields with different data types, e.g.
HttpStatusCode: 200 vs HttpStatusCode: OK, and many other fields which we use for aggregations, sums etc. So some apps post strings for a field whilst others post integers, e.g. PaypalStatus.
Since the logging is coming from Apigee, we cannot control how applications send logs. The applications are not aware of the logging, since all traffic goes to Apigee.
The problem is Kibana reports/discovery will not work for all fields.
- We have Dynamic Mapping turned on.
- +/- 45 fields in conflict
Due to this, we sometimes cannot filter data on a field, since it has issues.
What is best practice around this?
- Should I create an index per application scope (a collection of microservices that use similar code)? This would reduce conflicts per index. It would also equate to 20 indexes (20 logical groups).
- If we go with the above, all the dashboards and visualisations would then need to be redone, as they are coupled to one index alias. So reuse of visualisations for dashboards goes out the window. This means each team would need to design their own dashboards.
Is the current solution a good pattern or an anti-pattern? (There is no Filebeat on the app servers etc.; it's all done via an API gateway, Apigee.)
Any advice on this is greatly appreciated.
Thx
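As an added example (my own code, not from the post above or from Elastic), here is a small Python script that works over constructed Apigee-style events: it reports which fields would end up with more than one dynamically mapped type if they all land in one index, and shows a normalisation step (coerce a field to an integer, otherwise move the value to a separate `<field>_text` field) of the kind that could run in Logstash before indexing. The field names, app names and event values are all constructed.

```python
from collections import defaultdict

# Constructed sample events, shaped like the Apigee -> Logstash payload described above.
SAMPLE_EVENTS = [
    {"app": "checkout", "HttpStatusCode": 200, "PaypalStatus": 1},
    {"app": "catalog", "HttpStatusCode": "OK", "PaypalStatus": "approved"},
    {"app": "checkout", "HttpStatusCode": 503, "PaypalStatus": 0},
    {"app": "auth", "HttpStatusCode": "500", "Latency": 12.5},
    {"app": "auth", "HttpStatusCode": 404, "Latency": "slow"},
]


def es_dynamic_type(value):
    """Approximate the type Elasticsearch dynamic mapping picks for a JSON value.

    Numeric detection on strings is off by default, so "500" is still text.
    """
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "float"
    if isinstance(value, str):
        return "text"
    return "object"


def find_conflicts(events):
    """Return {field: sorted list of types} for every field seen with more than one type."""
    seen = defaultdict(set)
    for event in events:
        for field, value in event.items():
            seen[field].add(es_dynamic_type(value))
    return {field: sorted(types) for field, types in seen.items() if len(types) > 1}


def normalize(event, numeric_fields):
    """Coerce the given fields to integers; values that cannot be coerced are moved to <field>_text.

    Splitting the field this way keeps one type per field name, so sums and
    filters on the numeric field keep working instead of hitting a mapping conflict.
    """
    out = dict(event)
    for field in numeric_fields:
        if field not in out:
            continue
        try:
            out[field] = int(out[field])
        except (TypeError, ValueError):
            out[field + "_text"] = str(out.pop(field))
    return out
```

Running `find_conflicts` on the raw events flags HttpStatusCode, PaypalStatus and Latency; after `normalize` with the two status fields, only Latency remains in conflict.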