OK thanks. So what is explained in linked article is wrong right ? Oversharding is not really necessary as balance/rebalance happen despite the number of primary shard per index and the number of nodes (correct me if I'm wrong)
Use case is log collection for 600GB/day. We would like a retention of 1 month in HOT and 6 in COLD nodes
Daily volume by data type (I think to create one daily index by data type and rotate firewall logs every 50G using ILM - you think it's a good idea ?) :
- Firewall : 300G
- Web : 60G
- Unix : 30G
- Windows : 50G
- Switch : 10G
- Wireless : 5G
- Database : 4G