I have been testing ELK for monitoring our Windows Event Viewer logs, IIS logs, and network switch logs, and I have been having some serious performance issues. On top of that, when running queries I frequently get errors like "Courier Fetch: 40 of 1410 shards failed." Further troubleshooting shows this is caused by: "nested: ExpressionScriptCompilationException[Field [cs_bytes] used in expression does not exist in mappings]", which I need to find a fix for.
My question is: is it better to separate log types into different indexes? For example, syslog entries in one index ([syslog-]YYYY.MM.DD), IIS logs in another ([iis-]YYYY.MM.DD), and event logs in another ([events-]YYYY.MM.DD)? And is there an "easy" way to re-index the old data, currently all in one [logstash-]YYYY.MM.DD index, into separate indexes?
The machine I am running this on is a quad-core VM with 65 GB of RAM.
I'd recommend using a naming scheme like logstash-iis-YYYY.MM.DD and logstash-syslog-YYYY.MM.DD. There are a few advantages to this (see the output sketch below the list):
Logstash installs a template called logstash, which matches any index named logstash-*. There are a few optimizations in there, so by starting your index names with logstash- they will still match the template and pick up those optimizations.
When you have data that doesn't share the same field names or field types, you should use separate indices to avoid field type conflicts. That is likely what is behind the cs_bytes mapping error you're seeing, since that field only exists in your IIS documents.
From the Kibana UI, you can still use the logstash-* pattern, as well as define a separate index pattern for each log type.
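As a rough sketch of what the output side could look like, assuming your inputs tag each event with a type field such as syslog, iis, or eventlog (the host and option names here follow Logstash 1.x and may differ slightly in your version):

    output {
      elasticsearch {
        host     => "localhost"
        protocol => "http"
        # Keep the "logstash-" prefix so the default logstash template still matches,
        # then split by event type so IIS, syslog, and event log mappings never collide.
        index    => "logstash-%{type}-%{+YYYY.MM.dd}"
      }
    }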
You can use Logstash to re-index, as Mark suggested, or stream2es.
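If you go the Logstash route, a one-off config along these lines is a reasonable starting point: it reads documents back out of an old combined daily index and writes them into the per-type indices. The index name and the type field are assumptions on my part, and the elasticsearch input/output option names vary between Logstash versions, so test it against a single day's index first:

    input {
      elasticsearch {
        host  => "localhost"
        index => "logstash-2015.01.01"   # one old combined daily index; repeat per day
      }
    }

    output {
      elasticsearch {
        host     => "localhost"
        protocol => "http"
        # Route each document into its per-type daily index, keeping the logstash- prefix.
        index    => "logstash-%{type}-%{+YYYY.MM.dd}"
      }
    }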