What's the best for Eleasticsearch ? (managment of index)

andrieuxa · September 26, 2017, 12:21pm

Hi,

First of all, i'm sorry if my english is not totaly correct.

I have a question on Elasticsearch about the management of index.

My question : For Elasticsearch, it's better : manage a lot index with small size or manage few index with bigger size ?

At the moment, we using ELK for centralize servers logs.

every day an index is created for each application/service.

Exemple :

postfix-2017.09.26
apache-2017.09.26
glpi-2017.09.26
...

With that, I have many more than 1000 index in my ELK.

Would not it be better for Eleasticsearch to manage everything in a single index for the day ?

log-2017.09.26
log-2017.09.27
....

Thank you for your help

AA

Christian_Dahlqvist · September 26, 2017, 12:23pm

Having a lot of very small shards and indices can be very inefficient, so consolidating into fewer larger indices will most likely allow to to handle more data in the cluster.

andrieuxa · September 26, 2017, 2:47pm

Thank you very much, this helped me to understand how to handle shards and indexes.

AA

system · October 24, 2017, 2:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.