Why have different default index names for each beat?


(David Reagan) #1

Topbeat has topbeat-, filebeat has filebeat-, etc. Is there a specific reason for that? As in, it's best to do it that way? Or is it just convenient to have the default set like that?

My current practice is to shove everything into one logstash-* index. Then I can just search away. Would searches, or creating visualizations and dashboards, be easier/faster if I had multiple index patterns?


(Mark Walkom) #2

Because they are different data "shapes", in that a file has a lot more info than a simple metric.
We recommend keeping different data types separate to stop mapping conflicts.


(David Reagan) #3

Could you expand on that a bit more? 'Cause my immediate reaction is that every type of log file is also a different "shape", so should we have apache-*, syslog-*, etc. indexes for each file?

My reason for putting everything in one index pattern is essentially that I want to see all data pertaining to alpha.blah.com when I search for beat.hostname:"alpha.blah.com" on the discover tab in Kibana. I don't think I could do that with multiple index patterns, though it's been long enough since I had multiple in my cluster that I don't remember if I even tested that...

I guess I'll put switching to multiple index patterns on my test cluster on my to-do list for next week.


(Mark Walkom) #4

So use something like logstash-%{type}-...., then just set the pattern in KB to logstash-*.

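One way to write the Logstash output Mark describes, as an added example rather than anything posted in the thread: the Beats input populates `[@metadata][beat]` with the shipper name (filebeat, topbeat, ...), so it can stand in for `%{type}`; the port, host, date suffix and the "unknown" fallback are assumptions.

```conf
input {
  # Assumed: all beats ship to this one Beats input on port 5044
  beats { port => 5044 }
}

filter {
  # Events that did not arrive via the beats input carry no [@metadata][beat];
  # give them a fixed bucket so the index name never contains a literal "%{...}"
  if ![@metadata][beat] {
    mutate { add_field => { "[@metadata][beat]" => "unknown" } }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]           # assumed cluster address
    # One index family per beat (logstash-filebeat-*, logstash-topbeat-*, ...),
    # so a field that is a string in one beat and a number in another never
    # collides in a single mapping, while Kibana still matches them all with
    # the single index pattern logstash-*
    index => "logstash-%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
```

Searching beat.hostname:"alpha.blah.com" against the logstash-* pattern then still returns events from every beat, because the per-beat split is only in the index name.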
