We're planning to migrate from single daily index to many indices in order to implement granular access policies.
I.e. instead of logstash-DD.MM.YYYY we're going to have about 40 daily indices like logstash-applicaitonXX-DD.MM.YYYY.
Should we add new index templates per application in addition to the default "logstash-*" in order to avoid scanning unnecessary indices?
That sounds like a very large number of indices and shards given the cluster size and data volume. The default Logstash index template applies to indices starting with logstash-, so would apply to all indices following the naming convention you outlined.
Thank you!
So if we'll create new index templates ("logstash-nginx-*" and so on) it should decrease number of indices involved in search?
Or there is no choice and we should decrease number of indices?
The index template does not affect which indices that are included in a search, only how the data is mapped. If the current Logstash mappings are fine and you do not need to optimise mappings per application, you can continue using the default one.
In order to limit the indices being queried, you need to create more specific index patterns in Kibana and use these when you build dashboards. This also applies if you are querying in other ways. Having that many indices and shards is going to result in overhead, as each shard requires memory and file handles, so it is not a given that your query performance will improve, especially if you need to hit a lot of shards.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.