How do you handle different source types?
Do you create an index for every type of source, i.e. an index called "unix" for all the logs coming from Linux, Solaris and Unix systems and an index "windows" for all Windows clients and servers?
That was my first impulse ...
Or do you receive everything into a "main" index and separate everything in the searches by appropriate search statements?
Generally, put things in the same index unless you have a specific reason to do otherwise and understand how and why you would want it. The general reasons might include:
Note that while the above are possible reasons or concerns, it doesn't mean that simply using more indexes is a solution, e.g., putting every single source into a different index will often make performance worse, or might make it better.
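As an added illustration (not from the original thread), here are the two layouts the question describes expressed as Splunk configuration: per-platform indexes with their own retention, versus a single main index with separation done by sourcetype at search time. The index names, file paths, sourcetypes and retention periods are assumed for the example, and retention is offered as one common reason to split, not as the answer's list.

```ini
# indexes.conf (constructed example): layout A, one index per platform.
# A concrete reason to split is that each index gets its own retention;
# if every source shares the same limits, layout B below is simpler.
[unix]
homePath   = $SPLUNK_DB/unix/db
coldPath   = $SPLUNK_DB/unix/colddb
thawedPath = $SPLUNK_DB/unix/thaweddb
# keep 90 days
frozenTimePeriodInSecs = 7776000

[windows]
homePath   = $SPLUNK_DB/windows/db
coldPath   = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb
# keep 365 days
frozenTimePeriodInSecs = 31536000

# inputs.conf on a Linux forwarder: route this input to the "unix" index.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = unix

# inputs.conf on a Windows forwarder: route the Security log to "windows".
[WinEventLog://Security]
index = windows

# Layout B: omit "index" from the input stanzas so events land in main,
# and separate by sourcetype in the search instead:
#   index=main sourcetype=linux_secure "Failed password"
#   index=main sourcetype=WinEventLog:Security EventCode=4625
# Layout A scopes by index, which also lets a role be limited to one index:
#   index=unix sourcetype=linux_secure "Failed password"
#   index=windows EventCode=4625
```

Splunk .conf files only treat `#` as a comment at the start of a line, which is why the notes above sit on their own lines rather than after a value.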