# Log Multi-Index

The Log Multi-Index feature allows users to configure and manage log indices in a structured way. It creates a unified view of similar indices, enabling efficient storage and retrieval of log data within the system.

Log indices are collections of patterns that link the log management server with the data stored in Elasticsearch. Users can define how the system interprets and displays log data by configuring index patterns. This module allows users to add, edit, or delete indices as needed.

Each index name follows a structured format based on the timestamp, which helps organize logs efficiently.

```
Example: windows-yyyy.mm.dd
```

To retrieve logs for the last three days, users can select the relevant index patterns to create a comprehensive data view.

```
Example: windows-2024.09.03, windows-2024.09.04, and windows-2024.09.05
```

Users can use wildcard patterns to retrieve logs for multiple days or all related indices.

```
Example: windows* groups all Windows-related indices.
```

The multi-index generated will include default fields such as:

* host.ip
* host.id
* host.name

Additionally, users can customize the columns displayed on the log search page for each index to ensure relevant data is easily accessible.

## **What do you see on the screen?**

Refer to the table below for the information shown on the Multi-Index page:

**Multi-Index Details** | Fields

| **Label** | **Action/ Description**                                                                                      |
| --------- | ------------------------------------------------------------------------------------------------------------ |
| Search    | Search for the required Index.                                                                               |
| Name      | Displays the name of the Index created.                                                                      |
| Spaces    | Identifies the space associated with the index.                                                              |
| Actions   | Click to delete an Index from the database.                                                                  |
| Check Box | Select multiple indices by checking the boxes to perform bulk actions, such as simultaneously deleting them. |

{% hint style="info" %}
**Note:** Click the up arrow next to the Name field to sort multi-indices in descending order.
{% endhint %}

## **Instructions to create Multi-Index**

Infraon Infinity requires a Multi-Index to access the Elasticsearch data you want to explore. A data view can point to one or more indices and data streams. For example, a data view can point to your log data from yesterday or all indices that contain your data.

To add a Log Multi-Index in the log management tool, follow the steps outlined below:

* Navigate to the Log Multi-Index sub-module within the Log Management module under Infraon Configuration.
* Click "Log Multi-Index" in the top right corner of the page.
* Provide a name for the Multi-Index.
* Enter an index pattern in the designated field.
  * Infraon Infinity will suggest matching index names, data streams, and aliases.
  * You can view all available sources or limit your view to those targeted by multi-indexes.
* Use wildcards (\*) to match multiple sources (e.g., windows\* matches windows-2024.09.03, windows-2024.09.04).
* To match multiple specific sources, enter their names separated by commas without spaces (e.g., windows-2024.09.03,windows-2024.09.04).
* Open the Timestamp field dropdown and select the default field to filter your data by time.
* Click "Save Multi-Index" to complete the process.
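An added example (not Infraon code) that previews which indices a pattern would select before it is saved, and flags matches outside the dated `windows-yyyy.mm.dd` series. The index list is constructed, `windows_dc_audit-2024.09.05` is a hypothetical name, and matching is done locally on the assumption that `*` is the only wildcard, as described above.

```python
import re
from datetime import date, timedelta

# Constructed sample of index names; a real list would come from the cluster.
SAMPLE_INDICES = [
    "windows-2024.09.03", "windows-2024.09.04", "windows-2024.09.05",
    "windows-2024.08.30", "windows_dc_audit-2024.09.05", "linux-2024.09.05",
]

def daily_indices(prefix, end, days):
    """Comma-separated prefix-yyyy.mm.dd names for the `days` days ending at `end`."""
    names = [f"{prefix}-{end - timedelta(days=n):%Y.%m.%d}"
             for n in range(days - 1, -1, -1)]
    return ",".join(names)  # no spaces, as the pattern field requires

def resolve(pattern, indices):
    """Return the indices a pattern selects; only '*' acts as a wildcard."""
    if re.search(r"\s", pattern):
        raise ValueError("separate sources with commas only, no spaces")
    matched = []
    for part in pattern.split(","):
        if not part:
            raise ValueError("empty entry in pattern")
        # Escape everything except '*', which becomes 'any run of characters'.
        rx = re.compile(".*".join(re.escape(p) for p in part.split("*")))
        matched += [i for i in indices if rx.fullmatch(i) and i not in matched]
    return matched

def unexpected(pattern, indices, expected_prefix):
    """Selected indices that do not follow expected_prefix-yyyy.mm.dd."""
    shape = re.compile(re.escape(expected_prefix) + r"-\d{4}\.\d{2}\.\d{2}")
    return [i for i in resolve(pattern, indices) if not shape.fullmatch(i)]

if __name__ == "__main__":
    last3 = daily_indices("windows", date(2024, 9, 5), 3)
    print("explicit list :", resolve(last3, SAMPLE_INDICES))
    print("windows*      :", resolve("windows*", SAMPLE_INDICES))
    # A broad wildcard also pulls in indices outside the daily series.
    print("review these  :", unexpected("windows*", SAMPLE_INDICES, "windows"))
```

Narrowing the pattern to `windows-*` keeps the daily series and drops the extra match in this sample.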

### **Log Multi-Index View**

Users can access detailed information about the Multi-Index by selecting it. This leads to a dedicated view page that provides comprehensive details and management options for the selected Multi-Index.

**Multi-Index View Details** | Fields

| **Label**      | **Actions/ Description**                                                                                          | **Example**                                                                                |
| -------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| Index Pattern  | Displays the index pattern associated with the group.                                                             | Linux\*                                                                                    |
| Time Field     | Shows the field used for time-based filtering of log data.                                                        | @timestamp                                                                                 |
| Set as Default | Click to make this field the default.                                                                             |                                                                                            |
| Delete         | Allows users to remove the current Multi-Index. Exercise caution when using this option.                          |                                                                                            |
| Edit           | Opens the editing interface to modify the Multi-Index settings.                                                   |                                                                                            |
| Search         | Provides a search functionality to find specific fields within the Multi-Index.                                   | @version.keyword, agent.ephemeral\_id                                                      |
| Field Type     | A filter that allows users to select and view fields based on their data type.                                    | Available options include date, text, keyword, \_id, \_index, \_source, boolean, and long. |
| Schema Type    | A filter that allows users to select and view fields based on their data type.                                    | Available options include Index and Runtime.                                               |
| Refresh        | Updates the view to reflect any recent multi-Index changes or associated data.                                    | This refreshes a local multi-index field list.                                             |
| Add Field      | This option will allow users to include additional fields to the Multi-Index for more comprehensive log analysis. |                                                                                            |
| About Field    |                                                                                                                   |                                                                                            |
| Name           | Indicates the name for the field created.                                                                         | Device Type, \_id, \_index.                                                                |
| Type           | Displays the type associated with the field.                                                                      | Keyword, date, text.                                                                       |
| Actions        |                                                                                                                   |                                                                                            |
| Edit           | Click to make changes to the field.                                                                               |                                                                                            |
| Delete         | This will delete the field in the Multi-Index view.                                                               |                                                                                            |

#### **Instructions to Add a Custom Field**

Users can add custom fields to the Multi-Index for more comprehensive log analysis. To create a new field:

* Navigate to the Log Multi-Index View page.
* Locate the "Add Field" button in the upper right section of the page, adjacent to the refresh option.
* Clicking this button opens the field creation interface.

In the subsequent dialog, enter the required information for the new field. Refer to the table below for details on each input field:

**Create Field Details** | Fields

| **Label**              | **Action/ Description**                                                                                                                                                                                                             |
| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Name                   | Enter a name for the new field                                                                                                                                                                                                      |
| Type                   | Select the field type from the drop-down menu. Options include: Keyword, Long, Double, Date, IP, Boolean, Geo Point, and Composite                                                                                                  |
| Set Custom Label       | (Optional) Create a label to display instead of the field name in Log Search, Maps, Lens, Visualize, and TSVB. This is useful for shortening long field names. Note that queries and filters will still use the original field name |
| Set Custom Description | (Optional) Add a description for the field. This will be displayed next to the field on the Log Search, Lens, and Data View Management pages                                                                                        |
| Set Value              | (Optional) Set a specific value for the field instead of retrieving it from the field with the same name in \_source                                                                                                                |
| Set Format             | (Optional) Choose your preferred format for displaying the field's value. Be aware that changing the format can affect the value and may prevent highlighting in Discover                                                           |

{% hint style="info" %}
**Note:** While filling out the form, users can see a preview section adjacent to the input fields. This preview updates in real-time, allowing users to see how their custom field will appear and make adjustments accordingly.
{% endhint %}

After entering all the required information, click the 'Save' button to finalize and apply your custom field configuration.

