Log Multi-Index
The Log Multi-Index feature allows users to configure and manage log indices in a structured way. It creates a unified view of similar indices, enabling efficient storage and retrieval of log data within the system.
Log indices are collections of patterns that link the log management server with the data stored in Elasticsearch. Users can define how the system interprets and displays log data by configuring index patterns. This module allows users to add, edit, or delete indices as needed.
Each index name follows a structured format based on the timestamp, which helps organize logs efficiently.
To retrieve logs for the last three days, users can select the relevant index patterns to create a comprehensive data view.
Users can use wildcard patterns to retrieve logs for multiple days or all related indices.
The multi-index generated will include default fields such as:
host.ip
host.id
host.name
Additionally, users can customize the columns displayed on the log search page for each index to ensure relevant data is easily accessible.
What do you see on the screen?
Refer to the table below for the information shown on the Multi-Index page:
Multi-Index Details | Fields
Label | Action/Description
Search | Search for the required index.
Name | Displays the name of the index created.
Spaces | Identifies the space associated with the index.
Actions | Click to delete an index from the database.
Check Box | Select multiple indices by checking the boxes to perform bulk actions, such as deleting them simultaneously.
Note: Click the up arrow next to the Name field to sort multi-indices in descending order.
Instructions to create Multi-Index
Infraon Infinity requires a Multi-Index to access the Elasticsearch data you want to explore. A data view can point to one or more indices and data streams. For example, a data view can point to your log data from yesterday or all indices that contain your data.
To add a Log Multi-Index in the log management tool, follow the steps outlined below:
Navigate to the Log Multi-Index sub-module within the Log Management module under Infraon Configuration.
Click "Log Multi-Index" in the top right corner of the page.
Provide a name for the Multi-Index.
Enter an index pattern in the designated field.
Infraon Infinity will suggest matching index names, data streams, and aliases.
You can view all available sources or limit your view to those targeted by multi-indexes.
Use wildcards (*) to match multiple sources (e.g., windows* matches windows-2024.09.03, windows-2024.09.04).
To match multiple specific sources, enter their names separated by commas without spaces (e.g., windows-2024.09.03,windows-2024.09.04).
Open the Timestamp field dropdown and select the default field to filter your data by time.
Click "Save Multi-Index" to complete the process.
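Added example (not part of the Infraon documentation) showing what the index-pattern rules above mean in practice: building the comma-separated pattern for the last three daily indices, expanding a wildcard or comma-separated pattern against a constructed list of index names, and flagging a pattern that is broader than intended. The index names, the daily naming scheme and the over-broad check are assumptions for illustration.

```python
import re
from datetime import date, timedelta

# Constructed sample of index names (not real data); assumes the prefix-YYYY.MM.DD
# naming shown in the documentation's windows-2024.09.03 example.
AVAILABLE_INDICES = [
    "windows-2024.09.02",
    "windows-2024.09.03",
    "windows-2024.09.04",
    "linux-2024.09.03",
    "linux-2024.09.04",
    ".kibana_1",
]


def daily_index_names(prefix, end_day, days):
    """Return the comma-separated, no-spaces pattern covering the last `days`
    daily indices ending on `end_day`, e.g. for a 'last three days' view."""
    names = [f"{prefix}-{end_day - timedelta(days=i):%Y.%m.%d}" for i in range(days)]
    return ",".join(sorted(names))


def resolve_pattern(pattern, indices=AVAILABLE_INDICES):
    """Expand a multi-index pattern (only '*' is a wildcard; several sources are
    separated by commas without spaces) and return the sorted matching indices."""
    sources = pattern.split(",")
    if any(src != src.strip() or not src for src in sources):
        raise ValueError("separate sources with commas only, no spaces or empty entries")
    matched = set()
    for src in sources:
        regex = re.compile(re.escape(src).replace(r"\*", ".*"))
        matched.update(idx for idx in indices if regex.fullmatch(idx))
    return sorted(matched)


def overly_broad(pattern, indices=AVAILABLE_INDICES):
    """Assumed sanity check before saving: flag a pattern that pulls in every
    available index (e.g. '*') or that touches dot-prefixed system indices."""
    matched = resolve_pattern(pattern, indices)
    return len(matched) == len(indices) or any(i.startswith(".") for i in matched)


if __name__ == "__main__":
    last3 = daily_index_names("windows", date(2024, 9, 4), 3)
    print(last3, "->", resolve_pattern(last3))
    print("windows* ->", resolve_pattern("windows*"), "broad:", overly_broad("windows*"))
```

Checking a pattern's expansion before saving is the easiest way to confirm a multi-index view contains only the indices you meant to expose.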
Log Multi-Index View
Users can access detailed information about the Multi-Index by selecting it. This leads to a dedicated view page that provides comprehensive details and management options for the selected Multi-Index.
Multi-Index View Details | Fields
Label | Actions/Description | Example
Index Pattern | Displays the index pattern associated with the group. | Linux*
Time Field | Shows the field used for time-based filtering of log data. | @timestamp
Set as Default | Click to make this field the default. |
Delete | Allows users to remove the current Multi-Index. Exercise caution when using this option. |
Edit | Opens the editing interface to modify the Multi-Index settings. |
Search | Provides a search function to find specific fields within the Multi-Index. | @version.keyword, agent.ephemeral_id
Field Type | A filter that allows users to select and view fields based on their data type. Available options include date, text, keyword, _id, _index, _source, boolean, and long. |
Schema Type | A filter that allows users to select and view fields based on their schema type. Available options include Index and Runtime. |
Refresh | Updates the view to reflect any recent Multi-Index changes or associated data. This refreshes the local Multi-Index field list. |
Add Field | Allows users to include additional fields in the Multi-Index for more comprehensive log analysis. |
About Field | Fields
Name | Indicates the name of the field created. | Device Type, _id, _index
Type | Displays the type associated with the field. | Keyword, date, text
Actions: Edit | Click to make changes to the field. |
Actions: Delete | Deletes the field from the Multi-Index view. |
Instructions to Add a Custom Field
Users can add custom fields to the Multi-Index for more comprehensive log analysis. To create a new field:
Navigate to the Log Multi-Index View page.
Locate the "Add Field" button in the upper right section of the page, adjacent to the Refresh option.
Clicking this button opens the field creation interface.
In the subsequent dialog, enter the required information for the new field. Refer to the table below for details on each input field:
Create Field Details | Fields
Label | Action/Description
Name | Enter a name for the new field.
Type | Select the field type from the drop-down menu. Options include: Keyword, Long, Double, Date, IP, Boolean, Geo Point, and Composite.
Set Custom Label | (Optional) Create a label to display instead of the field name in Log Search, Maps, Lens, Visualize, and TSVB. This is useful for shortening long field names. Note that queries and filters will still use the original field name.
Set Custom Description | (Optional) Add a description for the field. This will be displayed next to the field on the Log Search, Lens, and Data View Management pages.
Set Value | (Optional) Set a specific value for the field instead of retrieving it from the field with the same name in _source.
Set Format | (Optional) Choose your preferred format for displaying the field's value. Be aware that changing the format can affect the value and may prevent highlighting in Discover.
Note: While filling out the form, users can see a preview section adjacent to the input fields. This preview updates in real-time, allowing users to see how their custom field will appear and make adjustments accordingly.
After entering all the required information, click the 'Save' button to finalize and apply your custom field configuration.