elasticsearch/docs/reference/data-streams/logs.asciidoc
2024-07-19 13:38:58 +02:00


[[logs-data-stream]]
== Logs data stream
preview::[Logs data streams and the logsdb index mode are in tech preview and may be changed or removed in the future. Don't use logs data streams or logsdb index mode in production.]

A logs data stream is a data stream type that stores log data more efficiently.

In benchmarks, log data stored in a logs data stream used ~2.5 times less disk space than a regular data
stream. The exact impact will vary depending on your data set.

The following features are enabled in a logs data stream:

* <<synthetic-source,Synthetic source>>, which omits storing the `_source` field. When the document source is requested, it is synthesized from document fields upon retrieval.
* Index sorting. This yields a lower storage footprint. By default, indices are sorted by the `host.name` and `@timestamp` fields at index time.
* More space-efficient compression for fields with <<doc-values,`doc_values`>> enabled.

[discrete]
[[how-to-use-logsds]]
=== Create a logs data stream
To create a logs data stream, set your index template `index.mode` to `logsdb`:

[source,console]
----
PUT _index_template/my-index-template
{
  "index_patterns": ["logs-*"],
  "data_stream": { },
  "template": {
    "settings": {
      "index.mode": "logsdb" <1>
    }
  },
  "priority": 101 <2>
}
----
// TEST

<1> The index mode setting.
<2> The index template priority. By default, Elasticsearch ships with an index template with a `logs-*-*` pattern with a priority of 100. You need to define a priority higher than 100 to ensure that this index template gets selected over the default index template for the `logs-*-*` pattern. See the <<avoid-index-pattern-collisions,avoid index pattern collision section>> for more information.

After the index template is created, new indices that use the template will be configured as a logs data stream. You can start indexing data and <<use-a-data-stream,using the data stream>>.

////
[source,console]
----
DELETE _index_template/my-index-template
----
// TEST[continued]
////
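
The priority rule from the second callout, as an added example that is not part of the Elasticsearch documentation or code base: a simplified Python model of index template selection, in which the matching template with the highest priority wins. The template name `builtin-logs` and the stream names are constructed placeholders; only the patterns and priorities come from this page.

```python
import re

def matches(pattern, name):
    """Index patterns use `*` as the only wildcard; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def select_template(templates, name):
    """Return the matching template with the highest priority, or None."""
    candidates = [t for t in templates
                  if any(matches(p, name) for p in t["index_patterns"])]
    return max(candidates, key=lambda t: t["priority"], default=None)

def resolve(templates, name):
    """Return (template name, index.mode) for a new data stream called `name`."""
    chosen = select_template(templates, name)
    if chosen is None:
        return (None, None)
    # None here means the winning template does not set index.mode at all.
    return (chosen["name"], chosen["settings"].get("index.mode"))

# Stand-in for the default template described on this page
# (pattern `logs-*-*`, priority 100). The name is a placeholder.
BUILTIN = {"name": "builtin-logs", "index_patterns": ["logs-*-*"],
           "priority": 100, "settings": {}}

def custom(priority):
    """The template from this page, with a configurable priority."""
    return {"name": "my-index-template", "index_patterns": ["logs-*"],
            "priority": priority, "settings": {"index.mode": "logsdb"}}

if __name__ == "__main__":
    # Constructed stream names: one matches both patterns, one only `logs-*`.
    for priority in (101, 50):
        for stream in ("logs-myapp-default", "logs-myapp"):
            tmpl, mode = resolve([BUILTIN, custom(priority)], stream)
            print(f"priority={priority:<3} stream={stream:<20} "
                  f"template={tmpl} index.mode={mode}")
```

With a priority below 100, a stream name that also matches `logs-*-*` falls back to the default template in this model and is created without `index.mode: logsdb`, with no error reported.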