I would like to know what is the best approach to this.
I need to index various logs in Splunk for our web servers. These servers are running nginx, celery, supervisord, nodejs, custom applications, etc. I'm thinking of creating a separate index for each of these types of logs; for example, all nginx (access/error) logs go to one index, celery logs to another, and so on. My reasons are: it gives me more flexibility with regards to retention policy, searches would be faster if the index name is provided, and different access levels can be applied if required.
I would like to know if this is the best approach? How are you guys currently doing it within your environment?
Thanks
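To make the three reasons given in the question concrete (per-index retention, scoping searches by index, and per-role index access), here is an added example of the Splunk configuration stanzas that a per-source-type index layout needs. This is illustrative configuration written for this page, not the poster's own setup: the index names (`nginx`, `celery`, `nodejs`), the log paths, the sourcetype names, the retention figures and the role name `webops` are all assumptions. Each stanza uses only documented Splunk settings (`indexes.conf`, `inputs.conf`, `authorize.conf`).

```ini
# ---- indexes.conf (on the indexer) ----
# One index per log family. Retention is set per index, which is the
# main thing a single shared index cannot give you. Values are assumed.

[nginx]
homePath   = $SPLUNK_DB/nginx/db
coldPath   = $SPLUNK_DB/nginx/colddb
thawedPath = $SPLUNK_DB/nginx/thaweddb
# Access/error logs are security-relevant: keep 1 year (in seconds).
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB     = 500000

[celery]
homePath   = $SPLUNK_DB/celery/db
coldPath   = $SPLUNK_DB/celery/colddb
thawedPath = $SPLUNK_DB/celery/thaweddb
# Worker/task logs are high volume and short-lived: keep 30 days.
frozenTimePeriodInSecs = 2592000
maxTotalDataSizeMB     = 100000

[nodejs]
homePath   = $SPLUNK_DB/nodejs/db
coldPath   = $SPLUNK_DB/nodejs/colddb
thawedPath = $SPLUNK_DB/nodejs/thaweddb
# Application logs: keep 90 days.
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB     = 200000

# ---- inputs.conf (on each web server / forwarder) ----
# Route each file to its index and give it a sourcetype so searches can
# still be narrowed by "index=nginx sourcetype=nginx:error" rather than
# scanning every bucket on the indexer.

[monitor:///var/log/nginx/access.log]
index      = nginx
sourcetype = nginx:access

[monitor:///var/log/nginx/error.log]
index      = nginx
sourcetype = nginx:error

[monitor:///var/log/celery/*.log]
index      = celery
sourcetype = celery

[monitor:///var/log/nodejs/app.log]
index      = nodejs
sourcetype = nodejs:app

# ---- authorize.conf (on the search head) ----
# Per-index access: this role can search the web-tier indexes but not
# celery, and its searches default to nginx when no index= is given.
# Note: srchIndexesAllowed is enforced at search time; it does not
# restrict where forwarders can write.

[role_webops]
importRoles        = user
srchIndexesAllowed = nginx;nodejs
srchIndexesDefault = nginx
```

Two practical checks go with this layout: a search that omits `index=` only hits the role's `srchIndexesDefault`, so dashboards and saved searches should always name the index explicitly; and because retention is per index, an event that lands in the wrong index (a typo in `inputs.conf`) silently inherits the wrong retention, so a periodic `| tstats count where index=* by index, sourcetype` is a cheap way to confirm each sourcetype is only ever seen in the index it was meant for.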