Suppose I want, for example, to keep only the logs from the last 30 days.
What are the advantages of using, let’s say, 31 indices with a rotation period of 1 day instead of using, for example, 7 indices with a rotation period of 5 days? (The retention strategy will be to delete older indices.)
Other than the disk space (in the first case it will use less space because it will keep logs only from a maximum of 31 days, and in the second one from max. 35 days), what would be some best practices for this?
If I were to look for a log error (but without knowing the timestamp), I guess it would be more complicated in the first case?
When you create a query to search for a specific message and you don’t provide any index name, does it search in all the indices (so also in the closed ones)? Example of a query: “functionName:findApples”