Hello,
Im using Graylog on a single node, so 1 shard for each indices…
I have a lot of application logging on it.
Right now, I have 4 indices set depending of Time Period Rotation. But It’s hard to mesure size of each application log.
I would like to create 1 index per application --> 50 index/month (with rotation of 2M)
What is best approch: Keep only 10 index with ~60 000 000 and 100 000 000 message in each index, or May I use 100 index with divided data?