The following are some useful tips for implementing the ELK Stack:
- To avoid data loss and to absorb sudden spikes in input load, a broker such as Redis or RabbitMQ is recommended between Logstash and Elasticsearch.
- Use an odd number of nodes for Elasticsearch if you are using clustering, to prevent the split-brain problem.
- In Elasticsearch, always use the appropriate field type for the given data. This lets you perform type-specific checks; for example, the int field type allows queries such as ("http_status:<400") or ("http_status:=200"). Other field types allow analogous checks for their own data.
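As an added illustration of the last tip (this is example code, not from the original text or from Elasticsearch itself): the script below builds an index mapping that stores http_status as an integer, translates query_string-style comparisons like the ones above into the equivalent query DSL, and then evaluates those queries offline against a few constructed access-log records, once as if the field were mapped as integer and once as if it were left as a keyword. The sample records and the parse_comparison / evaluate helpers are constructions of this example; the mapping body uses the typeless ES 7+ form. The point it makes is that a detection query such as "status >= 400" on a string-mapped field compares lexicographically and silently mis-selects events.

```python
"""Why the mapped field type matters for Elasticsearch range queries (added example)."""
import re

# Constructed sample documents, in the shape Logstash might emit from an
# access log. Note the status code arrives as a string, which is what gets
# indexed unless the mapping says otherwise.
SAMPLE_DOCS = [
    {"client": "10.0.0.5", "http_status": "200", "path": "/"},
    {"client": "10.0.0.7", "http_status": "404", "path": "/admin"},
    {"client": "10.0.0.9", "http_status": "500", "path": "/api"},
    {"client": "10.0.0.5", "http_status": "99", "path": "/healthz"},  # odd but legal string
]


def integer_mapping(field="http_status"):
    """Index mapping (ES 7+ typeless form) that stores `field` as an integer,
    so range comparisons on it are numeric rather than lexicographic."""
    return {"mappings": {"properties": {field: {"type": "integer"}}}}


# field:<400, field:>=400, field:200 and, leniently, field:=200
_QUERY_RE = re.compile(r"^(?P<field>[A-Za-z_][\w.]*):(?P<op><=|>=|<|>|=)?(?P<value>\S+)$")
_OP_NAMES = {"<": "lt", "<=": "lte", ">": "gt", ">=": "gte"}


def parse_comparison(expr):
    """Translate a query_string-style comparison such as 'http_status:<400'
    or 'http_status:200' into the equivalent query DSL body. Handles the
    prefix operators <, <=, >, >= and plain equality; a leading '=' is
    accepted as an explicit equality marker (a convenience of this helper,
    not Lucene syntax)."""
    m = _QUERY_RE.match(expr.strip())
    if not m:
        raise ValueError(f"cannot parse comparison: {expr!r}")
    field, op, raw = m.group("field"), m.group("op"), m.group("value")
    try:
        value = int(raw)
    except ValueError:
        value = raw  # non-numeric literal: leave it as a string
    if op in (None, "="):
        return {"query": {"term": {field: value}}}
    return {"query": {"range": {field: {_OP_NAMES[op]: value}}}}


_OPS = {
    "gt": lambda a, b: a > b,
    "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "lte": lambda a, b: a <= b,
}


def _coerce(value, mapped_type):
    # integer fields compare numerically; keyword/text terms compare as strings
    return int(value) if mapped_type == "integer" else str(value)


def evaluate(query, docs, mapped_type):
    """Offline approximation of how Elasticsearch evaluates a term or range
    query under the given mapped type: numeric comparison for 'integer',
    lexicographic term comparison (as for a keyword field) otherwise.
    Returns the paths of the matching documents, in input order."""
    body = query["query"]
    if "term" in body:
        (field, wanted), = body["term"].items()
        return [d["path"] for d in docs
                if _coerce(d[field], mapped_type) == _coerce(wanted, mapped_type)]
    (field, bounds), = body["range"].items()
    return [d["path"] for d in docs
            if all(_OPS[op](_coerce(d[field], mapped_type), _coerce(lim, mapped_type))
                   for op, lim in bounds.items())]


if __name__ == "__main__":
    for expr in ("http_status:<400", "http_status:>=400"):
        q = parse_comparison(expr)
        print(expr, "->", q["query"])
        for mapped in ("integer", "keyword"):
            print(f"  as {mapped:8}: {evaluate(q, SAMPLE_DOCS, mapped)}")
```

With the integer mapping, "http_status:<400" selects the 200 and 99 responses and "http_status:>=400" the 404 and 500 ones. With a keyword mapping the same queries compare "99" against "400" character by character, so the 99 drops out of the first query and shows up in the second. The mapping returned by integer_mapping() is what you would PUT when creating the index so that Logstash's string value is indexed as a number.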