Physical Indexes
How to create and use Physical Indexes to improve query performance and organize specific data in Last9
What are Physical Indexes?
Physical Indexes allow you to create specialized query spaces for specific log data based on custom filters you define. By narrowing the search scope, these indexes significantly improve performance for queries targeting specific data subsets.
While Last9’s core value comes from providing correlated telemetry across your entire dataset, there are scenarios where isolating certain data can improve performance and workflow efficiency.
When to Use Physical Indexes
Physical Indexes are most valuable when:
- Team or Environment Isolation: Separate production from staging data, or create team-specific indexes in organizations with siloed responsibilities.
- Service-Specific Workflows: Create separate indexes for logs from services that rarely need to be correlated with each other or with other systems (for example, CDN logs or proxy logs).
- High-Volume Data Management: Create dedicated indexes for extremely high-volume services that might otherwise degrade query performance for everything else.
- Specialized Analysis: Support focused workflows for security events, authentication logs, or error tracking.
Creating a Physical Index
- Navigate to Physical Indexes and click “New Physical Index”
- Define filters to determine which logs will be included:
  - Logs are currently the only supported telemetry type
  - Configure filter conditions using attributes or resource attributes
  - Click “View Logs” to confirm your filter matches the logs you expect, and nothing more
- Specify index details:
  - Retention period matches your organization’s default retention, but can be changed by contacting support
  - Give a descriptive name (it cannot be changed after creation, so see the naming best practices below)
  - Add an optional description
  - Choose whether matching logs should also be written to the default index (see the billing impact under important considerations)
- Click “Create Physical Index”
Index Naming Best Practices
While there are no strict rules for naming indexes, consider these patterns for clarity and organization:
- Environment-based: prod-logs, staging-logs, dev-logs
- Team-based: team-payments, team-auth, team-frontend
- Service-based: service-cdn, service-api, service-db
- Purpose-based: security-events, error-logs, performance-metrics
Important Considerations
- Billing Impact: Logs stored in multiple indexes (both a Physical Index and the default index, or several Physical Indexes whose filters overlap) are counted once per index for billing purposes. Last9 billing is based on events stored, not deduplicated across indexes.
- Correlation Trade-offs: Physical Indexes create separate query spaces. While this improves performance for targeted queries, it may limit correlation capabilities across your entire dataset.
- Retention Periods: Physical Indexes share the same retention period as your organization’s default index. To modify retention for a specific index, contact support.
- Filter Design: Create precise filters to include only the data you need. Overly broad filters may reduce the performance benefits of separate indexes, and filters that overlap with other indexes multiply the events you store and pay for.
Example Use Cases
Environment Separation
Create separate indexes for production and non-production environments:
Filter: resource.kubernetes.namespace.name == "production-*"
Name: prod-environment
Team-Specific Indexes
Isolate data for team-specific workflows:
Filter: resource.service.name IN ("payment-service", "billing-service", "invoice-service")
Name: team-finance
High-Volume Service Isolation
Create dedicated indexes for services generating large volumes of logs:
Filter: resource.service.name == "cdn-edge"
Name: high-volume-cdn
Security Monitoring
Isolate authentication and security events:
Filter: attributes.log.level IN ("ERROR", "CRITICAL") AND attributes.event.type IN ("auth", "security")
Name: security-events
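The four filters above, together with the billing and filter-design considerations, are easiest to reason about by running them. The following is an added example, not Last9's code or filter engine: the filter grammar (dotted attribute paths, `==`/`!=` against a quoted string with `*` as a glob, `IN (...)`, conditions joined by `AND`) is an assumption modelled on the examples on this page; the routing rules (a log matching no Physical Index goes only to the default index, a log matching several is stored in each, and "also write to the default index" is a per-index flag) are also assumptions; and the sample logs are constructed. It compiles each page filter, routes the sample logs, and counts stored events the way the billing note describes.

```python
import fnmatch
import re
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]                  # a log flattened to dotted paths -> string values
Predicate = Callable[[Record], bool]
IndexDef = Tuple[str, Predicate, bool]   # (name, filter, also write matches to default index?)

# One condition: path == "value", path != "value", or path IN ("a", "b", ...).
_COND = re.compile(
    r'^([A-Za-z_][\w.]*)\s*(?:(==|!=)\s*"([^"]*)"|IN\s*\(\s*("[^"]*"(?:\s*,\s*"[^"]*")*)\s*\))$'
)


def _compile_condition(cond: str) -> Predicate:
    m = _COND.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    path, op, literal, in_list = m.groups()
    if in_list is not None:
        values = set(re.findall(r'"([^"]*)"', in_list))
        return lambda rec: rec.get(path) in values
    # Assumption: "*" on the right-hand side is a glob, as "production-*" suggests;
    # a record lacking the attribute never satisfies ==, so it does satisfy !=.
    eq = lambda rec: path in rec and fnmatch.fnmatchcase(rec[path], literal)
    return eq if op == "==" else (lambda rec: not eq(rec))


def compile_filter(text: str) -> Predicate:
    """Conditions joined by AND, the only connective the page's examples use.
    Simplification: quoted values must not themselves contain the word AND."""
    parts = [_compile_condition(c) for c in re.split(r"\s+AND\s+", text.strip())]
    return lambda rec: all(p(rec) for p in parts)


def route(record: Record, indexes: List[IndexDef]) -> List[str]:
    """Every index a record is stored in (assumed rules: no match -> default only;
    several matches -> a copy in each; any matching index with the flag set -> default too)."""
    targets, to_default = [], False
    for name, pred, also_default in indexes:
        if pred(record):
            targets.append(name)
            to_default = to_default or also_default
    if not targets or to_default:
        targets.append("default")
    return targets


def billed_events(records: List[Record], indexes: List[IndexDef]) -> int:
    """Stored events as the billing note counts them: one per copy, not per unique log."""
    return sum(len(route(r, indexes)) for r in records)


# The four filters from the example use cases. Only security-events also writes to the
# default index, so those events stay visible in correlated queries at the cost of a second copy.
INDEXES: List[IndexDef] = [
    ("prod-environment", compile_filter('resource.kubernetes.namespace.name == "production-*"'), False),
    ("team-finance", compile_filter('resource.service.name IN ("payment-service", "billing-service", "invoice-service")'), False),
    ("high-volume-cdn", compile_filter('resource.service.name == "cdn-edge"'), False),
    ("security-events", compile_filter('attributes.log.level IN ("ERROR", "CRITICAL") '
                                       'AND attributes.event.type IN ("auth", "security")'), True),
]

# Constructed sample logs, not real data.
SAMPLE_LOGS: List[Record] = [
    {"resource.kubernetes.namespace.name": "production-eu", "resource.service.name": "payment-service",
     "attributes.log.level": "INFO", "attributes.event.type": "checkout"},
    {"resource.kubernetes.namespace.name": "production-eu", "resource.service.name": "cdn-edge",
     "attributes.log.level": "INFO"},
    {"resource.kubernetes.namespace.name": "staging", "resource.service.name": "auth-service",
     "attributes.log.level": "ERROR", "attributes.event.type": "auth"},
    {"resource.kubernetes.namespace.name": "staging", "resource.service.name": "frontend",
     "attributes.log.level": "INFO"},
    {"resource.kubernetes.namespace.name": "production-us", "resource.service.name": "billing-service",
     "attributes.log.level": "CRITICAL", "attributes.event.type": "security"},
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(log["resource.service.name"], "->", route(log, INDEXES))
    print("logs ingested:", len(SAMPLE_LOGS), "events billed:", billed_events(SAMPLE_LOGS, INDEXES))
```

Five logs become eleven billed events under these filters: the billing-service CRITICAL security event alone is stored four times (prod-environment, team-finance, security-events, and default), which is the overlap the billing and filter-design notes warn about. Rerunning with a tighter prod-environment filter, or with the default-index flag off for security-events, shows exactly how many copies each change removes.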
Troubleshooting
Please get in touch with us on Discord or Email if you have any questions.