A tag field field should be easy for a user to use at the start of their query (the first field in their query)

A tag field should be able to be used in more than one search

Choose a tag and field value that will assist with the distribution of data across segments and also enable effective searching and selection. For example, when storing security logs, suitable tags might be the log source, entry type and host, as these are the most likely fields to be used when searching and filtering for data.

Avoid using fields or values that have a high cardinality. For example, don't use a tag value with more 1000 unique values as this will increase the number of segments and memory required to manage them.

The system default for the maximum number of datasources is 10,000 per repo. This limit implies a notional maximum number of reps in the cluster of between 10 and 20 repositories due to the management overhead.

When there are a higher number of tags, make use tag groupings to create a fixed number of hash the tag groups across the distinct values. Tag groups create a distinct hash value for groups of tags improving searches for specific values.

#host

#source

#environment

#applicationName

#serviceType

#eventType