Ekanite indexing flow

Log data as it flows through Ekanite at indexing time.

Assuming the time now is between 2pm and 3pm, most log data will go into the index for that time range. However, it is always possible that some log data is for time ranges outside of “now”. Once the index is determined for a particular event (via the event’s time), the actual shard is determined by the event ID (via a hash-mod function).

This particular diagram shows 3 bleve “shards” per index, but that number is configurable.

