Your use case might have several lines of business (LOB) where the Logging Analytics user typically analyzes logs for only one LOB at a time and occasionally searches across multiple or all LOBs.

In this scenario, if each LOB always has under 6 TB of logs per day, then it is suitable to use a log set string that aligns with the lines of business. For example, log sets like HR, Global IT, Finance, Shipping, Orders, and Security.

If a single LOB can reach more than 6 TB per day of log ingest, then the log sets could be defined based on a secondary aspect such as which type of function of a LOB the logs come from. For example, if the Global IT LOB expects 20 TB per day of logs to be ingested, rather than using Global IT as their log set, it may be better to use GIT-Database, GIT-Mail, GIT-Support as their log set values.

The key to selecting log sets is to align with how the data is typically analyzed. If the GIT-Mail logs are typically analyzed on their own without mixing other logs, then this log set is suitable. If you might always combine GIT-Database and GIT-Support in the same search, then having them as different log sets isn't suitable.

The use case might involve running a horizontally scalable cloud product that scales based on the number of clients.

For example, if each client's use of your cloud service requires a set of computes, databases, and networks, then a good way to organize your log sets is by these clients with the use of client name or a client identifier. This information must be accessible and must be understandable to the user who searches the logs for a specific client. In such a case, if you have clients C1, C2, C3, then those would be the log set strings you use for the logs from each client.

Typically, when debugging an issue, the operations team would search logs for a specific client as part of the support. However, occasionally they would also analyze logs across multiple or all clients. In such cases, even though most of the logs are segmented by clients, there can also be some logs that are common across all clients. For example, a central billing database could be common. Then you can mix log sets based on client names and have a log set for CentralDB.