I have some code that can pull subnet info from IPplan or Solarwinds to generate 3 conf files. dynamic-dest.conf destination d_192_168_1_0 { file(/opt/syslog-ng/logs/192_168_1_0/$YEAR$MONTH$DAY-$HOUR-$HOST.log);}; dynamic-filter.conf filter f_192_168_1_0 { netmask(192.168.1.0/24);}; dynamic-logs.conf log { source(s_net); filter(f_192_168_1_0); destination(d_192_168_1_0);}; Many but not all of these subnets a specific to an application like “Cisco ASA, VMware or server" This works well for flat file archiving but when using a pattern database would it be best to have one single large patterndb or define unique ones for each area when splitting that data stream to ES ? log { source(s_net); parser(pattern_db); destination(d_es);}; OR log { source(s_net); filter(f_192_168_1_0); parser(ESXpattern_db) ;destination(d_es);}; log { source(s_net); filter(f_192_168_2_0); parser(ASApattern_db) ;destination(does);}; …