Is your feature request related to a problem?
Some of the existing system indices necessary for security analytics work are created with a 5p/1r shard strategy. The log types config is created with a 5p/0-allr strategy. Both of these have issues:
5p/1r - depending on the data node count, this can lead to shard skew. For some of the more heavily queried indices, such as the detector queries index, this can lead to hot nodes.
5p/0-allr - for large clusters, this results in a very high shard count. Taking a 20-node cluster as an example, this index would create 100 shards.
What solution would you like?
System indices should use a 1p/0-allr strategy. This allows each node to hold a copy of the entire index's data so any queries against these indices can be executed on the local node, improving performance and avoiding skew. Rollover should continue to be used for indices that can grow larger than a single shard should be.
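The three strategies compared in this request can be put side by side with a small model. This is an added example, not code from the issue or the project: `shard_layout` and `replica_count` are hypothetical names, and the round-robin placement is a simplifying assumption standing in for the real shard allocator.

```python
def replica_count(replicas, data_nodes):
    """Resolve a replica setting: an int, or "0-all" (one copy on every data node)."""
    ceiling = max(data_nodes - 1, 0)  # copies of one shard never share a node
    return ceiling if replicas == "0-all" else min(int(replicas), ceiling)


def shard_layout(primaries, replicas, data_nodes):
    """Model shard placement for one index on a cluster of `data_nodes` nodes.

    Assumption: copies are dealt round-robin across nodes, which keeps copies
    of the same shard apart. The real allocator also weighs other indices.
    """
    if data_nodes < 1:
        raise ValueError("need at least one data node")
    copies = 1 + replica_count(replicas, data_nodes)
    held = [set() for _ in range(data_nodes)]   # shard ids present on each node
    counts = [0] * data_nodes                   # shard copies on each node
    slot = 0
    for shard in range(primaries):
        for _ in range(copies):
            node = slot % data_nodes
            held[node].add(shard)
            counts[node] += 1
            slot += 1
    return {
        "total_shards": primaries * copies,
        "max_per_node": max(counts),
        "min_per_node": min(counts),
        "nodes_without_data": counts.count(0),
        # Nodes that can answer any query on this index without a network hop.
        "nodes_with_full_copy": sum(len(h) == primaries for h in held),
    }


if __name__ == "__main__":
    strategies = [("5p/1r", 5, 1), ("5p/0-allr", 5, "0-all"), ("1p/0-allr", 1, "0-all")]
    for name, primaries, replicas in strategies:
        for nodes in (7, 20):  # constructed cluster sizes
            print(f"{name:10} nodes={nodes:2} {shard_layout(primaries, replicas, nodes)}")
```

On 20 nodes the model shows 5p/1r leaving half the nodes with no copy of the index, while 1p/0-allr gives every node a full local copy with a fifth of the shards that 5p/0-allr creates.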