Merge pull request #5402 from Security-Onion-Solutions/TOoSmOotH-patch-6

Enable index sorting by default but allow it to be disabled

salt/elasticsearch/templates/so/so-common-template.json

@@ -1,3 +1,4 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %}
 {
   "index_patterns": ["so-*"],
   "version":50001,
@@ -8,8 +9,10 @@
     "index.refresh_interval":"30s",
     "index.routing.allocation.require.box_type":"hot",
     "index.mapping.total_fields.limit": "1500",
+{%- if INDEX_SORTING is sameas true %}
     "index.sort.field": "@timestamp",
     "index.sort.order": "desc",
+{%- endif %}
     "analysis": {
       "analyzer": {
         "es_security_analyzer": {