From 6dbe0645e5007d23b21747eefad91354096eee8c Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 11 Nov 2024 13:51:48 -0600
Subject: [PATCH] use auto_expand_replica, configure ilm for so-case* &
 so-detection*

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/defaults.yaml | 16 ++++++++++++++++
 salt/manager/tools/sbin/soup     | 11 ++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 133c333e1..84e1731d5 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -111,15 +111,23 @@ elasticsearch:
                 match_mapping_type: string
           settings:
             index:
+              lifecycle:
+                name: so-case-logs
               mapping:
                 total_fields:
                   limit: 1500
               number_of_replicas: 0
+              auto_expand_replicas: 0-2
               number_of_shards: 1
               refresh_interval: 30s
               sort:
                 field: '@timestamp'
                 order: desc
+      policy:
+        phases:
+          hot:
+            actions: {}
+            min_age: 0ms
     so-common:
       close: 30
       delete: 365
@@ -258,15 +266,23 @@ elasticsearch:
                 match_mapping_type: string
           settings:
             index:
+              lifecycle:
+                name: so-detection-logs
               mapping:
                 total_fields:
                   limit: 1500
               number_of_replicas: 0
+              auto_expand_replicas: 0-2
               number_of_shards: 1
               refresh_interval: 30s
               sort:
                 field: '@timestamp'
                 order: desc
+      policy:
+        phases:
+          hot:
+            actions: {}
+            min_age: 0ms
     so-endgame:
       index_sorting: false
       index_template:
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index bd2db98d7..6fa4c44ab 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -520,7 +520,16 @@ post_to_2.4.110() {
 }
 
 post_to_2.4.120() {
-  echo "Nothing to apply"
+  for idx in "so-detection" "so-detectionhistory" "so-case" "so-casehistory"; do
+    JSON_STRING=$( jq -n \
+                  --arg INDEX_NAME "$idx" \
+                  '{"settings": {"index.auto_expand_replicas":"0-2","index.lifecycle.name":($INDEX_NAME) + "-logs"}}'
+                )
+    echo "Updating $idx index settings"
+    retry 5 15 "so-elasticsearch-query $idx/_settings -d "$JSON_STRING" -XPUT| grep '{\"acknowledged\":true}'"
+    echo ""
+  done
+
   POSTVERSION=2.4.120
 }