elasticsearch:
  config:
    cluster:
      name:
        description: The name of the Security Onion Elasticsearch cluster, for identification purposes.
        readonly: True
        global: True
        helpLink: elasticsearch.html
      routing:
        allocation:
          disk:
            threshold_enabled:
              description: Specifies whether Elasticsearch monitors each node's available disk space and takes action to protect the cluster when it runs low. Disabling this removes the only guard against a node filling its data disk.
              helpLink: elasticsearch.html
            watermark:
              low:
                description: Percentage of used disk space above which Elasticsearch stops allocating new shards to the node. Below this value the node is considered healthy.
                helpLink: elasticsearch.html
              high:
                description: Percentage of used disk space above which Elasticsearch attempts to relocate shards away from the node. Must be higher than the low watermark.
                helpLink: elasticsearch.html
              flood_stage:
                description: Percentage of used disk space at which the node takes protective action, such as marking its indices read-only so that incoming events are blocked. Must be higher than the high watermark.
                helpLink: elasticsearch.html
    script:
      max_compilations_rate:
        description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values consume more resources.
        global: True
        helpLink: elasticsearch.html
    indices:
      query:
        bool:
          max_clause_count:
            description: Max number of boolean clauses per query. Queries exceeding this limit are rejected; larger values allow more complex queries at the cost of memory.
            global: True
            helpLink: elasticsearch.html
  index_settings:
    so-aws: &indexSettings
      warm:
        description: Age (in days) of this index before it moves to warm storage, if warm nodes are present. Once moved, events in this index can take longer to fetch.
        global: True
        helpLink: elasticsearch.html
      close:
        description: Age (in days) of this index before it is closed. Once closed, events in this index cannot be retrieved without first re-opening the index.
        global: True
        helpLink: elasticsearch.html
      delete:
        description: Age (in days) of this index before it is deleted. Once deleted, events are permanently unrecoverable.
        global: True
        helpLink: elasticsearch.html
      index_sorting:
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
        global: True
        helpLink: elasticsearch.html
      index_template:
        template:
          settings:
            index:
              mapping:
                total_fields:
                  limit:
                    description: Max number of fields that can exist on a single index. Larger values consume more resources.
                    global: True
                    helpLink: elasticsearch.html
              refresh_interval:
                description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer, since a refresh is a resource-intensive operation.
                global: True
                helpLink: elasticsearch.html
              number_of_shards:
                description: Number of primary shards for this index. Using multiple shards spreads the index across nodes for parallel indexing and search, but also increases storage and network costs. Shards alone do not protect against data loss; replicas do.
                global: True
                helpLink: elasticsearch.html
              number_of_replicas:
                description: Number of replicas of each primary shard for this index. Replicas protect against data loss when a node fails, but also increase storage costs. A replica can never be placed on the same node as its primary, so more replicas than data nodes minus one leaves the index under-replicated.
                global: True
                helpLink: elasticsearch.html
    so-azure: *indexSettings
    so-barracuda: *indexSettings
    so-beats: *indexSettings
    so-bluecoat: *indexSettings
    so-cef: *indexSettings
    so-checkpoint: *indexSettings
    so-cisco: *indexSettings
    so-cyberark: *indexSettings
    so-cylance: *indexSettings
    so-elasticsearch: *indexSettings
    so-endgame: *indexSettings
    so-f5: *indexSettings
    so-firewall: *indexSettings
    so-fortinet: *indexSettings
    so-gcp: *indexSettings
    so-google_workspace: *indexSettings
    so-ids: *indexSettings
    so-imperva: *indexSettings
    so-import: *indexSettings
    so-infoblox: *indexSettings
    so-juniper: *indexSettings
    so-kibana: *indexSettings
    so-logstash: *indexSettings
    so-microsoft: *indexSettings
    so-misp: *indexSettings
    so-netflow: *indexSettings
    so-netscout: *indexSettings
    so-o365: *indexSettings
    so-okta: *indexSettings
    so-osquery: *indexSettings
    so-proofpoint: *indexSettings
    so-radware: *indexSettings
    so-redis: *indexSettings
    so-snort: *indexSettings
    so-snyk: *indexSettings
    so-sonicwall: *indexSettings
    so-sophos: *indexSettings
    so-strelka: *indexSettings
    so-syslog: *indexSettings
    so-tomcat: *indexSettings
    so-zeek: *indexSettings
    so-zscaler: *indexSettings
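# Added example (Python), not part of Security Onion's own code: a pre-apply sanity
# check for the settings annotated above. It assumes a plain dict that mirrors the
# keys in this file (disk watermarks as percentages, per-index warm/close/delete as
# day counts) and treats the ages as literal day counts. The sample values and the
# optional data_nodes parameter are constructed for the example.

```python
from typing import Dict, List, Optional


def parse_percent(value) -> float:
    """Accept 85, '85' or '85%' and return the percentage as a float."""
    if isinstance(value, str):
        value = value.strip().rstrip("%")
    pct = float(value)
    if not 0 <= pct <= 100:
        raise ValueError(f"percentage out of range: {value!r}")
    return pct


def check_disk_watermarks(disk: dict) -> List[str]:
    """Problems with cluster.routing.allocation.disk.*; an empty list means OK."""
    problems: List[str] = []
    if not disk.get("threshold_enabled", True):
        # With monitoring off nothing stops a node from filling its disk,
        # after which writes fail and recovery may need manual intervention.
        problems.append("disk threshold monitoring is disabled")
        return problems
    wm = disk.get("watermark", {})
    try:
        low, high, flood = (parse_percent(wm[k]) for k in ("low", "high", "flood_stage"))
    except (KeyError, ValueError) as exc:
        return [f"watermark settings unusable: {exc!r}"]
    # Elasticsearch requires the three watermarks to be strictly increasing.
    if not low < high < flood:
        problems.append(f"watermarks must satisfy low < high < flood_stage, got {low} < {high} < {flood}")
    return problems


def check_index_lifecycle(settings: dict, data_nodes: Optional[int] = None) -> List[str]:
    """Problems with one index's retention ages and shard/replica counts."""
    problems: List[str] = []
    try:
        warm, close, delete = (int(settings[k]) for k in ("warm", "close", "delete"))
    except (KeyError, ValueError) as exc:
        return [f"retention ages unusable: {exc!r}"]
    # Assumption: ages are plain day counts; no "0 means disabled" convention is modelled.
    if min(warm, close, delete) < 0:
        problems.append("retention ages must be non-negative")
    elif not warm <= close <= delete:
        # Deleting before close, or closing before the warm move, silently
        # shortens the retention an analyst expects from these settings.
        problems.append(f"retention must satisfy warm <= close <= delete, got {warm}/{close}/{delete}")
    idx = settings.get("index_template", {}).get("template", {}).get("settings", {}).get("index", {})
    shards = int(idx.get("number_of_shards", 1))
    replicas = int(idx.get("number_of_replicas", 0))
    if shards < 1:
        problems.append("number_of_shards must be at least 1")
    if replicas < 0:
        problems.append("number_of_replicas cannot be negative")
    elif data_nodes is not None and replicas >= data_nodes:
        # A replica never shares a node with its primary, so this index would
        # stay yellow (under-replicated) until more data nodes are added.
        problems.append(f"{replicas} replicas need more than {data_nodes} data node(s)")
    if replicas == 0 and (data_nodes or 1) > 1:
        problems.append("no replicas: losing one node loses this index's events")
    return problems


def check_all(config: dict, data_nodes: Optional[int] = None) -> Dict[str, List[str]]:
    """Run every check; returns {section: problems} only for sections with problems."""
    report: Dict[str, List[str]] = {}
    disk = config["elasticsearch"]["config"]["cluster"]["routing"]["allocation"]["disk"]
    disk_problems = check_disk_watermarks(disk)
    if disk_problems:
        report["disk"] = disk_problems
    for name, settings in config["elasticsearch"]["index_settings"].items():
        index_problems = check_index_lifecycle(settings, data_nodes)
        if index_problems:
            report[name] = index_problems
    return report


# Constructed sample values for the example; these are not Security Onion defaults.
_INDEX_OK = {
    "warm": 7, "close": 30, "delete": 365, "index_sorting": False,
    "index_template": {"template": {"settings": {"index": {
        "mapping": {"total_fields": {"limit": 5000}},
        "refresh_interval": "30s",
        "number_of_shards": 1,
        "number_of_replicas": 0,
    }}}},
}
SAMPLE_CONFIG = {
    "elasticsearch": {
        "config": {"cluster": {"routing": {"allocation": {"disk": {
            "threshold_enabled": True,
            "watermark": {"low": "85%", "high": "90%", "flood_stage": "95%"},
        }}}}},
        "index_settings": {
            "so-aws": _INDEX_OK,
            # so-zeek mistakenly deletes after 14 days while closing only at 30.
            "so-zeek": {**_INDEX_OK, "delete": 14},
        },
    },
}

if __name__ == "__main__":
    for section, problems in check_all(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"{section}: {problem}")
```

# Running the block reports only the so-zeek retention ordering problem; pass
# data_nodes=<count> to also flag replica counts that the cluster cannot satisfy.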