securityonion/salt/elasticsearch/templates/component/so/case-settings.json

{
  "template": {
    "settings": {
      "index": {
        "mapping": {
          "total_fields": {
            "limit": "3000"
          }
        },
        "refresh_interval": "30s",
        "analysis": {
          "filter": {
            "path_hierarchy_pattern_filter": {
              "type": "pattern_capture",
              "preserve_original": "true",
              "patterns": [
                "((?:[^\\\\]*\\\\)*)(.*)",
                "((?:[^/]*/)*)(.*)"
              ]
            }
          },
          "char_filter": {
            "whitespace_no_way": {
              "pattern": "(\\s)+",
              "type": "pattern_replace",
              "replacement": "$1"
            }
          },
          "analyzer": {
            "es_security_analyzer": {
              "filter": [
                "lowercase",
                "trim"
              ],
              "char_filter": [
                "whitespace_no_way"
              ],
              "type": "custom",
              "tokenizer": "keyword"
            }
          },
          "tokenizer": {
            "path_tokenizer": {
              "type": "path_hierarchy",
              "delimiter": "\\"
            }
          }
        },
        "number_of_shards": "1",
        "number_of_replicas": "0"
      }
    }
  },
  "version": 1,
  "_meta": {
    "description": "default settings for common Security Onion Cases indices"
  }
}