From ca5bc78ec4b5a0024ab85ca31421bb08cc6da247 Mon Sep 17 00:00:00 2001
From: Salvatore Campagna <93581129+salvatore-campagna@users.noreply.github.com>
Date: Tue, 24 Sep 2024 15:11:34 +0200
Subject: [PATCH] `host.name` is empty we need to use `host.hostname` (#678)

If the `host.name` field does not exists, indices created as backing indices of a data stream are injected with empty values of `host.name`. Sorting on `host.name` and `@timestamp` results in sorting just on `@timestamp`. Looking at some mappings I see a `host.hostname` exists. Also a cardinality aggregation results in hundreds of distinct values which suggests the filed is not empty. We would like to test using a meaningful combination of fields to sort on. Ideally we expect better benchmark results despite being possible that other, more effective, combinations of fields might exist. We are interested, anyway, in changes over time **given a valid set of fields to sort on**. (cherry picked from commit 0ca00a0efc2185eb0b589b625be67f09d3fab6bd)
---
 .../component/track-shared-logsdb-mode.json | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/elastic/security/templates/component/track-shared-logsdb-mode.json b/elastic/security/templates/component/track-shared-logsdb-mode.json
index fc1002083..1f6860869 100644
--- a/elastic/security/templates/component/track-shared-logsdb-mode.json
+++ b/elastic/security/templates/component/track-shared-logsdb-mode.json
@@ -1,11 +1,14 @@
 {
- "template": {
- "settings": {
- {% if index_mode %}
- "index": {
- "mode": {{ index_mode | tojson }}
+ "template": {
+ "settings": {
+ {% if index_mode %}
+ "index": {
+ "mode": {{ index_mode | tojson }},
+ "sort.field": [ "host.hostname", "@timestamp" ],
+ "sort.order": [ "asc", "desc" ],
+ "sort.missing": ["_first", "_last"]
+ }
+ {% endif %}
 }
- {% endif %}
 }
 }
-}
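Review bot: The new `"sort.field": [ "host.hostname", "@timestamp" ]` assumes `host.hostname` is mapped as a sortable keyword with doc values in every template this component is composed into; the commit message only says it was seen in some mappings, and as far as I know an index whose mapping lacks the field, or maps it as `text`, is rejected at creation time rather than falling back to `@timestamp`-only sorting the way the empty `host.name` did. The sort block is guarded only by `{% if index_mode %}`, so it is emitted for any mode value; if I recall correctly `time_series` mode rejects explicit `index.sort.*` settings, so either the guard should test for `logsdb` specifically or the file name should be understood as that contract. Since the rationale lives only in the commit message, a Jinja comment above the `"sort.field"` line would help the next reader: `{# host.name is empty in this dataset, so sort on host.hostname instead (see #678) #}`. Minor style: `"sort.missing": ["_first", "_last"]` drops the inner spaces its two sibling arrays use.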