diff --git a/elastic/logs/templates/component/auditbeat-mappings.json b/elastic/logs/templates/component/auditbeat-mappings.json
index 70c66b179..37ee60f3f 100644
--- a/elastic/logs/templates/component/auditbeat-mappings.json
+++ b/elastic/logs/templates/component/auditbeat-mappings.json
@@ -8,6 +8,13 @@
 }
 },
 "refresh_interval": "30s",
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "kubernetes.pod.uid", "log.logger", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 {# non-serverless-index-settings-marker-start #}{%- if build_flavor != "serverless" or serverless_operator == true -%}
 "max_docvalue_fields_search": 200,
 "number_of_shards": 1,
diff --git a/elastic/logs/templates/component/logs-apache.access@package.json b/elastic/logs/templates/component/logs-apache.access@package.json
index 9ce2162cf..0c2bf9a9e 100644
--- a/elastic/logs/templates/component/logs-apache.access@package.json
+++ b/elastic/logs/templates/component/logs-apache.access@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-apache.access-1.18.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "user_agent.name", "log.file.path", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-apache.error@package.json b/elastic/logs/templates/component/logs-apache.error@package.json
index 868d51091..1d979a53e 100644
--- a/elastic/logs/templates/component/logs-apache.error@package.json
+++ b/elastic/logs/templates/component/logs-apache.error@package.json
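Review bot: `"logsdb.route_on_sort_fields": true` is emitted whenever the `route_on_sort_fields` parameter is true, with nothing tying it to the index mode, so a run that sets the flag against an index that is not in logsdb mode will, as far as I can tell, have the template rejected by Elasticsearch rather than quietly ignored; gate it on the mode as well, e.g. `{%- if route_on_sort_fields | default(false) is true and <INDEX_MODE_PARAM> == "logsdb" %}` (placeholder for whatever parameter selects the mode), or state the coupling where the track's parameters are documented. The same block appears in every other file of this commit, so the fix applies to all of them. The block also omits the whitespace-control dash that the adjacent `{%- if disable_pipelines is not true %}` / `{%- endif %}` use, which leaves blank lines in the rendered settings when the flag is off; `{%- if … %}` and `{%- endif %}` would match the file. In this file the block ends on `"logsdb.route_on_sort_fields": true,` directly before the `{%- if build_flavor != "serverless" … -%}` branch; the alternative branch is outside the hunk, so confirm it always emits a following key, otherwise that trailing comma yields invalid JSON.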
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-apache.error-1.18.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "user_agent.name", "log.file.path", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-kafka.log@package.json b/elastic/logs/templates/component/logs-kafka.log@package.json
index e1c272881..90cbe8c37 100644
--- a/elastic/logs/templates/component/logs-kafka.log@package.json
+++ b/elastic/logs/templates/component/logs-kafka.log@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-kafka.log-1.13.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "event.type", "kafka.log.component", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-mysql.error@package.json b/elastic/logs/templates/component/logs-mysql.error@package.json
index 834545032..14c450a0b 100644
--- a/elastic/logs/templates/component/logs-mysql.error@package.json
+++ b/elastic/logs/templates/component/logs-mysql.error@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-mysql.error-1.19.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "event.type", "log.file.path", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
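Review bot: logs-apache.error sorts on `user_agent.name`, the same list as logs-apache.access; Apache error-log events rarely carry a user agent, so if the field is mostly absent it contributes nothing to the sort and — assuming routing is derived from the sort fields as the setting name suggests — the effective routing key degrades to `host.name` plus `log.file.path`, which is worth confirming against the error dataset's mappings before pinning it here. More generally, several of these lists route on values a client supplies (`user_agent.name` in the apache and nginx access templates, `user.name` in logs-mysql.slowlog), so one dominant value can concentrate a dataset's documents on a single shard; that is acceptable for a benchmark only if shard count and value cardinality are understood, and `number_of_shards` is visible only in the auditbeat hunk. A one-line Jinja comment per file stating why these fields were chosen would make the choice reviewable, e.g. `{# sort/route keys picked for cardinality on this dataset; see <REFERENCE_PLACEHOLDER> #}`.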
diff --git a/elastic/logs/templates/component/logs-mysql.slowlog@package.json b/elastic/logs/templates/component/logs-mysql.slowlog@package.json
index 794f1f3d1..df1e853a2 100644
--- a/elastic/logs/templates/component/logs-mysql.slowlog@package.json
+++ b/elastic/logs/templates/component/logs-mysql.slowlog@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-mysql.slowlog-1.19.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "user.name", "log.file.path", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-nginx.access@package.json b/elastic/logs/templates/component/logs-nginx.access@package.json
index 888671297..f9a708f26 100644
--- a/elastic/logs/templates/component/logs-nginx.access@package.json
+++ b/elastic/logs/templates/component/logs-nginx.access@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-nginx.access-1.20.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "user_agent.name", "log.file.path", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-nginx.error@package.json b/elastic/logs/templates/component/logs-nginx.error@package.json
index b0b4cd83b..1a202e394 100644
--- a/elastic/logs/templates/component/logs-nginx.error@package.json
+++ b/elastic/logs/templates/component/logs-nginx.error@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-nginx.error-1.20.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "input.type", "log.file.path", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-postgresql.log@package.json b/elastic/logs/templates/component/logs-postgresql.log@package.json
index b0a352fdc..3b2618693 100644
--- a/elastic/logs/templates/component/logs-postgresql.log@package.json
+++ b/elastic/logs/templates/component/logs-postgresql.log@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-postgresql.log-1.20.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "error.code", "event.code", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-redis.log@package.json b/elastic/logs/templates/component/logs-redis.log@package.json
index c4c78d867..7f4474efc 100644
--- a/elastic/logs/templates/component/logs-redis.log@package.json
+++ b/elastic/logs/templates/component/logs-redis.log@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-redis.log-1.15.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "redis.log.role", "log.level", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-redis.slowlog@package.json b/elastic/logs/templates/component/logs-redis.slowlog@package.json
index 75e3b5dc4..887177389 100644
--- a/elastic/logs/templates/component/logs-redis.slowlog@package.json
+++ b/elastic/logs/templates/component/logs-redis.slowlog@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-redis.slowlog-1.15.0",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "redis.slowlog.key", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-system.auth@package.json b/elastic/logs/templates/component/logs-system.auth@package.json
index c8e8a5a60..f21691643 100644
--- a/elastic/logs/templates/component/logs-system.auth@package.json
+++ b/elastic/logs/templates/component/logs-system.auth@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-system.auth-1.58.1",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "event.code", "log.file.path", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-system.syslog@package.json b/elastic/logs/templates/component/logs-system.syslog@package.json
index 931bb3fe3..2d11c7573 100644
--- a/elastic/logs/templates/component/logs-system.syslog@package.json
+++ b/elastic/logs/templates/component/logs-system.syslog@package.json
@@ -7,6 +7,13 @@
 {%- if disable_pipelines is not true %}
 "default_pipeline": "logs-system.syslog-1.58.1",
 {%- endif %}
+ {% if route_on_sort_fields | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "event.code", "log.file.path", "@timestamp" ],
+ "order": [ "asc", "asc", "asc", "desc" ]
+ },
+ "logsdb.route_on_sort_fields": true,
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"