diff --git a/elastic/logs/templates/component/auditbeat-mappings.json b/elastic/logs/templates/component/auditbeat-mappings.json
index 58f1ad985..b529e3064 100644
--- a/elastic/logs/templates/component/auditbeat-mappings.json
+++ b/elastic/logs/templates/component/auditbeat-mappings.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 {# non-serverless-index-settings-marker-start #}{%- if build_flavor != "serverless" or serverless_operator == true -%}
 "max_docvalue_fields_search": 200,
 "number_of_shards": 1,
diff --git a/elastic/logs/templates/component/logs-apache.access@package.json b/elastic/logs/templates/component/logs-apache.access@package.json
index d0f30fc71..ad16403f2 100644
--- a/elastic/logs/templates/component/logs-apache.access@package.json
+++ b/elastic/logs/templates/component/logs-apache.access@package.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-apache.error@package.json b/elastic/logs/templates/component/logs-apache.error@package.json
index 12bc1544e..de0ed6c42 100644
--- a/elastic/logs/templates/component/logs-apache.error@package.json
+++ b/elastic/logs/templates/component/logs-apache.error@package.json
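Review bot: The new `"sort"` object is emitted right after an existing conditional block that ends in `},` and `"logsdb.route_on_sort_fields": true,`, which suggests that block already writes a `"sort"` key into the same settings object; its opening lines are outside the hunk, so this is inferred. If both conditions can hold in one render, the output carries a duplicate `"sort"` key, which a strict parser rejects and a lenient one resolves by silently keeping only one of the two. Making the branches exclusive, for example by turning this into an `{% elif patterned_text_message_field | default(false) is true %}` branch of the earlier block, or by adding a Jinja comment stating that the two parameters must not be combined, would close that gap. The identical block is added in the other ten component templates and in `logs-k8-application.log.json`, so the same point applies there. It is also worth confirming that `message.template_id` is mapped under this flag for every one of these data streams, since a sort on an unmapped field would presumably fail at index creation.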
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-kafka.log@package.json b/elastic/logs/templates/component/logs-kafka.log@package.json
index 027f0e11a..8ba003080 100644
--- a/elastic/logs/templates/component/logs-kafka.log@package.json
+++ b/elastic/logs/templates/component/logs-kafka.log@package.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-mysql.error@package.json b/elastic/logs/templates/component/logs-mysql.error@package.json
index 2a86b6d99..af1900a8b 100644
--- a/elastic/logs/templates/component/logs-mysql.error@package.json
+++ b/elastic/logs/templates/component/logs-mysql.error@package.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-mysql.slowlog@package.json b/elastic/logs/templates/component/logs-mysql.slowlog@package.json
index 7dc165f6f..6cb238a56 100644
--- a/elastic/logs/templates/component/logs-mysql.slowlog@package.json
+++ b/elastic/logs/templates/component/logs-mysql.slowlog@package.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-nginx.error@package.json b/elastic/logs/templates/component/logs-nginx.error@package.json
index 54a53bf28..e88c563a4 100644
--- a/elastic/logs/templates/component/logs-nginx.error@package.json
+++ b/elastic/logs/templates/component/logs-nginx.error@package.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-postgresql.log@package.json b/elastic/logs/templates/component/logs-postgresql.log@package.json
index cefa949af..2da40e38c 100644
--- a/elastic/logs/templates/component/logs-postgresql.log@package.json
+++ b/elastic/logs/templates/component/logs-postgresql.log@package.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-redis.log@package.json b/elastic/logs/templates/component/logs-redis.log@package.json
index 5ef006e5c..846492284 100644
--- a/elastic/logs/templates/component/logs-redis.log@package.json
+++ b/elastic/logs/templates/component/logs-redis.log@package.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-system.auth@package.json b/elastic/logs/templates/component/logs-system.auth@package.json
index d9caec634..2b2451678 100644
--- a/elastic/logs/templates/component/logs-system.auth@package.json
+++ b/elastic/logs/templates/component/logs-system.auth@package.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/component/logs-system.syslog@package.json b/elastic/logs/templates/component/logs-system.syslog@package.json
index d700d7772..5b4701de8 100644
--- a/elastic/logs/templates/component/logs-system.syslog@package.json
+++ b/elastic/logs/templates/component/logs-system.syslog@package.json
@@ -14,6 +14,12 @@
 },
 "logsdb.route_on_sort_fields": true,
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %}
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ },
+ {% endif %}
 "mapping": {
 "total_fields": {
 "limit": "10000"
diff --git a/elastic/logs/templates/composable/logs-k8-application.log.json b/elastic/logs/templates/composable/logs-k8-application.log.json
index e8e7d61b6..1240b07ad 100644
--- a/elastic/logs/templates/composable/logs-k8-application.log.json
+++ b/elastic/logs/templates/composable/logs-k8-application.log.json
@@ -30,6 +30,12 @@
 },
 "logsdb.route_on_sort_fields": true
 {% endif %}
+ {% if patterned_text_message_field | default(false) is true %},
+ "sort": {
+ "field": [ "host.name", "message.template_id", "@timestamp" ],
+ "order": [ "asc", "asc", "desc" ]
+ }
+ {% endif %}
 }
 },
 "mappings": {
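Review bot: The separating comma in this template is written after the opening tag, `{% if patterned_text_message_field | default(false) is true %},`, whereas the component templates put it after the closing brace of the `"sort"` object. The placement looks deliberate, because the block is the last entry before the closing `}`, but it is easy to miss or to "fix" by mistake. A short Jinja comment above the block, such as `{# leading comma: this is the last entry in the settings object #}`, would document it. The rendered JSON is valid only if some setting is always emitted before this block, and the lines that would show that are outside the hunk.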