Hi, we need a larger max_result_window than the default. I have successfully upped it for the current index, but when the index rolls, the setting is gone. I tried adding the setting to elasticsearch.yml but that didn’t work either. Looks like Graylog is using index templates. Can I modify the Graylog index template? If so, how would I do that? Thanks.


Add another index template that is loaded after the Graylog template and set only the max_result_window in it. has an example where the template is used for index mappings.

This page tells more about index templates:, including how to order them.
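
The approach described in the answer above, as an added example that is not part of the original posts: a second template that sets only `index.max_result_window` and is ordered after Graylog's own. It assumes the legacy `_template` API, Elasticsearch reachable at `ES_URL`, and Graylog's default `graylog_` index prefix; the template name, the value 50000 and the index name in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: ES_URL, the "graylog_*"
# pattern (default Graylog prefix) and the template name below.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"
TEMPLATE_NAME="graylog-custom-settings"   # hypothetical name

# Print the template body. Only max_result_window is set, so Graylog's
# own template keeps supplying mappings and analyzers. "order" must be
# higher than the order of Graylog's template (check with GET _template).
build_template() {
    window="$1"; order="${2:-1}"; pattern="${3:-graylog_*}"
    case "$window" in
        ''|*[!0-9]*) echo "window must be a positive integer" >&2; return 1 ;;
    esac
    [ "$window" -gt 0 ] || { echo "window must be > 0" >&2; return 1; }
    # Elasticsearch 5.x and older use "template" instead of "index_patterns".
    printf '{"index_patterns":["%s"],"order":%s,"settings":{"index":{"max_result_window":%s}}}\n' \
        "$pattern" "$order" "$window"
}

# Upload the template. Templates are applied at index creation, so the
# setting appears on the next index Graylog rotates to, not the current one.
apply_template() {
    body=$(build_template "$@") || return 1
    curl -fsS -X PUT "$ES_URL/_template/$TEMPLATE_NAME" \
        -H 'Content-Type: application/json' -d "$body"
}

# Read the effective setting back from an index created after the upload.
show_window() {
    curl -fsS "$ES_URL/$1/_settings/index.max_result_window?pretty"
}

# Usage:
#   apply_template 50000
#   show_window graylog_42    # constructed index name
```

Deep paging costs heap and time proportional to `from + size`, so raise the window only as far as the queries actually need.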


Thank you so much! That worked perfectly.

