Hi, We need a larger max_result_window than the default. I have successfully upped it for the current index, but when the index rolls, the setting is gone. I tried adding the setting to elasticsearch.yml but that didn’t work either. Looks like Graylog is using index templates. Can I modify the Graylog index template? If so, how would I do that? Thanks.
Add another index template that is loaded after graylog template and set only the max_result_window in it. http://docs.graylog.org/en/2.2/pages/configuration/elasticsearch.html#custom-index-mappings has an example where the template is used for index mappings.
This page tells more about index templates: https://www.elastic.co/guide/en/elasticsearch/reference/5.4/indices-templates.html, including how to order them.
Thank you so much! That worked perfectly.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.