Alerts to Hunt no longer working - Version 2.3.130

[tempest3991]

I have found that the solution in several other threads references this

field expansion matches too many fields
If you get errors like failed to create query: field expansion for [*] matches too many fields, limit: 3500, got: XXXX, then this usually means that you’re sending in additional logs and so you have more fields than our default max_clause_count value. To resolve this, you can increase the indices.query.bool.max_clause_count value for any boxes running Elasticsearch in your deployment.

tail in sensoroni shows the following

timestamp=2022-06-20T17:24:48.19106688Z level=warn message="Shard failure" reason="failed to create query: field expansion for [*] matches too many fields, limit: 3500, got: 4678" type=query_shard_exception

Several solutions state to add the indices.query.bool.max_clause_count, I have added this to global.sls, but I'm not sure if I am adding this to the right place?

elasticsearch:
true_cluster: False
replicas: 0
discovery_nodes: 1
hot_warm_enabled: False
cluster_routing_allocation_disk.threshold_enabled: true
cluster_routing_allocation_disk_watermark_low: '95%'
cluster_routing_allocation_disk_watermark_high: '98%'
cluster_routing_allocation_disk_watermark_flood_stage: '98%'
indices.query.bool.max_clause_count: 5000

I'm not sure where to add this to the global.sls, I see it referenced in the documentation, but it doesn't say specifically where to add it. When I check the elastic YML file, it just states 3500, but that is overridden whenever a SALT call is made

[ben-sec]

The correct syntax in global.sls is

elasticsearch:
   config:
       indices.query.bool.max_clause_count: 4000

Works fine for me.

[dougburks]

The Elasticsearch customization section of our documentation has been updated to address this:
https://docs.securityonion.net/en/2.3/elasticsearch.html#customization