Document: Cortex XSOAR Administrator’s Guide
Last Updated: Sat Mar 05 23:12:46 PST 2022
Current Version: 6.0 (EoL)
Troubleshoot Elasticsearch Feed Ingestion Issues
In some cases, complex search queries cause Elasticsearch to fail with a stack overflow error.
We recommend that you use the following search query syntax: field:(a,b,c …).
Workaround
To fix this issue, you can increase the maximum clause count and the maximum total field count in the elasticsearch.yml file.
Maximum clause count

| Elasticsearch Version | Key | Value |
|---|---|---|
| 6.0 and later | index.query.bool.max_clause_count | A number larger than the default of 1,024. |
| 5.x and earlier | indices.query.bool.max_clause_count | A number larger than the default of 1,024. |
Maximum total field count

The maximum total field count includes nested fields. The default value is 1,000.

| Key | Value |
|---|---|
| index.mapping.total_fields.limit | A number larger than the default of 1,000. |
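To confirm the workaround is in place, the following added example (not part of the Palo Alto Networks documentation) checks an elasticsearch.yml file against the defaults listed above. The function names and the sample file are constructed for illustration, and the minimal parser assumes scalar settings written as dotted keys or as nested mappings.

```python
import re

# Keys and default values as listed in the tables above.
CLAUSE_KEYS = ("index.query.bool.max_clause_count",
               "indices.query.bool.max_clause_count")
FIELD_KEY = "index.mapping.total_fields.limit"
DEFAULT_CLAUSES, DEFAULT_FIELDS = 1024, 1000

def flatten_yaml(text):
    """Flatten dotted and nested scalar settings into {dotted.key: value}.
    Deliberately minimal: not a full YAML parser."""
    flat, stack = {}, []  # stack holds (indent, key) of open parent mappings
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        m = re.match(r"^(\s*)([^:\s][^:]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:  # leave deeper or sibling mappings
            stack.pop()
        if value == "":
            stack.append((indent, key))          # parent of a nested mapping
        else:
            flat[".".join([k for _, k in stack] + [key])] = value.strip("'\"")
    return flat

def _as_int(flat, key):
    raw = flat.get(key, "")
    return int(raw) if raw.isdigit() else None

def audit(text):
    """Return a list of findings; an empty list means both limits are raised."""
    flat = flatten_yaml(text)
    findings = []
    clauses = [v for v in (_as_int(flat, k) for k in CLAUSE_KEYS) if v is not None]
    if not clauses or max(clauses) <= DEFAULT_CLAUSES:
        findings.append("max_clause_count is not above %d" % DEFAULT_CLAUSES)
    fields = _as_int(flat, FIELD_KEY)
    if fields is None or fields <= DEFAULT_FIELDS:
        findings.append("%s is not above %d" % (FIELD_KEY, DEFAULT_FIELDS))
    return findings

# Constructed sample: clause count raised (nested form), field limit still at default.
SAMPLE = """\
# elasticsearch.yml (constructed sample)
cluster.name: xsoar-es
indices:
  query:
    bool:
      max_clause_count: 4096   # raised
index.mapping.total_fields.limit: 1000
"""
```

Calling audit(SAMPLE) reports only the field limit, because the clause count is raised but index.mapping.total_fields.limit is still at its default.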