[Entity Store] Document 9.4.2 log extraction tuning knobs#6677
Draft
uri-weisman wants to merge 1 commit into
Draft
[Entity Store] Document 9.4.2 log extraction tuning knobs#6677uri-weisman wants to merge 1 commit into
uri-weisman wants to merge 1 commit into
Conversation
Adds troubleshooting entries for the per-window volume cap introduced in 9.4.2 (maxLogsPerWindow, maxLogsPerWindowCapBehavior) and version-gates the maxLogsPerPage default to reflect the 9.4.3 value bump. Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
Elastic Docs AI PR menuCheck the box to run an AI review for this pull request.
Powered by GitHub Agentic Workflows and docs-actions. For more information, reach out to the docs team. |
Contributor
🔍 Preview links for changed docs |
Contributor
Vale Linting ResultsSummary: 1 warning found
|
| File | Line | Rule | Message |
|---|---|---|---|
| solutions/security/advanced-entity-analytics/entity-store.md | 234 | Elastic.Spelling | 'cpu' is a possible misspelling. |
The Vale linter checks documentation changes against the Elastic Docs style guide.
To use Vale locally or report issues, refer to Elastic style guide for Vale.
Contributor
Author
|
@natasha-moore-elastic we would also like to add a recommendation: Note for CCS users: Entity Analytics ingests logs from every remote cluster. To avoid unnecessary load, please disable EA on any remote cluster where it isn't actively used |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Updates the Entity Store troubleshooting section in
solutions/security/advanced-entity-analytics/entity-store.mdto cover the log extraction tunables added in 9.4.2 (elastic/kibana#269482, elastic/kibana#270180) and refreshes themaxLogsPerPagedefault to reflect the 9.4.2 value bump (elastic/kibana#270617).What's new in the section
maxLogsPerWindow— per-task-run total-volume cap (new in 9.4.2). Documented as the most effective lever for protecting a cluster from sudden ingest spikes, because it bounds the work a single extraction task can do regardless of how many slices the window is split into.maxLogsPerWindowCapBehavior— new in 9.4.2. Documents bothdrop(default, cluster-health-first) anddefer(coverage-first) modes and the coverage-vs-freshness trade-off between them.maxLogsPerPagedefault — version-gated to show40000for 9.4.0–9.4.1 and50000for 9.4.2Why now
We've seen multiple SDHs (#1675, #9945, EOG, plus internal Infosec) where Entity Store v2 extraction overwhelmed hot data nodes after 9.4.0. The 9.4.2 knobs are the supported mitigation path; this page is where Support and customers look first.
applies_to notes
serverless: plannedto match the rest of the troubleshoot section. Once the Serverless rollout date is known, update accordingly.