The following index configuration nodes are some of the advanced database configuration items of the Security Analytics Core database that do not change frequently.
The index.dir setting controls where the files used by the index are stored. This setting supports the same syntax as the packet.dir, meta.dir, and session.dir settings.
The Warm tier storage for index slices. This setting supports the same syntax as packet.dir.warm, meta.dir.warm, and session.dir.warm.
The Cold tier storage for index slices. This setting supports the same syntax as packet.dir.cold, meta.dir.cold, and session.dir.cold.
This setting controls the number of index slices held open by the index. Index slices are opened automatically as needed by queries. When queries complete, the index engine may hold the slices open so that subsequent queries execute faster. The most recently created slices are the ones held open, since they are most likely to be used by queries.
If queries against the index require the index to open slices, they execute more slowly than if the slices were already open. Therefore, this parameter should be tuned so that most queries executed against the index work on open slices. However, each open index slice consumes some resources, such as file handles and memory. If there are too many index slices open, the overall performance of the service can suffer.
You should set this parameter so that the open index slices will cover most of the time ranges that most queries will need. For example, if most queries are over the past two weeks, and there are index slices created every 8 hours, then there are 14 days x 3 slices per day, or 42 slices created over the past two weeks. Thus, you could set index.slices.open to 42 so that only slices that are likely to be used are held open.
If this parameter is set to 0, then all slices are held open until the next index save. In this scenario, the only thing limiting the number of slices open in the process is the number of slices in the index.
Deprecated. Versions of the Security Analytics Core index between 9.8 and 10.2 supported two different index compression algorithms, and you can choose between them using this setting. As of 10.3, the only recommended value is the default of huffhybrid.
This setting controls how often the index is automatically saved when new sessions are inserted. If the value of save.session.count is greater than 0, any time more than save.session.count sessions are added to the index, the index automatically saves itself. If save.session.count is set to 0, this feature is disabled and the index will not automatically save itself when new sessions are added to the index.
The save.session.count setting can be used to implement an automatic save pattern that is based on the volume of data that enters the index. This is useful because it allows a lightly loaded system to generate save points less often.
For more information on the topic of index saves, see the section in this guide on Optimization Techniques.