From ad10bd85a9f8bd49011245b2ddf3ef59277579cb Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 16 Dec 2024 16:35:24 -0500 Subject: [PATCH] [main] Update detections-logsdb-impact.asciidoc (backport #6327) (#6330) * Update detections-logsdb-impact.asciidoc * Update docs/detections/detections-logsdb-impact.asciidoc --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit 180cf67eb185afd60ae260ad239763ff90aefe7c) Co-authored-by: Kseniia Ignatovych <40713348+approksiu@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/detections-logsdb-impact.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/detections/detections-logsdb-impact.asciidoc b/docs/detections/detections-logsdb-impact.asciidoc index 1b304c7f1e..a245644800 100644 --- a/docs/detections/detections-logsdb-impact.asciidoc +++ b/docs/detections/detections-logsdb-impact.asciidoc @@ -11,6 +11,8 @@ When the `_source` is reconstructed, {ref}/mapping-source-field.html#synthetic-s Continue reading to find out how this affects specific {elastic-sec} components. +NOTE: Logsdb is not recommended for {elastic-sec} at this time. Users must fully understand and accept the documented changes to detection alert documents (see below), and ensure their deployment has excess hot data tier CPU resource capacity before enabling logsdb mode, as logsdb mode requires additional CPU resources during the ingest/indexing process. Enabling logsdb without sufficient hot data tier CPU may result in data ingestion backups and/or security detection rule timeouts and errors. + [discrete] [[logsdb-alerts]] == Alerts 
@@ -62,4 +64,4 @@ The following will not work with synthetic source (logsdb index mode enabled): [source,console] ---- "source": """ emit(params._source['agent.name'] + "_____" + doc['agent.name'].value ); """ ----- \ No newline at end of file +----
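Review bot: in the first hunk (`@@ -11,6 +11,8 @@`), the new NOTE's "(see below)" is a loose cross-reference; since the alerts section is anchored as `[[logsdb-alerts]]` right after it, an explicit `<<logsdb-alerts>>` link would be clearer and survive any later reordering of sections. Two wording points in the same admonition: "data ingestion backups" reads as backup copies rather than queued data, so "ingestion backlogs" would be less ambiguous, and "excess hot data tier CPU resource capacity" gives readers no way to judge what "excess" means; if the team has guidance on headroom (or a pointer to the logsdb sizing docs), stating it here would make the warning actionable instead of just cautionary.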
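Review bot: the second hunk (`@@ -62,4 +64,4 @@`) only replaces the final `----` delimiter with the same line terminated by a newline, clearing the "\ No newline at end of file" marker; the listing block itself is unchanged, so this is purely cosmetic and fine to merge. To stop this from recurring across the docs tree, consider enforcing a trailing newline through an `.editorconfig` (`insert_final_newline = true`) or a pre-commit check rather than fixing files one at a time.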