Wazuh Indexer Searchable Snapshots

Pradeep

Jan 11, 2023, 2:40:52 AM
to Wazuh mailing list
Hi team,

Is there a way to search data stored in snapshots?
Searchable snapshots - OpenSearch documentation

In the above reference, OpenSearch made this possible in their latest update.
Using the same, we have done the following:
  1. Update config/jvm.options by adding the following line:

    -Dopensearch.experimental.feature.searchable_snapshot.enabled=true

  2. Finally, create a node in your opensearch.yml file and define the node role as search:

    node.name: snapshots-node
    node.roles: [ search ]

After doing the same and restarting the indexer, we are getting an error of undefined role 'search'.
We suppose it is incompatible with the current version.

Basically, what we are trying to achieve is to put all the cold data in object storage and store only the hot data in the Wazuh indexer. The first step was to store data in S3, which we did; next is to make it searchable.
So, if there is any other way of doing the same, do let us know.

Thanks,
Pradeep

Juan Carlos Tello

Jan 27, 2023, 12:33:14 PM
to Pradeep, Wazuh mailing list
Hello Pradeep,

Indeed, as you suppose, this is not compatible with Wazuh Indexer yet. Wazuh Indexer v4.3.10 is based on OpenSearch 1.2.4 and the feature you're asking for was introduced as an experimental feature on OpenSearch 2.4.0.
Our upcoming release (v4.4.0) will be based on OpenSearch 2.4.1 as specified here: https://github.com/wazuh/wazuh-packages/tree/4.4#distribution-version-matrix, so this feature will be available soon.

Best Regards,
Juan C. Tello
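
A pre-flight check for the two configuration steps in this thread, written as an added example (not code from the posters or from the Wazuh or OpenSearch projects): it reports when `node.roles` asks for `search` on a base version older than the 2.4.0 named in the reply, or when the jvm.options flag is missing. The function names and sample inputs are constructed for illustration, and the OpenSearch base version is assumed to be supplied by the operator, for example from the distribution version matrix linked above.

```python
import re

# Per the reply above: searchable snapshots first appeared (experimental) in OpenSearch 2.4.0.
MIN_VERSION = (2, 4, 0)
FLAG = "-Dopensearch.experimental.feature.searchable_snapshot.enabled=true"


def parse_version(text: str) -> tuple:
    """Turn '2.4.1' (optionally with a suffix such as '-SNAPSHOT') into (2, 4, 1)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def configured_roles(opensearch_yml: str) -> list:
    """Read an inline `node.roles: [ a, b ]` list; commented-out lines do not match."""
    m = re.search(r"^\s*node\.roles:\s*\[(.*?)\]", opensearch_yml, re.M)
    return [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []


def flag_enabled(jvm_options: str) -> bool:
    """True if the experimental feature flag is present as its own line."""
    return any(line.strip() == FLAG for line in jvm_options.splitlines())


def preflight(base_version: str, opensearch_yml: str, jvm_options: str) -> list:
    """Return a list of problems; empty means no version or flag problem was found."""
    problems = []
    version = parse_version(base_version)
    wants_search = "search" in configured_roles(opensearch_yml)
    if wants_search and version < MIN_VERSION:
        problems.append("role 'search' is undefined on %d.%d.%d; needs >= 2.4.0" % version)
    if wants_search and not flag_enabled(jvm_options):
        problems.append("experimental flag missing from jvm.options")
    return problems


# Constructed sample inputs mirroring the thread (not read from a real node).
YML = "node.name: snapshots-node\nnode.roles: [ search ]\n"
JVM = "-Xms1g\n" + FLAG + "\n"

if __name__ == "__main__":
    print(preflight("1.2.4", YML, JVM))  # base of Wazuh Indexer v4.3.10
    print(preflight("2.4.1", YML, JVM))  # base of Wazuh Indexer v4.4.0
```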
