From 36d09e9b739b512d030783867cfcf48a0ee2ef96 Mon Sep 17 00:00:00 2001
From: Salvatore Campagna
Date: Wed, 2 Oct 2024 15:30:46 +0200
Subject: [PATCH] host.id has lower cardinality

host.hostname has cardinality 100 while host.id has cardinality 50. This happen because in the dataset there is a host.if per each couple ho hostnames, like a single host.id and for each of them two hostnames like 'dustin.windows' and 'dustin.linux'. This is probably an artifact of the data generation script.

Lower cardinality fields might:
* reduce sorting overhead due to less comparisons
* improve compression due to more data clustering together

This change should at least allow us if there is any benefit in choosing a lower cardinality field.
---
 .../security/templates/component/track-shared-logsdb-mode.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/elastic/security/templates/component/track-shared-logsdb-mode.json b/elastic/security/templates/component/track-shared-logsdb-mode.json
index adc476be..95f598f4 100644
--- a/elastic/security/templates/component/track-shared-logsdb-mode.json
+++ b/elastic/security/templates/component/track-shared-logsdb-mode.json
@@ -9,7 +9,7 @@
 "synthetic_source_keep": "{{ synthetic_source_keep }}"
 },
 {% endif %}
-"sort.field": [ "host.hostname", "@timestamp" ],
+"sort.field": [ "host.id", "@timestamp" ],
 "sort.order": [ "asc", "desc" ],
 "sort.missing": ["_first", "_last"]
 }
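Review bot: The new `"sort.field"` line hard-codes `host.id`, which replaces one sort key with the other instead of enabling the comparison the commit message says it wants; since this template already takes Jinja variables (`{{ synthetic_source_keep }}`, `{% endif %}`), the sort key could be parameterised with a default that keeps the old behaviour, e.g. `"sort.field": [ "{{ sort_field | default('host.hostname') }}", "@timestamp" ],`, so both variants can be benchmarked from the same track file. Two caveats worth recording next to the setting: the commit message itself says the 2:1 hostname-to-id ratio is probably an artifact of the data generator, so any sort or compression gain measured here may not carry over to real host.id data, and a short comment in the commit or track docs saying so would stop the result being over-read. Index sorting also requires the sort field to be mapped as a single-valued doc-values field; the mapping for `host.id` is not in this hunk, so confirm it is a `keyword` (not `text`) in the track's mapping template, otherwise index creation will fail rather than silently fall back. The settings object that contains these keys begins before the start of the hunk.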