Deleting searchguard/signals indexes and recreating

Several of our searchguard/signals indexes were created with too many shards (16 and 32 shards that were inherited from a default template).

1. If we delete the indexes, will they be automatically recreated?
   .searchguard_resource_owner
   .signals_accounts
   .signals_settings
   .signals_watches
   .signals_watches_state

2. Is there a sample curl command using the admin certificate? We have tried but have had zero success trying to figure this out.

3. How large do the signals indexes get? We have not started using signals yet so our signals indexes are 0 documents. But when creating we want to be sure to provision sufficient shards.
   .signals_accounts
   .signals_settings
   .signals_watches
   .signals_watches_state

Hi @brian Which versions of searchguard are you using? I’ve tested with SG45.1.0 (ES7.9.1) See comments below:

1. if deleted, the indexes will indeed be recreated automatically, however I don’t have .searchguard_resource_owner index when running a basic signal. So can’t comment on this one.

2. Sample curl command to delete index:

curl -XDELETE "https://localhost:9200/.signals_settings" \
   --key "path/to/kirk-key.pem" \
   --cert "path/to/kirk.pem" \
   --cacert "path/to/root-ca.pem"

3. The indexes in question do not grow large at all, however .signals_watches_trigger_state and .signals_log_* depend on the activity levels of course.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.