Version: 4.3

General Recommendations

Scheduling Configuration

When there are a large number of search tasks, it is recommended to schedule their execution with different offsets. This will help distribute the search load on the cluster over time.

Limiting the Number of Results

If the search query of a task does not use aggregations, it is recommended to limit the size of the returned sample using the qsize parameter. This will help avoid situations where an unexpectedly large number of results and their processing by active actions can negatively impact system performance.

Search Interval

Specify a time interval for the search query with a margin. For example, if the search task is run every 5 minutes, the search interval should be set for the last 10 or 15 minutes. Duplicate events that occur due to overlapping search time intervals can be filtered using the suppression mechanism. This practice will help avoid potential missed triggers of the search task due to unstable cluster operation, inaccuracies in timestamps, or slightly misconfigured time settings on hosts.
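The following Python simulation is an added illustration, not code from the product documentation: it models a search task that runs every 5 minutes, shows how an event whose indexing lags its timestamp is lost when the search interval equals the period but caught when the interval has a margin, and uses an id-based suppression set to drop the duplicates that overlapping intervals produce. It also spreads several tasks across one period as the scheduling recommendation suggests. The event data and the three-minute indexing lag are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    event_id: str
    ts: datetime          # timestamp written by the source host
    indexed_at: datetime  # moment the event became searchable in the cluster


@dataclass
class SearchTask:
    period: timedelta                        # how often the task runs
    lookback: timedelta                      # width of the search interval per run
    seen: set = field(default_factory=set)   # suppression state: ids already acted on
    suppressed: int = 0                      # duplicates dropped by suppression

    def run(self, now: datetime, events: list) -> list:
        """One execution: search [now - lookback, now) and return only unseen hits."""
        start = now - self.lookback
        # Only events already indexed at run time are visible to the query.
        hits = [e for e in events if start <= e.ts < now and e.indexed_at <= now]
        new = [e for e in hits if e.event_id not in self.seen]
        self.suppressed += len(hits) - len(new)
        self.seen.update(e.event_id for e in new)
        return new


def stagger_offsets(task_count: int, period_minutes: float) -> list:
    """Spread task_count tasks evenly over one period instead of starting them all at :00."""
    return [period_minutes * i / task_count for i in range(task_count)]


def simulate(lookback_minutes: int) -> tuple:
    """Run a 5-minute task three times over constructed events.

    Returns (ids that triggered actions, number of duplicates suppressed)."""
    t0 = datetime(2024, 1, 1, 12, 0)

    def m(minutes):  # helper: t0 plus the given number of minutes
        return t0 + timedelta(minutes=minutes)

    events = [  # constructed sample: e2 is indexed 3 minutes after its timestamp
        Event("e1", ts=m(1), indexed_at=m(1)),
        Event("e2", ts=m(4), indexed_at=m(7)),
        Event("e3", ts=m(8), indexed_at=m(8)),
    ]
    task = SearchTask(period=timedelta(minutes=5), lookback=timedelta(minutes=lookback_minutes))
    fired = []
    for k in (1, 2, 3):  # runs at 12:05, 12:10 and 12:15
        fired += [e.event_id for e in task.run(m(5 * k), events)]
    return fired, task.suppressed


if __name__ == "__main__":
    print("lookback = period (5 min):   ", simulate(5))   # e2 is never caught
    print("lookback = 3x period (15 min):", simulate(15))  # each event fires exactly once
    print("offsets for 4 tasks per 20 min:", stagger_offsets(4, 20))
```

With a 5-minute interval the late-indexed event e2 falls outside every window; with a 15-minute interval it is caught on the second run, and the three duplicates the overlap creates are dropped by suppression.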