From 86876da834b03227a778b649650a2b7ebb4b374b Mon Sep 17 00:00:00 2001
From: Fae Charlton <fae.charlton@elastic.co>
Date: Tue, 5 Dec 2023 11:27:21 -0500
Subject: [PATCH] make update

---
 x-pack/auditbeat/auditbeat.reference.yml | 21 ++++++++++++++++++---
 x-pack/auditbeat/auditbeat.yml           |  4 ++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml
index 09b343d8fe28..783cb557e076 100644
--- a/x-pack/auditbeat/auditbeat.reference.yml
+++ b/x-pack/auditbeat/auditbeat.reference.yml
@@ -506,7 +506,15 @@ output.elasticsearch:
   # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
   hosts: ["localhost:9200"]
 
+  # Performance presets configure other output fields to recommended values
+  # based on a performance priority.
+  # Options are "balanced", "throughput", "scale", "latency" and "custom".
+  # Default if unspecified: "custom"
+  preset: balanced
+
   # Set gzip compression level. Set to 0 to disable compression.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
   # The default is 1.
   #compression_level: 1
 
@@ -527,6 +535,8 @@ output.elasticsearch:
     #param2: value2
 
   # Number of workers per Elasticsearch host.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
   #worker: 1
 
   # If set to true and multiple hosts are configured, the output plugin load
@@ -564,8 +574,10 @@ output.elasticsearch:
   #max_retries: 3
 
   # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
-  # The default is 50.
-  #bulk_max_size: 50
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1600.
+  #bulk_max_size: 1600
 
   # The number of seconds to wait before trying to reconnect to Elasticsearch
   # after a network error. After waiting backoff.init seconds, the Beat
@@ -581,7 +593,10 @@ output.elasticsearch:
   # The maximum amount of time an idle connection will remain idle
   # before closing itself.  Zero means use the default of 60s. The
   # format is a Go language duration (example 60s is 60 seconds).
-  # idle_connection_timeout: 60s
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 3s.
+  # idle_connection_timeout: 3s
 
   # Configure HTTP request timeout before failing a request to Elasticsearch.
   #timeout: 90
diff --git a/x-pack/auditbeat/auditbeat.yml b/x-pack/auditbeat/auditbeat.yml
index c84640539dc7..7bdea6578cc7 100644
--- a/x-pack/auditbeat/auditbeat.yml
+++ b/x-pack/auditbeat/auditbeat.yml
@@ -148,6 +148,10 @@ output.elasticsearch:
   # Array of hosts to connect to.
   hosts: ["localhost:9200"]
 
+  # Performance preset - one of "balanced", "throughput", "scale",
+  # "latency", or "custom".
+  preset: balanced
+
   # Protocol - either `http` (default) or `https`.
   #protocol: "https"