Export results from query that is more than the default maxClauseCount

Hi,

I have this issue where, for my needs, I am required to export all the rules from Elastic Security and keep them locally, which I use this command to achieve: POST api/detection_engine/rules/_export. However, the main problem is that the rules I want to export amount to 2000+ rules (and counting), more than the default maxClauseCount limit of 1024, so I tend to get the error below:

{"message":"all shards failed: search_phase_execution_exception: [query_shard_exception] Reason: failed to create query: maxClauseCount is set to 1024","status_code":400}

Is there any other workaround to query more than 1024 items without needing to change the maxClauseCount setting? Even the documentation does not recommend changing the limit, as it may degrade CPU and RAM performance, so I am trying my best not to go that route. Any pointers would be appreciated!

Also, an additional question: are the rules stored under an index? I ask because I seem not to be able to find the index that stores the rules.
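One way to stay under the limit without touching the cluster setting is to export the rules in batches, each naming fewer rule_ids than maxClauseCount. The script below is an added example, not code from the original post or from Elastic. It assumes the rules _find endpoint (GET api/detection_engine/rules/_find, paged with page and per_page, returning page/perPage/total/data), the exclude_export_details query parameter on the _export endpoint, that each rule_id listed in an export request contributes one clause to the underlying query, API-key authentication, and the KIBANA_URL and KIBANA_API_KEY environment variable names. The paging and batching logic takes the HTTP calls as injected functions so it can be checked offline.

```python
# Added example (not from the original post): export Elastic Security detection
# rules in batches so that no single export request names more rule_ids than
# Elasticsearch's default maxClauseCount (1024) allows.
import json
import os
import urllib.request
from typing import Callable, Dict, List

DEFAULT_MAX_CLAUSE_COUNT = 1024   # Elasticsearch default, as quoted in the error message
BATCH_SIZE = 500                  # comfortably below the limit


def batch_rule_ids(rule_ids: List[str], batch_size: int = BATCH_SIZE) -> List[List[str]]:
    """Split rule_ids into chunks of at most batch_size entries.

    Assumption: each rule_id in an export request becomes one clause of the
    underlying Elasticsearch query, so every batch must stay below
    maxClauseCount for the export to succeed.
    """
    if not 0 < batch_size < DEFAULT_MAX_CLAUSE_COUNT:
        raise ValueError("batch_size must be between 1 and %d" % (DEFAULT_MAX_CLAUSE_COUNT - 1))
    return [rule_ids[i:i + batch_size] for i in range(0, len(rule_ids), batch_size)]


def collect_rule_ids(find_page: Callable[[int, int], Dict], per_page: int = 100) -> List[str]:
    """Page through the rules _find endpoint and return every rule_id.

    find_page(page, per_page) must return the _find response body
    ({"page", "perPage", "total", "data": [...]}); it is injected so this
    logic can be exercised without a Kibana instance.
    """
    ids: List[str] = []
    page = 1
    while True:
        body = find_page(page, per_page)
        ids.extend(rule["rule_id"] for rule in body["data"])
        if not body["data"] or page * per_page >= body["total"]:
            return ids
        page += 1


def export_in_batches(export_batch: Callable[[List[str]], str], rule_ids: List[str],
                      batch_size: int = BATCH_SIZE) -> str:
    """Call export_batch once per chunk and concatenate the NDJSON results.

    Assumption: Kibana may append an export-details summary line (identified
    here by its "exported_count" key) to each response; such lines are dropped
    so the combined file contains only rule objects.
    """
    lines: List[str] = []
    for batch in batch_rule_ids(rule_ids, batch_size):
        for line in export_batch(batch).splitlines():
            if not line.strip():
                continue
            if "exported_count" in json.loads(line):
                continue
            lines.append(line)
    return "\n".join(lines) + "\n"


# --- HTTP helpers (assumed endpoints and headers; only used from main) ---

def _kibana_request(base_url: str, api_key: str, method: str, path: str, body=None) -> str:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("kbn-xsrf", "true")               # required by Kibana for API writes
    req.add_header("Authorization", "ApiKey " + api_key)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()


def kibana_find_page(base_url: str, api_key: str, page: int, per_page: int) -> Dict:
    path = "/api/detection_engine/rules/_find?page=%d&per_page=%d" % (page, per_page)
    return json.loads(_kibana_request(base_url, api_key, "GET", path))


def kibana_export(base_url: str, api_key: str, rule_ids: List[str]) -> str:
    path = "/api/detection_engine/rules/_export?exclude_export_details=true"
    body = {"objects": [{"rule_id": r} for r in rule_ids]}
    return _kibana_request(base_url, api_key, "POST", path, body)


if __name__ == "__main__":
    base, key = os.environ["KIBANA_URL"], os.environ["KIBANA_API_KEY"]
    all_ids = collect_rule_ids(lambda p, n: kibana_find_page(base, key, p, n))
    ndjson = export_in_batches(lambda b: kibana_export(base, key, b), all_ids)
    with open("rules_export.ndjson", "w", encoding="utf-8") as fh:
        fh.write(ndjson)
    print("exported %d rules in %d batches" % (len(all_ids), len(batch_rule_ids(all_ids))))
```

The batch size is deliberately left at 500 rather than 1023: the error counts every clause in the generated query, not only the rule_id terms, so a margin keeps the export from failing if Kibana adds its own filters to the request.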
