Cherry-pick #14341 to 7.x: Add default_field option to fields.yml #14710

Closed
wants to merge 1 commit into from

Commits on Nov 22, 2019

  1. Add default_field option to fields.yml (elastic#14341)

    * Add default_field option to fields.yml
    
    The number of fields in the Elasticsearch index template's `settings.index.query.default_field` option has grown over time, and is now greater than 1024 in Filebeat (Elastic licensed version). This causes queries to Elasticsearch to fail when a list of fields is not specified because there is a default limit of 1024 in Elasticsearch.
    
    This adds a new setting to fields.yml called `default_field` whose value can be true/false (defaults to true). When true the text/keyword fields are added to the `default_field` list (as was the behavior before this change). And when set to false the field is omitted from the default_field list.
    
    This adds a test for every beat to check if the default_field list contains more than 1000 fields. The limit is a little less than 1024 because `fields.*` is in the default_field list already and at query time that wildcard will be expanded and count toward the limit.
    
    Fixes elastic#14262
    
    * Exclude new zeek datasets from default_field list
    
    (cherry picked from commit 9f21b96)
    andrewkroh committed Nov 22, 2019
    54341b1
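
The check described in the commit message, as an added example that is not code from the Beats repository: it collects the text/keyword fields that would land in `default_field` and compares the count with the 1000-field threshold. It assumes fields.yml is already loaded into nested dicts, that groups use `type: group` with a `fields` list, and that a group's `default_field` value is inherited by its children; the sample field names are constructed.

```python
# Added example, not Beats code. Structure and inheritance rule are assumptions.
DEFAULT_FIELD_TYPES = {"text", "keyword"}  # field types named in the commit message
MAX_DEFAULT_FIELDS = 1000                  # test threshold named in the commit message


def default_fields(fields, prefix="", inherited=True):
    """Return dotted names of text/keyword fields not excluded by default_field."""
    names = []
    for field in fields:
        name = prefix + field["name"]
        # An explicit default_field wins; otherwise use the parent's value
        # (assumed inheritance), which is true at the top level.
        enabled = field.get("default_field", inherited)
        if field.get("type") == "group":
            names += default_fields(field.get("fields", []), name + ".", enabled)
        elif enabled and field.get("type") in DEFAULT_FIELD_TYPES:
            names.append(name)
    return names


def check_limit(fields, limit=MAX_DEFAULT_FIELDS):
    """Return (within_limit, count) for the computed default_field list."""
    count = len(default_fields(fields))
    return count <= limit, count


# Constructed sample: a whole group opted out, with one field opted back in.
SAMPLE = [
    {"name": "message", "type": "text"},
    {"name": "zeek", "type": "group", "default_field": False, "fields": [
        {"name": "session_id", "type": "keyword"},
        {"name": "dns", "type": "group", "fields": [
            {"name": "query", "type": "keyword", "default_field": True},
            {"name": "rtt", "type": "double"},
        ]},
    ]},
    {"name": "event", "type": "group", "fields": [
        {"name": "duration", "type": "long"},
        {"name": "module", "type": "keyword"},
        {"name": "original", "type": "keyword", "default_field": False},
    ]},
]

if __name__ == "__main__":
    print(default_fields(SAMPLE))
    print(check_limit(SAMPLE))
```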