-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[breaking] Make default_field: false the default for all fields #28596
Conversation
Currently a draft until ECS v8.0.0 is released, which includes this necessary change elastic/ecs#1633 |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
2d3318f
to
d1c14e3
Compare
fcf79ef
to
6a4f03e
Compare
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. It needs a changelog entry.
Changes the default value of the default_field flag in fields definitions to false. This means that only fields that are explicitly marked with default_fields: true (or their subfields) will be added to the index template's setting.index.query.default_field list. After this PR, all fields are excluded from default_field, except: - Selected fields from ECS. The ECS team maintains the list of fields that are included. - Fields for processors. - Fields for Filebeat inputs. (cherry picked from commit 84e668c)
…) (#28855) Changes the default value of the default_field flag in fields definitions to false. This means that only fields that are explicitly marked with default_fields: true (or their subfields) will be added to the index template's setting.index.query.default_field list. After this PR, all fields are excluded from default_field, except: - Selected fields from ECS. The ECS team maintains the list of fields that are included. - Fields for processors. - Fields for Filebeat inputs. (cherry picked from commit 84e668c) Co-authored-by: Adrian Serrano <[email protected]>
…in-the-package-binareis * upstream/master: allows disable pod events enrichment with deployment name (elastic#28521) Remove Docker input from Filebeat (elastic#28817) [breaking] Make default_field: false the default for all fields (elastic#28596) Osquerybeat: Improve osquery client connect code (elastic#28848) Add crawler metrics into the stats metricset for Enterprise Search (elastic#28790) Remove the now deprecated appsearch module from metricbeat (elastic#28850) Remove Beat generators (elastic#28816) chore: upload files to Google Storage when they exist (elastic#28836) Revert "chore(ci): disable E2E tests in Beats (elastic#28715)" (elastic#28812) Deprecate generating custom Beats (elastic#28814) [Metricbeat] upgrade flatbuffers to 1.12.1 (elastic#28094) Osquerybeat: Fix restart flags after previously bad config (elastic#28827) Force ECS and JSON logging for libbeat/logp (elastic#28573) Filebeat: Error on startup for unconfigured module (elastic#28818) Deprecate log input in favour of filestream (elastic#28623) Fix some spelling mistakes (elastic#28080)
…in-the-package-binareis * upstream/master: allows disable pod events enrichment with deployment name (elastic#28521) Remove Docker input from Filebeat (elastic#28817) [breaking] Make default_field: false the default for all fields (elastic#28596) Osquerybeat: Improve osquery client connect code (elastic#28848) Add crawler metrics into the stats metricset for Enterprise Search (elastic#28790) Remove the now deprecated appsearch module from metricbeat (elastic#28850) Remove Beat generators (elastic#28816) chore: upload files to Google Storage when they exist (elastic#28836) Revert "chore(ci): disable E2E tests in Beats (elastic#28715)" (elastic#28812) Deprecate generating custom Beats (elastic#28814) [Metricbeat] upgrade flatbuffers to 1.12.1 (elastic#28094) Osquerybeat: Fix restart flags after previously bad config (elastic#28827) Force ECS and JSON logging for libbeat/logp (elastic#28573) Filebeat: Error on startup for unconfigured module (elastic#28818) Deprecate log input in favour of filestream (elastic#28623) Fix some spelling mistakes (elastic#28080)
What does this PR do?
Changes the default value of the
default_field
flag in fields definitions to false. This means that only fields that are explicitly marked withdefault_fields:true
(or their subfields) will be added to the index template'setting.index.query.default_field
list.After this PR, all fields are excluded from default_field, except:
Why is it important?
This is done to reduce the size of the
settings.index.query.default_field
, which is limited by default to 1024 entries (controlled byindices.query.bool.max_clause_count
). When this limit is exceeded, some query types, such as Simple Query String, will fail. Errors can be observed in Kibana when searching without specifying a field.Checklist
[x] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration files[ ] I have added tests that prove my fix is effective or that my feature worksCHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Related issues