Too many fields in template's default_fields

[andrewkroh]

In Filebeat we are close to going over 1024 fields in the default_field setting in Elasticsearch index template. This issue could affect other Beats too in the future (most likely Metricbeat). This will cause certain queries to the index to fail with an exception like:

"caused_by": {
      "type": "illegal_argument_exception",
      "reason": "field expansion matches too many fields, limit: 1024, got: 1293"
}

In Beats when the index template is generated it automatically adds all text and keyword fields to the default_field list.

beats/libbeat/template/processor.go

Line 106 in cbd7749

addToDefaultFields(&field)

We need a plan to deal with the growing number of fields in default_field. This issue is causing problems for me because I'm adding fields from CEF to the fields.yml.

[andrewkroh]

I propose adding a new optional setting to the fields.yml file that will allow specifying that a field, or a group of fields, should not be included in the default_field. This will keep the existing behavior for now (added by default) and allow developers to exclude if needed.

        - name: extensions
          type: group
          include_in_default_field: false
          description: >
            Collection of key-value pairs carried in the CEF extension field.
          fields:
            - name: agentAddress
              type: ip
              description: The IP address of the ArcSight connector that processed the event.

Any suggestions on naming for the param? I'm not too keen on include_in_default_field, but it's what I thought of initially.

@ruflin @tsg Thoughts?

[ruflin]

Good you found this, was not aware of the limit. And it seems it can only be changed on query time: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-top-level-params Does this mean already today if someone queries across metricbeat-*,filebeat-* he would hit this limit? If yes, this would probably have wider implications. The good news is, that it looks like with the new package manager we will have 1 index per input, so the number of fields overall will be much lower.

I like the proposed solution as a short term solution but I think we need also a more scalable long term to follow up with.

Naming: What about just using default_field: true?

@skh This is also relavant for you moving the logic to Kibana.

[andrewkroh]

Filebeat is actually broken now in master. I thought it was my additions causing the problem but in master we already have 1175 default fields.

+1 on default_field as the name. I have added that logic and it's working for me. I now need to go find the fields that were recently added in master and remove some of them from the default field list to get the number back below 1024.

Longer term if we move to an index per module indexing strategy then this should not be a problem.

[ph]

@andrewkroh sound like a good strategy / bandaid. We are on borrowed time here, maybe we should also goes through existing modules in filebeat and see if any fields could be removed from the list.

also +1 on naming default_field

[ph]

Just adding a note here so do not lose track, it's possible that 7.x is broken too in #14298

Also, that error is probably testable by just doing a query on Elasticsearch OR check the number of f default fields in the generated template. So we need to add a guard on theses cases.

[ruflin]

@ph We should definitively add something like this to our CI. It's kind of bad that we only realised it 151 fields too late.

[ph]

@ruflin yes, what concern me is, that error is only raised at query time. Maybe it should also validated when we push the template? Maybe its because users can change that limit on the fly they do not validate it at insert.

[ruflin]

@ph I think the argument here is that it is a query time parameter. So an index with 3000 default_fields is totally fine as long as the query param will be adjusted. Also 3000 fields could come from multiple indices with multiple templates. But I share your sentiment, that perhaps there should be a more global option around how many default_fields in a template are allowed and a warning / error in this case.