Skip to content

[breaking] Make default_field: false the default for all fields#28596

Merged
adriansr merged 6 commits intoelastic:masterfrom
adriansr:default_fields_false
Nov 6, 2021
Merged

[breaking] Make default_field: false the default for all fields#28596
adriansr merged 6 commits intoelastic:masterfrom
adriansr:default_fields_false

Conversation

@adriansr
Copy link
Copy Markdown
Contributor

@adriansr adriansr commented Oct 21, 2021
edited
Loading

What does this PR do?

Changes the default value of the default_field flag in fields definitions to false. This means that only fields that are explicitly marked with default_fields:true (or their subfields) will be added to the index template' setting.index.query.default_field list.

After this PR, all fields are excluded from default_field, except:

Why is it important?

This is done to reduce the size of the settings.index.query.default_field, which is limited by default to 1024 entries (controlled by indices.query.bool.max_clause_count). When this limit is exceeded, some query types, such as Simple Query String, will fail. Errors can be observed in Kibana when searching without specifying a field.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@adriansr adriansr requested review from a team as code owners October 21, 2021 20:05
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 21, 2021
@adriansr adriansr marked this pull request as draft October 21, 2021 20:05
@mergify mergify bot added the backport-skip Skip notification from the automated backport with mergify label Oct 21, 2021
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 21, 2021
@elastic elastic deleted a comment from mergify bot Oct 21, 2021
@adriansr
Copy link
Copy Markdown
Contributor Author

adriansr commented Oct 21, 2021

Currently a draft until ECS v8.0.0 is released, which includes this necessary change elastic/ecs#1633

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Oct 21, 2021
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2021-11-05T15:37:39.240+0000

  • Duration: 151 min 32 sec

  • Commit: d144ab6

Test stats 🧪

Test Results
Failed 0
Passed 54120
Skipped 5354
Total 59474

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

@adriansr adriansr force-pushed the default_fields_false branch from 2d3318f to d1c14e3 Compare October 21, 2021 21:07
@adriansr adriansr force-pushed the default_fields_false branch from fcf79ef to 6a4f03e Compare November 4, 2021 09:41
@adriansr adriansr added the backport-v8.0.0 Automated backport with mergify label Nov 4, 2021
@adriansr adriansr marked this pull request as ready for review November 4, 2021 18:23
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Nov 4, 2021

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@mergify mergify bot removed the backport-skip Skip notification from the automated backport with mergify label Nov 4, 2021
@adriansr adriansr added the review label Nov 4, 2021
@adriansr adriansr changed the title [Draft][breaking] Make default_field: false the default for all fields [breaking] Make default_field: false the default for all fields Nov 4, 2021
andrewkroh
andrewkroh approved these changes Nov 5, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. It needs a changelog entry.

@adriansr adriansr merged commit 84e668c into elastic:master Nov 6, 2021
mergify bot pushed a commit that referenced this pull request Nov 6, 2021
@adriansr
[breaking] Make default_field: false the default for all fields (#28596)
28241b0 
Changes the default value of the default_field flag in fields definitions to false. This means that only fields that are explicitly marked with default_fields: true (or their subfields) will be added to the index template's setting.index.query.default_field list.

After this PR, all fields are excluded from default_field, except:

- Selected fields from ECS. The ECS team maintains the list of fields that are included.
- Fields for processors.
- Fields for Filebeat inputs.

(cherry picked from commit 84e668c)
@mergify mergify bot mentioned this pull request Nov 6, 2021
Merged
adriansr added a commit that referenced this pull request Nov 8, 2021
@mergify @adriansr
[breaking] Make default_field: false the default for all fields (#28596
ada8eae 
…) (#28855)

Changes the default value of the default_field flag in fields definitions to false. This means that only fields that are explicitly marked with default_fields: true (or their subfields) will be added to the index template's setting.index.query.default_field list.

After this PR, all fields are excluded from default_field, except:

- Selected fields from ECS. The ECS team maintains the list of fields that are included.
- Fields for processors.
- Fields for Filebeat inputs.

(cherry picked from commit 84e668c)

Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
v1v added a commit to v1v/beats that referenced this pull request Nov 8, 2021
@v1v
Merge remote-tracking branch 'upstream/master' into feature/use-arch-…
3afea6c 
…in-the-package-binareis

* upstream/master:
  allows disable pod events enrichment with deployment name (elastic#28521)
  Remove Docker input from Filebeat (elastic#28817)
  [breaking] Make default_field: false the default for all fields (elastic#28596)
  Osquerybeat: Improve osquery client connect code (elastic#28848)
  Add crawler  metrics into the stats metricset for Enterprise Search (elastic#28790)
  Remove the now deprecated appsearch module from metricbeat (elastic#28850)
  Remove Beat generators (elastic#28816)
  chore: upload files to Google Storage when they exist (elastic#28836)
  Revert "chore(ci): disable E2E tests in Beats (elastic#28715)" (elastic#28812)
  Deprecate generating custom Beats (elastic#28814)
  [Metricbeat] upgrade flatbuffers to 1.12.1 (elastic#28094)
  Osquerybeat: Fix restart flags after previously bad config (elastic#28827)
  Force ECS and JSON logging for libbeat/logp (elastic#28573)
  Filebeat: Error on startup for unconfigured module (elastic#28818)
  Deprecate log input in favour of filestream (elastic#28623)
  Fix some spelling mistakes (elastic#28080)
@adriansr adriansr mentioned this pull request Dec 29, 2021
Closed
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
@v1v
Merge remote-tracking branch 'upstream/master' into feature/use-arch-…
061692b 
…in-the-package-binareis

* upstream/master:
  allows disable pod events enrichment with deployment name (elastic#28521)
  Remove Docker input from Filebeat (elastic#28817)
  [breaking] Make default_field: false the default for all fields (elastic#28596)
  Osquerybeat: Improve osquery client connect code (elastic#28848)
  Add crawler  metrics into the stats metricset for Enterprise Search (elastic#28790)
  Remove the now deprecated appsearch module from metricbeat (elastic#28850)
  Remove Beat generators (elastic#28816)
  chore: upload files to Google Storage when they exist (elastic#28836)
  Revert "chore(ci): disable E2E tests in Beats (elastic#28715)" (elastic#28812)
  Deprecate generating custom Beats (elastic#28814)
  [Metricbeat] upgrade flatbuffers to 1.12.1 (elastic#28094)
  Osquerybeat: Fix restart flags after previously bad config (elastic#28827)
  Force ECS and JSON logging for libbeat/logp (elastic#28573)
  Filebeat: Error on startup for unconfigured module (elastic#28818)
  Deprecate log input in favour of filestream (elastic#28623)
  Fix some spelling mistakes (elastic#28080)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

No one assigned

Labels

backport-v8.0.0 Automated backport with mergify review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Make default_field: false the default for v8.0

3 participants

@adriansr @elasticmachine @andrewkroh