Allow customizing managed data streams at different levels of granularity

[felixbarny]

What are we trying to achieve?

On several occasions, we've been discussing to add ways to enable users to customize data streams that are set up via Fleet and via the built-in index templates, without having to create a copy of the index template and taking the onus to maintain the whole index template going forward. Instead, we'd want to offer dedicated extension points for users so that they can configure different settings/mappings/lifecycles at different levels of the data stream naming scheme:

• All data streams (*-*-*)
• All data streams with a certain type ({type}-*-*)
• All data streams with a certain type and dataset ({type}-{dataset}-*)
• All data streams with a certain type, dataset, and namespace ({type}-{dataset}-{namespace})
• All data streams with a certain type and namespace ({type}-*-{namespace})
• All data streams with a certain namespace (*-*-{namespace})

Some concrete use cases:

• A user wants to send the observability signals of their tier 1 applications to a separate namespace to keep the data in the hot tier for longer and to have a longer retention
• Setting the default retention for logs to 30 days and for metrics to 90 days
• Enable synthetic _source for the logs-foo-* data stream that is using the logs-*-* index template, without having to create a copy of the index template with a logs-foo-* index pattern.

Why this should be in Elasticsearch

The previous discussions (elastic/kibana#149484, elastic/kibana#121118) have mostly been focussed on Fleet. But I have a strong preference for not putting this into Fleet but into Elasticsearch so that data streams that are not managed by Fleet (such as the data streams for the built-in index templates logs-*-* and metrics-*-*) can benefit from that as well.

Why is this important

This gets more important in the context of the reroute processor as documents can be routed to data streams that aren't managed by or known to Fleet. Also, we're considering to move APM index templates out of Fleet and into Elasticsearch (see #97546).

A potential solution

I've proposed one potential solution to this here: elastic/kibana#121118 (comment)

Essentially, we'd add a couple of component templates into the index templates that are managed by Fleet and Elasticsearch. For example, the composed_of section of the logs-*-* index template that is built into Elasticsearch would be extended by component templates that have a placeholder in them (exact naming tbd).

  composed_of:
   - logs@custom
   - logs-*-{{data_stream.namespace}}@custom
   - logs-{{data_stream.dataset}}@custom
   - logs-{{data_stream.dataset}}-{{data_stream.namespace}}@custom

Valid placeholders are any constant_keyword fields.

If a user wants to customize a concrete data stream logs-foo-bar, they can create the following component templates:

• logs@custom
• logs-*-bar@custom
• logs-foo@custom
• logs-foo-bar@custom

[elasticsearchmachine]

Pinging @elastic/es-data-management (Team:Data Management)

[BBQigniter]

imho this also relates to #91370

[joshdover]

Big +1 on solving this with an ability to reference a "templated" component template name. I have one suggestion on the solution which may make it a bit simpler.

I think there will be a slight issue with trying to use constant_keyword fields as candidates for replacement variables as those fields themselves may be defined in component templates (and in Fleet's case, are). It's a chicken-and-egg problem of having to lookup the component templates to know which other component templates match. I guess this could be solved by looking up the component templates without variables first, and then matching the rest, but I think it's more complicated than necessary and confusing from a user perspective.

Instead, I'd suggest instead we have some ability to name the wildcards in the main template's index pattern (similar to a named regexp capture group) and then reference those as variables in the composed_of array, like this:

index_patterns:
  - logs-(*:dataset)-(*:namespace)
composed_of:
  - logs@custom
  - logs-*-{{namespace}}@custom
  - logs-{{dataset}}@custom
  - logs-{{dataset}}-{{namespace}}@custom

I think this is simpler, more obvious, and less tied to any specific convention. It also has the nice side benefit that it constrains the possibilities to only strings that appear in the actual name of the index/data stream, rather than fields in the document that may not be part of the index name.

[joshdover]

@BBQigniter do you think this will fully solve the problems described in #91370 or is there more we need to accommodate?

[BBQigniter]

@joshdover not completely sure but your proposal looks good for me :)

[felixbarny]

Instead, I'd suggest instead we have some ability to name the wildcards in the main template's index pattern (similar to a named regexp capture group) and then reference those as variables in the composed_of array

Seems like a much better and simpler idea compared to relying on constant_keyword fields! Love it!

From what I can tell, these are some aspects of #91370 that this proposal wouldn't tackle:

• Having separate component templates for different ECS namespaces. However, we're moving towards using dynamic template-based approach to mapping ECS fields: [Logs+] Adding ECS dynamic templates #96171, Dynamic ECS mapping progress integrations#5055
• Customize data streams at the integration granularity. While this proposal allows to customize at the data stream level, if an integration contains multiple data streams, you can't easily apply configurations to all data streams of an integration. I suppose this can be achieved by Fleet automatically adding a custom component template for an integration.

[joshdover]

Customize data streams at the integration granularity. While this proposal allows to customize at the data stream level, if an integration contains multiple data streams, you can't easily apply configurations to all data streams of an integration. I suppose this can be achieved by Fleet automatically adding a custom component template for an integration.

Fleet adding an explicit component template would work.

Another option would be to make the dotted part of the dataset part of the pattern, so you could something like this (not sure I like the names I used, but you get the idea):

index_patterns:
  - logs-(*:dataset_prefix).(*:dataset_suffix)-(*:namespace)
composed_of:
  - logs@custom
  - logs-*-{{namespace}}@custom
  - logs-{{dataset_prefix}}@custom
  - logs-{{dataset_prefix}}.{{dataset_suffix}}@custom
  - logs-{{dataset_prefix}}.{{dataset_suffix}}-{{namespace}}@custom

I've wondered if the two-parted dataset should be part of the DSNS convention or not - we use this pattern fairly consistently, though not everywhere.

[felixbarny]

As not all datasets have a prefix and suffix separated by a dot, the logs-*.*-* index pattern wouldn't match all data streams.

But either way, it seems the placeholders in component template references could also be used to add extension points to all data streams of an integration.

[ruflin]

++ on moving forward with the placeholder approach. It will not solve all problems but I think it will solve quite a few.

@dakrone Would be great to get your feedback on this.

[dakrone]

Thanks for bringing this up Felix, and others for the discussion so far. We met today as a team to discuss this. We have a couple of reservations and some thoughts I'll try to share.

First, the proposed solution of having placeholders where wildcards are essentially "captured" (the logs-(*:dataset_prefix).(*:dataset_suffix)-(*:namespace) suggestion), I don't think this is going to be a good solution. We rely on knowing exactly how templates are composed in order to be able to validate changes to both index and component templates when they're added/updated/removed. If we went with the pattern capturing solution it would mean that we could no longer validate the templates, because we wouldn't know what the composition is going to be until index or data stream creation time.

Second, the other option that I see currently would be for us to use a naming scheme for customizing component templates, for example, we'd change all of our logs integrations and built-in templates to reference the logs@custom component template, so that any user-customization can be done there. We'd do this at varying levels of granularity, so we'd end up with a logs-nginx@custom one for the Nginx integration, and so on. This would require Fleet to specify the correct names of the customization when installing an integration. This would be better than the previous solution, since we would still be able to validate both component and index templates. ...@custom component templates would not have to exist because we can specify in the index template to skip failing before they're created.

The challenging part of the second solution is that we run into a composition problem when it comes to a change that a user wants to make with respect to a particular attribute of a data stream. For example, imagine a user that wants to make a change to the "global" data stream configuration, to set a project-level retention to all *-*-* data. Ideally this would mean they would add a {"data_retention": "30d"} configuration to a global@custom component template. But what happens when this global component template is composed into an index template that does not specify "data_stream": {} in its configuration? Or an index template that is managed but that disables data stream lifecycles? We could either be lenient and allow the composition, ignoring it (which is unfortunate because it introduces leniency), or disallow it and force a user to reckon with varying configuration parameters at different levels of granularity that may or may not be allowed. The example is for retention, but it can be extrapolated to any template configuration such as index settings, mappings, or aliases. Depending on how strict and exactly how we want to use the ...@custom component templates, we make minimize or increase the chance of this risk.

I don't think the placeholder meets the needs we have without introducing unacceptable leniency. The second is more workable but has some pieces and use-cases that we'd need to work through to make sure that we don't end up with a rigid or brittle system. What do you think?