[Fleet] Improve default values for component templates

[ruflin]

Fleet installs packages and with it Elasticsearch index and component templates. This issue is to discuss potential improvements to the templates settings. Mapping improvements should be discussed separately. Below is a current example for metrics-system.cpu. The following entries I would like to discuss:

• mapping.total_fields.limit: This is set to 10000 likely because it was set that way in Beats. Because of the new data stream naming scheme I assume we don't need this anymore and can remove it and just use the default?
• refresh_interval: This is set to 5s. I would assume this could be removed and just use the default. This could lead to better ingest performance.
• number_of_shards: This is set to 1. But AFAIK by now Elasticsearch also uses 1 as the default, so this could be removed?
• query.default_field: We have stored in here all the keywords if I remember correctly. It is used to define what fields should be queried on when no field is used in the search bar. Do we still need this or could query just on all fields as now each data stream has less fields? @andrewkroh might also remember more here.
• number_of_routing_shards: This is set to 30 and likely was copied from Beats as we required this in the early days to split up shards. Is this still needed? If yes, what should it be set to?

Any other entries we should discuss further?

Component template example from metrics-system.cpu:

{
  "index": {
    "lifecycle": {
      "name": "metrics"
    },
    "codec": "best_compression",
    "mapping": {
      "total_fields": {
        "limit": "10000"
      }
    },
    "refresh_interval": "5s",
    "number_of_shards": "1",
    "query": {
      "default_field": [
        "cloud.account.id",
        "cloud.availability_zone",
        "cloud.instance.id",
        "cloud.instance.name",
        "cloud.machine.type",
        "cloud.provider",
        "cloud.region",
        "cloud.project.id",
        "cloud.image.id",
        "container.id",
        "container.image.name",
        "container.name",
        "host.architecture",
        "host.domain",
        "host.hostname",
        "host.id",
        "host.mac",
        "host.name",
        "host.os.family",
        "host.os.kernel",
        "host.os.name",
        "host.os.platform",
        "host.os.version",
        "host.os.build",
        "host.os.codename",
        "host.os.full",
        "host.type"
      ]
    },
    "number_of_routing_shards": "30"
  }
}

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[ruflin]

@jpountz It would be great to get your input on the above from an Elasticsearch perspective.

[jpountz]

mapping.total_fields.limit: This is set to 10000 likely because it was set that way in Beats. Because of the new data stream naming scheme I assume we don't need this anymore and can remove it and just use the default?

+1 This limit is per-index, so it shouldn't be needed anymore.

refresh_interval: This is set to 5s. I would assume this could be removed and just use the default. This could lead to better ingest performance.

You are correct. I actually had the opportunity to benchmark the difference between refresh_interval: 5s and refresh_interval unset, and the latter had a 12% better indexing throughput with the solutions/logs track that our performance team maintains that tries to replicate a Logging use-case.

number_of_shards: This is set to 1. But AFAIK by now Elasticsearch also uses 1 as the default, so this could be removed?

Yes please remove. This should ultimately be managed via CPU-based autoscaling.

number_of_routing_shards: This is set to 30 and likely was copied from Beats as we required this in the early days to split up shards. Is this still needed? If yes, what should it be set to?

It was required in the beginning because 6.x releases after we released index shrinking used to set number_of_routing_shards = number_of_shards for backwards compatibility, which meant that you could only shrink the number of shards, never expand it. But this is no longer necessary as Elasticsearch automatically computes a sensible value for the number of routing shards based on the number of shards.

So +1 on my end to remove all these settings and rely on defaults instead.