Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet] ignore_above should not be added to fields with 'index: false' #136982

Closed
andrewkroh opened this issue Jul 22, 2022 · 3 comments · Fixed by #141442
Closed

[Fleet] ignore_above should not be added to fields with 'index: false' #136982

andrewkroh opened this issue Jul 22, 2022 · 3 comments · Fixed by #141442
Assignees
@nchaulet
Labels
bug Fixes for quality problems that affect the customer experience Feature:EPM Fleet team's Elastic Package Manager (aka Integrations) project Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@andrewkroh
Copy link
Member

Kibana version: main / 8.4.0-SNAPHSOT / ac15ee4

Describe the bug:

EPM adds a default ignore_above: 1024 to fields when they are not indexed. If a field is defined with index: false then EPM should not add ignore_above. We can see in this in event.original which is not indexed:

{
  "mappings": {
    "event.original": {
      "full_name": "event.original",
      "mapping": {
        "original": {
          "type": "keyword",
          "index": false,
          "doc_values": false,
          "ignore_above": 1024
        }
      }
    }
  }
}

Any additional context:

kibana/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.ts

Lines 257 to 260 in e6c35a6

function generateKeywordMapping(field: Field): IndexTemplateMapping {
const mapping: IndexTemplateMapping = {
ignore_above: DEFAULT_IGNORE_ABOVE,
};

kibana/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.ts

Lines 285 to 288 in e6c35a6

function generateWildcardMapping(field: Field): IndexTemplateMapping {
const mapping: IndexTemplateMapping = {
ignore_above: DEFAULT_IGNORE_ABOVE,
};

@andrewkroh andrewkroh added bug Fixes for quality problems that affect the customer experience Feature:EPM Fleet team's Elastic Package Manager (aka Integrations) project Team:Fleet Team label for Observability Data Collection Fleet team labels Jul 22, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

@jen-huang
Copy link
Contributor

@andrewkroh Should ignore_above also be removed when doc_values: false?

@andrewkroh
Copy link
Member Author

Yes, according to elastic/ecs#1481 (comment) ignore_above should also be removed when doc_value: false.

@nchaulet nchaulet self-assigned this Sep 22, 2022
@nchaulet nchaulet mentioned this issue Sep 22, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nchaulet nchaulet

Labels
bug Fixes for quality problems that affect the customer experience Feature:EPM Fleet team's Elastic Package Manager (aka Integrations) project Team:Fleet Team label for Observability Data Collection Fleet team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Fleet] Do not set ignore_above for index:false nchaulet/kibana
4 participants
@nchaulet @jen-huang @andrewkroh @elasticmachine