SIEM is currently using 128 fields across the following types:
- siem-ui-timeline: 96
- siem-ui-timeline-note: 7
- siem-ui-timeline-pinned-event: 6
- siem-detection-engine-rule-actions: 9
- siem-detection-engine-rule-execution-info: 10
Especially siem-ui-timeline with its 96 fields seems really high and from a rough search it seems like we might only be searching/aggregating over a handful of these fields. Could we reduce the field count of these types?
> Do not use field mappings like you would use data types for the columns of a SQL database. Instead, field mappings are analogous to a SQL index. Only specify field mappings for the fields you wish to search on or query. By specifying `dynamic: false` in any level of your mappings, Elasticsearch will accept and store any other fields even if they are not specified in your mappings.
>
> Since Elasticsearch has a default limit of 1000 fields per index, plugins should carefully consider the fields they add to the mappings. Similarly, Saved Object types should never use `dynamic: true` as this can cause an arbitrary amount of fields to be added to the .kibana index.
From https://github.com/elastic/kibana/blob/main/dev_docs/tutorials/saved_objects.mdx#mappings
Related #43673
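As an added illustration of the quoted guidance (example code written here, not Kibana's or the SIEM plugin's own), the TypeScript below counts how many fields a saved object type's mappings contribute toward the `.kibana` index's field limit, and shows a wide mapping beside the same type narrowed to `dynamic: false` with only the searched fields mapped. The mapping shapes, the type names and the counting rule (every property at every level plus multi-fields, an approximation of Elasticsearch's total-fields accounting) are constructed for this example; the SIEM plugin's real mappings are not reproduced here.

```typescript
// Added example, not Kibana code. Mirrors the shape of an Elasticsearch
// mapping property definition as registered for a saved object type.
interface FieldMapping {
  type?: string;
  dynamic?: boolean | 'strict';
  properties?: Record<string, FieldMapping>;
  fields?: Record<string, FieldMapping>; // multi-fields, e.g. a keyword sub-field
}

// Counts every mapped property at every level, plus multi-fields.
// This approximates what Elasticsearch charges against
// index.mapping.total_fields.limit (objects count as fields too).
export function countMappedFields(props: Record<string, FieldMapping> | undefined): number {
  if (!props) return 0;
  let count = 0;
  for (const def of Object.values(props)) {
    count += 1; // the field or object itself
    count += countMappedFields(def.properties); // nested object properties
    count += countMappedFields(def.fields); // multi-fields
  }
  return count;
}

// Constructed sample: a hypothetical type that maps every attribute it stores,
// including ones that are never searched or aggregated on.
export const wideMapping: FieldMapping = {
  properties: {
    title: { type: 'text' },
    description: { type: 'text' },
    created: { type: 'date' },
    createdBy: { type: 'keyword' },
    updated: { type: 'date' },
    updatedBy: { type: 'keyword' },
    columns: {
      properties: {
        id: { type: 'keyword' },
        name: { type: 'keyword' },
        width: { type: 'integer' },
      },
    },
  },
};

// The same type after applying the docs' advice: dynamic:false at the top
// level and only the fields that are actually queried. The other attributes
// (description, columns, ...) are still stored and returned with the object;
// they just cannot be searched on.
export const narrowMapping: FieldMapping = {
  dynamic: false,
  properties: {
    title: { type: 'text' },
    created: { type: 'date' },
    createdBy: { type: 'keyword' },
  },
};

// Elasticsearch's default index.mapping.total_fields.limit.
export const DEFAULT_TOTAL_FIELDS_LIMIT = 1000;

// Per-type field counts for a plugin's registered types, and how much of the
// shared .kibana field budget they leave for everyone else.
export function fieldBudgetReport(
  types: Record<string, FieldMapping>,
  limit: number = DEFAULT_TOTAL_FIELDS_LIMIT
): { perType: Record<string, number>; total: number; remaining: number } {
  const perType: Record<string, number> = {};
  let total = 0;
  for (const [name, mapping] of Object.entries(types)) {
    const n = countMappedFields(mapping.properties);
    perType[name] = n;
    total += n;
  }
  return { perType, total, remaining: limit - total };
}

// Stand-alone usage with the two constructed mappings above.
console.log(fieldBudgetReport({ 'example-wide': wideMapping, 'example-narrow': narrowMapping }));
```

Running `fieldBudgetReport` over a plugin's registered types before a mappings change, and again after, gives a concrete number for reviews like this one rather than a rough search through the mapping files.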