-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libbeat: Don't force an ignore_above limit on wildcard fields #30668
Conversation
Modifies libbeat's template processor to stop hardcoding a default `ignore_above` limit of 1024 on wildcard fields. This behavior was inherited from keyword fields. Closes elastic#30096
This pull request does not have a backport label. Could you fix it @adriansr? 🙏
NOTE: |
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
Pinging @elastic/integrations (Team:Integrations) |
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
This is indeed a really long time ago, the |
I've read about wildcard, since the limit was added previously. I am ok to thread wildcard differently than keywords but @adriansr what kind of data are you indexing in that field? |
@ph I'll jump in and answer since I originally opened #30096. Security-focused users have pointed out how specific shell commands, URLs, or encoded payloads values could exceed the 1024 character convention. Not having these values indexed can create detection blindspots. Users can adjust the ECS migrated a small number of fields to use Wildcard fields have some other benefits, but that's outside the scope of the focus here. 😄 |
What does this PR do?
Modifies libbeat's template processor to stop hardcoding a default
ignore_above
limit of 1024 on wildcard fields. This behavior was inherited from keyword fields.From the Beats users point of view, I've considered this a bugfix. (Bugfix under Affecting All Beats in CHANGELOG).
From the community Beat developers point of view, I consider this a breaking change as someone may be relying on the previous default behavior (Breaking under Affecting all Beats in CHANGELOG-developer).
Why is it important?
Some important ECS wildcard fields are not being indexed properly. See related issue.
Checklist
[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration filesCHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Related issues
Closes #30096