Fix default_field for metricbeat #7015
Conversation
ruflin
added
in progress
|
@Bargs Few questions to default_field in Kibana related to elastic/kibana#16232
|
I believe the global option will take precedence for the query from the query bar. However, in 7.0 query_string filters will no longer get the default options, so one option might be to add a query_string filter to the vis instead of using the query bar.
Yes, it is sent as a param on the query_string query in the search request body, so it takes precedence over the index settings in ES.
Nope |
|
@Bargs Thanks for the details. Do you have a time frame when elastic/kibana#16232 could happen? Because I think it is also prerequisit for this PR to fully fix the problem without having to overwrite it in each visualisation. |
|
It's easy to do, I've just been putting it off. If it's blocking you guys I'll try to get it done in the next few days. |
|
Here we go elastic/kibana#18966 |
|
@Bargs Thanks a lot for this. This will make it much easier for us / me to test if my above solution to the problem actually works. |
|
I tested this again with the most recent snapshot builds from Kibana and for the system dashboards this seems to fix the problem. An other thing I stumbled over partially related is that the All similar but not 100% identical. Should we standardise these after the export to make sure they are all the same? |
|
💯 we had issues in the past with wrong values here, AFAIK index must be set to |
ruflin
added
review
and removed
discuss
|
I changed the PR that for now default_fields only apply when running against ES 7. This makes sure it's not a breaking change in case it has side effects. It also gives us time to test it. @exekias Lets sync up separately on how we should "clean" our dashboards. Ready for review. |
In Elasticsearch 7.0 there is a limit of 1024 fields (see elastic#5275). As Metricbeat exceeds the limit of 1024 fields per index it has to be defined which the default fields are as otherwise Elasticsearch returns an error. This change set the index config option `index.query.default_field`. To fields chosen to be searchable are all string and keyword values as these are the ones that I would expect users to put directly in the search without specifying a field. For all numbers I expect that the exact field is specified. This PR also removes all presets from dashboards which did set default_fields as they were `*`. In Kibana the default `*` was removed also in master: elastic/kibana#16232
|
@exekias Yes, added one and rebase on master. |
|
WFG |
In Elasticsearch 7.0 there is a limit of 1024 fields (see #5275). As Metricbeat exceeds the limit of 1024 fields per index it has to be defined which the default fields are as otherwise Elasticsearch returns an error.
This change set the index config option
index.query.default_field. To fields chosen to be searchable are all string and keyword values as these are the ones that I would expect users to put directly in the search without specifying a field. For all numbers I expect that the exact field is specified.This PR also removes all presets from dashboards which did set default_fields as they were
*. In Kibana the default*was removed also in master: elastic/kibana#16232