Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a multi-field user.id.text to the user.id field. #2336

Open
leandrojmp opened this issue Apr 19, 2024 · 1 comment
Open

Add a multi-field user.id.text to the user.id field. #2336

leandrojmp opened this issue Apr 19, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@leandrojmp
Copy link

Summary

Make the user.id field a multi-field in the same way that user.name is a multi-field to allow to have better performance when making queries using wildcards or text searchs.

Motivation:

Currently the user.id is mapped as a keyword field, and keyword fields are not optimized to be queried using wildcards, specially leading asterisks.

There may be some uses cases where the user.id value can have a common prefix or sufix and the user may want to query all the documents where the user.id has the same prefix or sufix, like *sufix or prefix*.

One example is the user.id for AWS Cloudtrail logs which can have this format AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName and the user may wan to query for *:AssumedRoleSessionName or *:CustomRulePattern*

Doing this on a keyword field is not optimal, can take some time and impact the cluster performance.

The user.name field has a multi-field named user.name.text, this issue proposes to have the same approach on the user.id, creating the user.id.text

Detailed Design:

Create user.id.text as a multi-field for user.id, the data type would be text.

@leandrojmp leandrojmp added the enhancement New feature or request label Apr 19, 2024
@qcorporation
Copy link

@andrewkroh do you have any feedback with regards to performance? And if this is a good idea.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants