Add default_field option to fields.yml (#14341)
* Add default_field option to fields.yml The number of fields in the Elasticsearch index template's `settings.index.query.default_field` option has grown over time, and is now greater than 1024 in Filebeat (Elastic licensed version). This causes queries to Elasticsearch to fail when a list of fields is not specified because there is a default limit of 1024 in Elasticsearch. This adds a new setting to fields.yml called `default_field` whose value can be true/false (defaults to true). When true the text/keyword fields are added to the `default_field` list (as was the behavior before this change). And when set to false the field is omitted from the default_field list. This adds a test for every beat to check if the default_field list contains more than 1000 fields. The limit is a little less than 1024 because `fields.*` is in the default_field list already and at query time that wildcard will be expanded and count toward the limit. Fixes #14262 * Exclude new zeek datasets from default_field list
1 parent
956f87c
commit 9f21b96
Showing
56 changed files
with
430 additions
and
23 deletions.
@@ -0,0 +1,86 @@ | ||
// Licensed to Elasticsearch B.V. under one or more contributor | ||
// license agreements. See the NOTICE file distributed with | ||
// this work for additional information regarding copyright | ||
// ownership. Elasticsearch B.V. licenses this file to you under | ||
// the Apache License, Version 2.0 (the "License"); you may | ||
// not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, | ||
// software distributed under the License is distributed on an | ||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
// KIND, either express or implied. See the License for the | ||
// specific language governing permissions and limitations | ||
// under the License. | ||
|
||
package template | ||
|
||
import ( | ||
"strings" | ||
"testing" | ||
|
||
"github.com/elastic/beats/libbeat/asset" | ||
"github.com/elastic/beats/libbeat/common" | ||
"github.com/elastic/beats/libbeat/template" | ||
"github.com/elastic/beats/libbeat/version" | ||
) | ||
|
||
// MaxDefaultFieldLength is the limit on the number of default_field values | ||
// allowed by the test. This is less that the 1024 limit of Elasticsearch to | ||
// give a little room for custom fields and the expansion of `fields.*`. | ||
const MaxDefaultFieldLength = 1000 | ||
|
||
// TestTemplate executes tests on the Beat's index template. | ||
func TestTemplate(t *testing.T, beatName string) { | ||
t.Run("default_field length", testTemplateDefaultFieldLength(beatName)) | ||
} | ||
|
||
// testTemplateDefaultFieldLength constructs a template based on the embedded | ||
// fields.yml data verifies that the length is less than 1000. | ||
func testTemplateDefaultFieldLength(beatName string) func(*testing.T) { | ||
return func(t *testing.T) { | ||
// 7.0 is when default_field was introduced. | ||
esVersion, err := common.NewVersion("7.0.0") | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
// Generate a template based on the embedded fields.yml data. | ||
tmpl, err := template.New(version.GetDefaultVersion(), beatName, *esVersion, template.TemplateConfig{}, false) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
fieldsBytes, err := asset.GetFields(beatName) | ||
if err != nil { | ||
t.Fatal("Failed to get embedded fields.yml asset data:", err) | ||
} | ||
|
||
fields, err := tmpl.LoadBytes(fieldsBytes) | ||
if err != nil { | ||
t.Fatal("Failed to load template bytes:", err) | ||
} | ||
|
||
templateMap := tmpl.Generate(fields, nil) | ||
|
||
v, _ := templateMap.GetValue("settings.index.query.default_field") | ||
defaultValue, ok := v.([]string) | ||
if !ok { | ||
t.Fatalf("settings.index.query.default_field value has an unexpected type: %T", v) | ||
} | ||
|
||
if len(defaultValue) > MaxDefaultFieldLength { | ||
t.Fatalf("Too many fields (%d>%d) in %v index template"+ | ||
"settings.index.query.default_field for comfort. By default "+ | ||
"Elasticsearch has a limit of 1024 fields in a query so we need "+ | ||
"to keep the number of fields below 1024. Adding 'default_field: "+ | ||
"false' to fields or groups in a fields.yml can be used to "+ | ||
"reduce the number of text/keyword fields that end up in "+ | ||
"default_field.", | ||
len(defaultValue), MaxDefaultFieldLength, strings.Title(beatName)) | ||
} | ||
t.Logf("%v template has %d fields in default_field.", strings.Title(beatName), len(defaultValue)) | ||
} | ||
} |
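Review bot: The failure message built at the `t.Fatalf` in testTemplateDefaultFieldLength is missing a space between `"index template"+` and `"settings.index.query.default_field for comfort..."`, so the emitted text reads `... index templatesettings.index.query.default_field ...`; change the first piece to `"Too many fields (%d>%d) in %v index template "+`. The error from `templateMap.GetValue` is discarded on `v, _ := templateMap.GetValue("settings.index.query.default_field")`, so a template that lacks the setting entirely fails only as `unexpected type: <nil>`, which hides the real cause; prefer `v, err := templateMap.GetValue("settings.index.query.default_field")` followed by `if err != nil { t.Fatal("settings.index.query.default_field not found in template:", err) }`. The doc comment above the function also says "fields.yml data verifies that the length is less than 1000", while the check `len(defaultValue) > MaxDefaultFieldLength` permits exactly MaxDefaultFieldLength; suggest `// fields.yml data and verifies that default_field has at most MaxDefaultFieldLength entries.`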