Default_field setting

Is there any way to set a default field for an index, such that when a user types an expression in Kibana Discover, the query will be to that default field and not every field in the index?

I'm looking all over the documentation but cannot seem to find where this is done in index creation, mapping, etc.

I'm not sure I understand this use case well enough, but this is not currently supported. We do welcome feature requests in the Kibana repository, and the more you can describe about your use case the better.

My opinion here is that we would probably not build a "default field" setting, but there is probably a way to improve the UX of field selection that would also solve your concerns.

Isn't that what the index.query.default_field setting does? We had user-reported problems after our 6.x to 7.x migration. Users typed a query in Kibana without a field name; in 6.8 it seemed to match any field in the index, in 7.x, index.query.default_field appeared to be honored and fields that weren't listed weren't searched, so what had worked for them before now failed.

The winlogbeat template didn't include any event_data fields, so it was very noticeable. We updated index settings and templates adding fields to fix the issue.

Len explained our concerns exactly. We don't want any queries going over the entire index field-list (for performance purposes). So we're trying to define the default field in case a user doesn't note the field in their query.

What version are you using?

We have a 6.8.5 and a 7.5.1 Elasticsearch.

This link explains it but, as you can see, it is experimental for Elasticsearch. It may be that the development is unfinished and never made it as a permanent feature?

https://www.elastic.co/guide/en/kibana/6.8/upgrade-assistant-api-default-field.html

I'm not sure if it's trying to say the Elasticsearch default_field implementation is experimental or if setting the default_field index via Kibana is experimental.

I think if you test, you will see different behavior between 6.x and 7.x.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
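
Added example, not written by any poster in this thread or by Elastic: a small Python check that lists the mapped fields not matched by an index's index.query.default_field patterns, that is, the fields a query typed without a field name would skip under the 7.x behaviour described above. The mapping, field names and pattern list are constructed sample data, and wildcard matching is simplified to `*` only.

```python
import re


def _matches(field, pattern):
    """True if a dotted field name matches a pattern where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, field) is not None


def leaf_fields(properties, prefix=""):
    """Flatten a mapping 'properties' dict into sorted dotted leaf field names."""
    names = []
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: descend into its sub-fields
            names.extend(leaf_fields(spec["properties"], path + "."))
        else:
            names.append(path)
    return sorted(names)


def uncovered_fields(properties, default_field):
    """Return mapped leaf fields that no default_field pattern matches."""
    # The setting may hold a single string or a list of strings.
    patterns = [default_field] if isinstance(default_field, str) else list(default_field)
    return [f for f in leaf_fields(properties)
            if not any(_matches(f, p) for p in patterns)]


# Constructed sample: the "properties" part of an index mapping and the
# value of index.query.default_field as it might appear in index settings.
SAMPLE_PROPERTIES = {
    "message": {"type": "text"},
    "host": {"properties": {"name": {"type": "keyword"}}},
    "event_data": {"properties": {
        "TargetUserName": {"type": "keyword"},
        "IpAddress": {"type": "keyword"},
    }},
}
SAMPLE_DEFAULT_FIELD = ["message", "host.*"]

if __name__ == "__main__":
    for field in uncovered_fields(SAMPLE_PROPERTIES, SAMPLE_DEFAULT_FIELD):
        print("not covered by index.query.default_field:", field)
```

Feed it the "properties" object from the index mapping and the default_field value from the index settings; any field it reports has to be named explicitly in a query or added to the setting.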