Elastic/Kibana version: 6.7.1
I'm searching for a solution for fixing a mapping explosion in an index pattern. The indices under it contain logs from Winlogbeat. There is one problematic field, Pipelineexecutiondetailsforcommandline, which I guess, because of wrong parsing, creates thousands of subfields, for example:

- Pipelineexecutiondetailsforcommandline:$Module
- Pipelineexecutiondetailsforcommandline:$PublishedDate
- Pipelineexecutiondetailsforcommandline:$TestFileCatalogResult, etc.

Some of them contain hardcoded data. I can disable this field totally from the mapping in the future (but it can't be done in Logstash; all information has to stay).
Some additional info:

- There are many indices (present and from the past) which I use under the same index pattern.
- New indices are created using the ILM rollover mechanism.
- I know a mapped field can't be deleted.
- I know about reindexing, but there are too many indices to perform this action.
- Dynamic mapping is of course enabled. I want it to stay this way, but only figure out how to fix the problem with this one field and its subfields.
- I was wondering if matching the name of this field using "match", some sort of regex, and setting "enable:false" in _template will do the work?
In summary, I assume that if a solution exists it can only apply to newly created indices, but I don't know what steps to perform or what to check next. Also, if some solution does the work and the mapping is fixed, what about the index pattern for future indices? They [the indices] will have the same naming convention as before (for example, now it is winlogbeat-2020-*, which matches the index names) and I would like to keep it this way.
What are my possibilities?
If you need any more information I will try to deliver it as soon as possible.
Thank you in advance.
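The question above asks whether a dynamic template that matches the field by name and disables it would stop the subfield explosion. Below is an added example of such a legacy index template for Elasticsearch 6.x; it is not code from the original post or from Winlogbeat. The template name, the `order` value of 10 and the `doc` mapping type (the Winlogbeat 6.x default) are assumptions; the index pattern `winlogbeat-2020-*` is the one named in the post.

```json
{
  "index_patterns": ["winlogbeat-2020-*"],
  "order": 10,
  "mappings": {
    "doc": {
      "dynamic_templates": [
        {
          "disable_pipeline_execution_details": {
            "match": "Pipelineexecutiondetailsforcommandline",
            "match_mapping_type": "object",
            "mapping": {
              "type": "object",
              "enabled": false
            }
          }
        }
      ]
    }
  }
}
```

Store it with `PUT _template/disable-pipeline-execution-details` (template name assumed). With `"enabled": false`, Elasticsearch keeps the whole object in `_source`, so the data stays retrievable (the "all information has to stay" requirement), but it never parses the object, so no subfields are ever added to the mapping; the trade-off is that the field and its children are not searchable or aggregatable. `match` is applied to the leaf field name, so the template works whatever parent path Winlogbeat places the field under, and `match_mapping_type: "object"` limits it to the object case described in the post. Two caveats: the template only affects indices created after it is stored, so the fix takes effect at the next ILM rollover while existing indices keep their current mapping until reindexed, and the `order` must be higher than that of the Winlogbeat template matching the same pattern so that this dynamic template is kept when the templates are merged. To verify, run `GET <new index>/_mapping` on the first index created after the change and confirm the field appears as an object with `"enabled": false` and no `properties`; the Kibana index pattern can stay as it is, since the index names do not change.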