Currently our elastic cluster ( running v5.2.2) handle about 60,000 syslogs and traps per hour. We have a significant amount of traps with long object identifiers of the form "1.2.3.4.5.6". These get expanded into a JSON object 1:{"properties":{2:"properties"... and so on in the mapping. Some of our traps are lengthy and also there is a significant number of different object identifiers which makes us hit the index.mapping.total_fields.limit pretty quickly after which point most of our traps are not indexed. Increasing this limit temporarily helps us, but it is not a clean solution.
We are also currently looking at solution like de_dot and others. But if there is way in elastic search not to expand the field names with dot in them, it will be really great. Any pointers would be great!
3 Likes
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.