I have an index that is all metrics.
I have disabled _source and _all for entries in this index.
I have verified that I can do aggregate queries against this index.
I am assuming that Kibana only cares about the returned aggregation information and doesn't care about _source.
I'm struggling to determine any upside for keeping _source around for a metric index.
Not only do I plan to visualize my data using Kibana, but I also intend to do ad-hoc queries against my data. When I disable _source, I find that I can still get ad-hoc search results by adding a fielddata_fields child to the _search endpoint.
I use a search syntax like this:
GET /access-log-lines/v1/_search
{
  "query": {
    "bool": {
      "must": {
        "prefix": {
          "http.request.host": "www.example.com"
        }
      },
      "must_not": {
        "match": {
          "http.request.UA.name": "Chrome"
        }
      }
    }
  },
  "fielddata_fields": [
    "http.request.UA.name"
  ]
}
I get output from that ad-hoc (non-aggregate) search query that looks like this:
...
{
  "_index": "access-log-lines",
  "_type": "v1",
  "_id": "314159",
  "_score": 1.0,
  "fields": {
    "http.request.host": [
      "www.example.com"
    ],
    "http.request.UA.os_name": [
      "Other"
    ]
  }
},
...