Export generates wrong default field, lot of "text" duplicities #16891

vbohata · March 8, 2020, 10:04pm

I noticed a lot of versions of beats generate wrong index templates. For example in 7.6.1 using "./filebeat export template" I get this in default_field section:

...
"process.args",
"text",
"process.executable",
"process.hash.md5",
"process.hash.sha1",
"process.hash.sha256",
"process.hash.sha512",
"process.name",
"text",
"text",
"text",
"text",
"text",
"process.thread.name",
...

It looks like it takes field type instead of field name for text fields ... Maybe related to multi fields.

mtojek · March 9, 2020, 8:18am

Hi @vbohata,

could you please share the content of your template to let me take a look at this? If you used the original template, could you please name them here?

vbohata · March 9, 2020, 9:26am

I did not change anything. I use just everything as is in the package itself.
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.1-linux-x86_64.tar.gz
tar -xf filebeat-7.6.1-linux-x86_64.tar.gz
cd filebeat-7.6.1-linux-x86_64/
./filebeat export template

mtojek · March 9, 2020, 9:51am

I suppose this in an outcome of introducing multi_fields. Does it harm your installation/pipeline in any way? Caused any errors?

vbohata · March 9, 2020, 6:41pm

No, everything seems working. I also use increased value for ES max clause count because we use not only beats templates, but also our. But in general this bug can lead to hitting default clause count limit for people using just beats templates because ... if multi field values are not meant to be part of default fields, they are useless. If it is expected for multi fields to be part of default fields it means this is not working this way ...

system · April 6, 2020, 8:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.