Fields count in elasticsearch indice

malcolm666 · December 9, 2020, 2:23pm

Hi.
I have elasticsearch, Grafana and some beats deployed in k8s. Version is 7.6.1.
There are some fields from my configuration:

# env values
      - env:
        - name: cluster.name
          value: k8s-logs
        - name: node.name
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: discovery.seed_hosts
          value: es-cluster-0.elasticsearch,es-cluster-1.elasticsearch,es-cluster-2.elasticsearch
        - name: cluster.initial_master_nodes
          value: es-cluster-0,es-cluster-1,es-cluster-2
        - name: ES_JAVA_OPTS
          value: -Xms7g -Xmx7g
        - name: ELASTIC_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: elasticsearch-password
        - name: http.max_header_size
          value: 20000kb
        - name: xpack.security.enabled
          value: "true"
        - name: xpack.security.transport.ssl.enabled
          value: "true"
        - name: xpack.security.transport.ssl.verification_mode
          value: certificate
        - name: xpack.security.transport.ssl.keystore.path
          value: /usr/share/elasticsearch/config/elastic-certificates.p12
        - name: xpack.security.transport.ssl.truststore.path
          value: /usr/share/elasticsearch/config/elastic-certificates.p12
        - name: xpack.monitoring.collection.enabled
          value: "true"
        - name: xpack.monitoring.elasticsearch.collection.enabled
          value: "false"

# resources
        resources:
          limits:
            cpu: "3"
            memory: 14Gi
          requests:
            cpu: "3"
            memory: 14Gi

All works good. We have one index pattern (filebeat-*) in kibana with huge mount of fields (62000 fields)
Kibana works very slow when opening setting of this index pattern and when opening the dashboard that uses this index pattern.
So... Please, help me understand the issue. Is it "normal" to have so many fields in index pattern?

warkolm · December 9, 2020, 10:37pm

What version(s) of the stack are you using?

malcolm666 · December 10, 2020, 6:31am

I wrote it in my message
7.6.1

warkolm · December 10, 2020, 6:32am

For the entire stack - Elasticsearch, Kibana and beats?

malcolm666 · December 10, 2020, 6:32am

Sure

warkolm · December 10, 2020, 6:33am

Ok, what modules are you loading in Beats?

malcolm666 · December 10, 2020, 6:37am

For filebeat I am using two versions - 6.8.12 (deployed outside of k8s) and 7.6.1 (inside of k8s).
So much fields are generated in 6.8.12 version of filebeat. This filebeat uses log as input without modules.
The problem is not with beat. I am just asking about fields count.

warkolm · December 10, 2020, 6:40am

Yeah but Filebeat is generating these fields, so it's a relevant area.

It's not really normal to have an index with that many fields. I don't know if this situation improved in later versions, but let me move this over to Beats and see if anyone can help.

malcolm666 · December 10, 2020, 6:41am

Thanks! Will wait for answer

warkolm · December 10, 2020, 6:42am

system · January 7, 2021, 6:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.