Hi,
I just wanted to ask if the the double indexed versions of string fields (as text and as keyword) do they count as 2 fields against the maximum count of fields which defaults to 1000?
So, if I just have events containing text fields, can I in fact only have 500 different fields per index or is it still 1000 without chaning the default?
Cheers,
Thomas
Hi,
I just built a testing environment and yes, a field of type string counts as two fields.
Here is what I built:
# for i in $(seq 1 1500); do for j in $(seq 1 $i) ; do echo -n "foo$j=bar " ; done ; echo ; done > /tmp/maximumfieldtest
(I used 1500 as maximum so that it will definitely break.)
I sent the output through the following:
input {
file {
path => "/tmp/maximumfieldtest"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
kv {}
}
output {
elasticsearch {
index => "maxmimumfield"
hosts => [ "http://127.0.0.1:9200"]
}
}
And it indexed 495 events. So there seems to be 5 fields "overhead" (like @timestamp) and I can index 495 additional fields.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
