Hi, I upgraded our nominally working 5.6.4 ELK stack to 6.1.4 (ES, Logstash, and Kibana). We did not use X-Pack before, and we are not yet using X-Pack on this 6.1.4 upgrade (we have a license, but haven't installed it yet... still figuring out that part). We keep 30 days' worth of indexes, and create a new index daily (named logstash-YYYY-MM-DD). Our default index is "logstash-*".
We used to be able to search for random strings without specifying a field and it would find things in a reasonable time frame, a few seconds. Now in 6.1.4, if we search for a string, such as "6d0aed01-4201-3cb9-9925-1c9555540c09" over the last 7 days, the search times out after 30 seconds. If we search for message:"6d0aed01-4201-3cb9-9925-1c9555540c09" over that 7 days, it finds and returns the result set relatively quickly. Something changed in search behavior, specifically around fieldless searches, when upgrading from Kibana 5.x to Kibana 6.x.
I've been googling a lot and read that the _all field is no longer automatically in 6.x.
Do I need to create a new _all field? The page https://www.elastic.co/guide/en/elasticsearch/reference/6.1/mapping-all-field.html seems to imply that it's deprecated, which means to me I shouldn't use it.
I've also read something about "all_fields: true", but it doesn't make sense yet where that might actually be used.
Googling also led me to look at my default search field, currently set to *. I considered setting the default search field to "message", but then it won't find strings in the other fields (the way it used to in 5.6.x searches).
What do I have to add/set up to get the same fieldless search behavior I had in 5.6.x searches?
I'm not sure what to do here. I think I want whatever is the equivalent of the _all field in 6.x.x, but I'm not sure exactly what that would be. Can I get some hints and suggestions please?