Hi CJ, thanks for asking the team. I ended up bumping max_docvalue_fields_search for now and that has worked out.
I think mapping them to strings is the next best option, and that's what I'll probably do the next time this comes up. I really wanted to avoid having to create mappings manually though, since the schema is pretty arbitrary.
As for using a single index pattern, I do usually want my query to hit all indexes in Kibana. The events are usually for the same domain object, but within different stages of its life cycle, so querying by some common fields is good for reconstructing a sequence of events across systems. I believe that with a single query, I can only query one index pattern?
Why is there no way to limit which fields get queried as doc values in Kibana?