Dear All,
I hope you can give me some advice on the best way to reduce the number of fields created.
Let me begin with the overview of the design: VMware ESXI hosts are sending Neflow v10 (IPFX) to Filebeat forwarding the data to ELK ingest nodes.
I checked the filebeat-* index created and that shows 5287 fields created and that doesn't seem to be optimal. Then I checked fields.yml and now I see why there are many seemingly unnecessary fields.
What do you think would be the best approach to optimize the number of fields for Netflow usage only? The reason why I'd like to do it: to meet the recommendation to have maximum 1000 fields in the first place, secondly to reduce the index size.
Hi,
Really good question, I look forward to see an answer if any 
Map explosion is something to be care of, and yes, filebeat having an index patter of over 5287 fields seems scary.
1 Like
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.