Mapping explosion vs. the filebeat template

I'm struggling trying to figure out how to convert from the way we used legacy templates to the new index and component templates. I used to add our own templates with higher priority on top of the supplied filebeat template.

Then I read about mapping explosion and that the default limit for index fields is 1000. The Filebeat template I just loaded for 7.16.2 for the Elasticsearch and Logstash modules results in an index with over 6500 fields.

If component templates are the wave of the future, could Elastic break the supplied Filebeat template into components per mapping group, like activemq, agent, apache, auditd, aws-cloudwatch, aws-cloudtrail and so on? Then we could include the parts we want with our indices and reduce the excessive field count.
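The split asked about above can be prototyped locally. The following is an added example, not part of the original post and not Elastic's tooling: it cuts a template's mappings into one component-template body per top-level group, composes an index template from a chosen subset, and compares field counts. The sample mappings are constructed, the `filebeat-` component names and priority 200 are hypothetical, and the count only approximates what Elasticsearch counts toward `index.mapping.total_fields.limit`.

```python
import json

# Constructed sample: a tiny stand-in for the mappings of the Filebeat template.
SAMPLE_MAPPINGS = {"properties": {
    "@timestamp": {"type": "date"},
    "message": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "apache": {"properties": {
        "access": {"properties": {"ssl": {"properties": {
            "protocol": {"type": "keyword"}, "cipher": {"type": "keyword"}}}}},
        "error": {"properties": {"module": {"type": "keyword"}}}}},
    "auditd": {"properties": {"log": {"properties": {
        "sequence": {"type": "long"}, "a0": {"type": "keyword"}}}}},
    "logstash": {"properties": {"log": {"properties": {
        "module": {"type": "keyword"}, "thread": {"type": "text"}}}}},
}}

def count_fields(props):
    """Approximate count: object, leaf and multi-field entries each count once."""
    total = 0
    for spec in props.values():
        total += 1 + len(spec.get("fields", {}))
        total += count_fields(spec.get("properties", {}))
    return total

def split_by_group(mappings, prefix="filebeat-"):
    """Return {component_name: body}, one component per top-level mapping group.
    The naming scheme is hypothetical; bodies use the component template shape."""
    out = {}
    for name, spec in mappings["properties"].items():
        comp = prefix + name.lstrip("@")
        out[comp] = {"template": {"mappings": {"properties": {name: spec}}}}
    return out

def compose(components, wanted, patterns, priority=200):
    """Build a composable index template body from the chosen components."""
    chosen = [c for c in components if c in wanted]
    return {"index_patterns": patterns, "priority": priority, "composed_of": chosen}

def composed_field_count(components, index_template):
    """Field count an index would start with if built from this template."""
    return sum(count_fields(components[c]["template"]["mappings"]["properties"])
               for c in index_template["composed_of"])

if __name__ == "__main__":
    comps = split_by_group(SAMPLE_MAPPINGS)
    wanted = {"filebeat-timestamp", "filebeat-message", "filebeat-logstash"}
    tmpl = compose(comps, wanted, ["filebeat-*"])
    print(json.dumps(tmpl, indent=2))
    print(count_fields(SAMPLE_MAPPINGS["properties"]), "->", composed_field_count(comps, tmpl))
```

Each value in the dictionary from `split_by_group` is shaped as a body for `PUT _component_template/<name>`, and the result of `compose` as a body for `PUT _index_template/<name>`.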
