After a vanilla install of metricbeat on an EC2 instance, I enabled the system module in
metricbeat.yml. I did not modify
fields.yml, and after turning on metricbeat, I now see a huge number of fields in my index pattern:
I understand that I can modify
fields.yml to change what fields metricbeat tells elasticsearch about the index. There are a few questions that remain unanswered in the docs however:
- What are the performance implications of having so many fields defined this way? There is no data for most of these fields in any of the matching indices.
- Is there an easy way to manage
fields.ymlto only send info on fields that are used in currently enabled modules? I can technically edit
fields.ymlbut editing a 10,000-line file is pretty onerous.