What if I don't set index.query.default_field?

Our cluster is still running Elasticsearch 6.8, so I'm looking at getting it upgraded to Elasticsearch 7. The Kibana Upgrade Assistant is flagging a couple of hundred indices with this message

This index has [4234] fields, which exceeds the automatic field expansion limit of 1024 and does not have [index.query.default_field] set, which may cause queries which use automatic field expansion, such as query_string, simple_query_string, and multi_match to fail if fields are not explicitly specified in the query.

The warning message says that queries "may" fail. Which I take to mean they may not fail. I can't find information about what exactly failure means in this context, (unexpected results? an error message? both? other?) or what would determine if a search fails or not.

If, with Elasticsearch 7, someone tries to do a search in Kibana on an index with 4234 fields without specifying a field and index.query.default_field isn't set, what might happen?

Essentially, how about if instead of having conversations with people about what index.query.default_field should be set to on various indices, I just ignore the warning?

Elasticsearch 6.8 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )

Basically, you may get no results.

What determines whether you do or do not get results? Does Elasticsearch somehow choose 1024 out of however many fields there are and do the search on those and if what you'll looking for is in one of those 1024 you get results, otherwise you don't?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.