[Fleet] Add experimental toggle for enabling doc-value-only indexing to data streams

[joshdover]

Related to #132818

Leveraging the prework done in #140095, we should add a toggle for "doc-only-value" indexing on a data stream. This should be done by updating the data stream's index template mappings so that every double and long field has index: false set.

Read more on doc-value-only fields: https://www.elastic.co/guide/en/elasticsearch/reference/8.1/doc-values.html#doc-value-only-fields

Fleet should provide two experimental toggles for opting data streams into this functionality:

1. One toggle that adds index: false to all "numeric" (e.g. double and long) mappings
2. One toggle that adds index: false to all other compatible fields (keyword, date, ip, boolean, geo_point)

Each toggle controls the settings for corresponding mappings in the data stream's index template.

At least for testing purposes, having both options would likely be helpful to gauge the storage, indexing, and query performance tradeoffs.

Interaction with index: false in package manifests

Currently, integration developers can provide index: false for various fields included in an integrations mappings. If any value is provided for the index setting (either true or false), Fleet must honor it and avoid overwriting the value. The package manifest is the source of truth for all indexing settings.

In summary:

• If index: undefined for a given field, it may be overridden by the toggle state
• If index: true | false for a given field, it may not be overridden by the toggle state

Implementation

• Create a numeric doc-values-only toggle under the "experimental indexing settings" section of the Fleet policy editor
  • When enabled, the corresponding data stream's index template mappings will include index: false for all double and long properties
  • When disabled, the index setting is unset from the index template's mappings
• Create a other doc-values-only toggle under the "experimental indexing settings" section of the Fleet policy editor
  • When enabled, mappings for keyword, date, ip, boolean, and geo_point fields are updated to provide index: false in their settings
  • When disabled, the index value for the above mapping types is unset
• Both toggles do not override existing index settings as provided by the given package's manifest

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[ruflin]

If I set index: false in my fields.yml today in the integration, will Fleet respect it? @jsoriano This is different from the toggle proposed here which we should have also in addition but I can see the two play together / compete with each other. Even if there is some generic logic or translation of the mappings to use index: false, what is defined in the package itself per field must be respected.

[kpollich]

@ruflin - I think index: false is supported as of #145410, but my understanding might be a little shallow. Does this look like it does what you need?

[ruflin]

I did run a quick test run and index: false currently works as expected.

fields.yml

    - name: foo.bar
      type: long
      index: false
      description: |
        Test field.  

Resulting template:

"foo": {
  "properties": {
    "bar": {
      "index": false,
      "type": "long"
    }
  }
},

#145410 implies that the feature is supported, I assume it has been for a while. This is good.

During implementation of this issue we must ensure to have logic in place to not overwrite these values if they are set. Something like:

• index:* not set: Fleet UI controls the outcome of the field
• index:false or index:true: Values are kept even if toggle in the UI for this field

Same applies to doc_values field.

[joshdover]

@kpollich can we update this issue to reflect the remaining work and how the toggle and package spec fields should work together?

[kpollich]

@joshdover - Made some updates to the description above. Let me know if this accurate based on your's and @ruflin's comments above and elsewhere.

[ruflin]

Most important for me is, whoever takes on this task is not just checking the exact spec described in this issue for implementation but checks against Elasticsearch docs what fields are supported, which ones not and why. I want to make sure we don't miss some fields that we forgot to put into the issue or have changed since the issue was written.

[juliaElastic]

@joshdover @ruflin @kpollich These switches are reversible, right? So if enabled, can they be changed back?

[ruflin]

AFAIK yes. But I assume it requires a rollover to take effect.

[juliaElastic]

We could add a tooltip or link to the docs to remind the users that rollover is needed.

[joshdover]

There's a dedicated issue for this open: #143448, prioritized for a 2 sprints from now.

[juliaElastic]

@ruflin @joshdover The docs are a little confusing whether this list is an exhaustive list that supports doc-value-only:
"Numeric types, date types, the boolean type, ip type, geo_point type and the keyword type can also be queried".

I am wondering if by date types, do we mean only date or date_nanos as well?

Later the doc says that wildcard doesn't support this feature. I wonder if this means that all other types are supported.
"You cannot disable doc values for wildcard fields."

I guess I could go through all existing types to check, alternatively check if the mapping type has index field in the code.