Enhance mapping explosion documentation in Elasticsearch #4539
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Expanded explanation of mapping explosion in Elasticsearch, including its causes, symptoms, and how to check for issues. - Added details on the default field limit and its implications for performance. - Replaced the intro to avoid the curse of knowledge (intro assumed customer's knew what mappings and field types were).
Contributor
Vale Linting ResultsSummary: 4 suggestions found 💡 Suggestions (4)
|
Contributor
🔍 Preview links for changed docs |
yetanothertw
reviewed
Jan 7, 2026
Contributor
yetanothertw
left a comment
yetanothertw
left a comment
There was a problem hiding this comment.
Thank you for making these changes, they look great!
I've left a couple of small style suggestions for your consideration.
Co-authored-by: Vlada Chirmicci <[email protected]>
Co-authored-by: Vlada Chirmicci <[email protected]>
Co-authored-by: Vlada Chirmicci <[email protected]>
stefnestor
reviewed
Jan 7, 2026
stefnestor
reviewed
Jan 7, 2026
| To confirm the field totals of an index to check for mapping explosion: | ||
|
|
||
| * Check {{es}} cluster logs for errors `Limit of total fields [X] in index [Y] has been exceeded` where `X` is the value of `index.mapping.total_fields.limit` and `Y` is your index. The correlated ingesting source log error would be `Limit of total fields [X] has been exceeded while adding new fields [Z]` where `Z` is attempted new fields. | ||
| * Check {{es}} cluster logs for errors similar to `Limit of total fields [X] in index [Y] has been exceeded` where `X` is the value of `index.mapping.total_fields.limit` and `Y` is your index. The correlated ingesting source log ({{beats}}, {{agent}}, or {{ls}} logs) error would be `Limit of total fields [X] has been exceeded while adding new fields [Z]` where `Z` is attempted new fields. |
Contributor
There was a problem hiding this comment.
- IMO calling out Agent where Elastic-mainly controls the pipeline/integration suggests poor form of us pushing a product issue onto them.
- We frequently use ingesting
client-sideforthe correlated ingesting source log. - Also worth calling out here/above that this error also contains HTTP
400andmapper_parsing_exceptionwhich is what users more commonly google.
Contributor
Author
There was a problem hiding this comment.
- My apologies if that was the read. I was not intending to push a product issue on to the customer. Was trying to better describe where you would see the error.
- The intent was to call out what the error would look like as the original "correlated ingesting source log" reference seemed a bit vague i.e. could we be saying their Kafka, in-house application, code client libraries, etc. would have that error message? So thought calling it out implicitly what products would have that message. Is there an in-house writer's bible I could read up on more of these nomenclatures, like
client-side?
EDIT: doh meant explicitly instead of implicitly.
Contributor
There was a problem hiding this comment.
- Totally no worries! Sorry, not trying to call you out vs I think our KBs do that widespread 🙂
- I think the team's currently revamping this doc but am unsure where this glossary would be so was just FYI
- (leaving placeholder)
Suggested change
| * Check {{es}} cluster logs for errors similar to `Limit of total fields [X] in index [Y] has been exceeded` where `X` is the value of `index.mapping.total_fields.limit` and `Y` is your index. The correlated ingesting source log ({{beats}}, {{agent}}, or {{ls}} logs) error would be `Limit of total fields [X] has been exceeded while adding new fields [Z]` where `Z` is attempted new fields. | |
| * Check {{es}} cluster logs for errors similar to `Limit of total fields [X] in index [Y] has been exceeded` where `X` is the value of `index.mapping.total_fields.limit` and `Y` is the index name. The correlated client-side ingesting source HTTP 400 `mapper_parsing_exception` log error would be `Limit of total fields [X] has been exceeded while adding new fields [Z]` where `Z` is attempted new fields. |
stefnestor
reviewed
Jan 7, 2026
stefnestor
reviewed
Jan 7, 2026
Co-authored-by: Stef Nestor <[email protected]>
Co-authored-by: Stef Nestor <[email protected]>
Co-authored-by: Stef Nestor <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
As part of @stefnestor 2026 Support KB alignment project took the latest information on mapping explosions and filled in to our existing troubleshooting documentation.
Generative AI disclosure