LogsDB: Add synthetic_source_keep = none to arrays where order/duplicates do not matter

For array fields treated as unordered sets, we should add `synthetic_source_keep: "none"` to the mappings to optimize storage under LogsDB. Fields like `host.ip` and `related.ip` would be candidates because order and duplicates are irrelevant.

Adding this option prevents the array field from being stored in `_source`.

Support for this is in-progress in Elasticsearch and will be first available in 8.16.

### References
- https://github.com/elastic/elasticsearch/blob/a2df7e7229e772eddc9a8aba2ecfdbd162810c78/server/src/main/java/org/elasticsearch/index/mapper/Mapper.java#L33
- https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html#synthetic-source-keep

### Related
- #2372 (no longer relevant as we switched to an opt-in model for array optimization in logsdb)

```[tasklist]
- [ ] https://github.com/elastic/ecs/pull/2422
- [ ] Update [ecs@mappings](https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/core/template-resources/src/main/resources/ecs%40mappings.json) dynamic template in elastic/elasticsearch
- [ ] https://github.com/elastic/package-spec/issues/861
- [ ] https://github.com/elastic/integrations/issues/12485
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

LogsDB: Add synthetic_source_keep = none to arrays where order/duplicates do not matter #2376

References

Related

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

LogsDB: Add synthetic_source_keep = none to arrays where order/duplicates do not matter #2376

Description

References

Related

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions