Increase total fields limit from 2000 to 2500 #2584
Merged
# ECS 9.3.0 Specification Analysis

## Total Field Count

| Version | Fields | Multi-fields | Total |
|---------|--------|--------------|-------|
| v9.3.0 | 2,141 | 123 | **2,264** |
| v9.0.0 | 1,848 | 91 | **1,939** |
| **Delta** | **+293** | **+32** | **+325 (16.8%)** |

## Special Field Types

| Type | v9.0.0 | v9.3.0 | Change |
|------|--------|--------|--------|
| `object` (container/grouping) | 15 | 90 | +75 (+500%) |
| `nested` (array-type) | 25 | 28 | +3 |
| Fields with `multi_fields` | 91 | 123 | +32 |

## New Field Sets in v9.3.0

| Field Set | Fields |
|-----------|--------|
| `entity` | 26 |
| `gen_ai` | 26 |
| **Total** | **52** |

## Field Sets with Significant Growth

| Field Set | v9.0.0 | v9.3.0 | Growth | % Change |
|-----------|--------|--------|--------|----------|
| `user` | 46 | 116 | +70 | +152% |
| `host` | 42 | 110 | +68 | +162% |
| `cloud` | 33 | 72 | +39 | +118% |
| `service` | 33 | 72 | +39 | +118% |
| `orchestrator` | 15 | 28 | +13 | +87% |
| `device` | 5 | 10 | +5 | +100% |
| `process` | 389 | 391 | +2 | +0.5% |
| `threat` | 435 | 437 | +2 | +0.5% |

## Largest Field Sets (v9.3.0)

| Field Set | Fields | % of Total |
|-----------|--------|------------|
| `threat` | 437 | 19.3% |
| `process` | 391 | 17.3% |
| `file` | 144 | 6.4% |
| `user` | 116 | 5.1% |
| `host` | 110 | 4.9% |
| `tls` | 77 | 3.4% |
| `cloud` | 72 | 3.2% |
| `service` | 72 | 3.2% |
| `dll` | 46 | 2.0% |
| `observer` | 41 | 1.8% |

## Summary

- **54 total field sets**: 2 new, 6 with growth, 46 unchanged
- **Growth drivers**: new field sets (`entity`, `gen_ai`) account for 52 fields; existing field set expansions (`user`, `host`, `cloud`, `service`, `orchestrator`, `device`) account for 241 fields; 32 new multi-field variants
- The `object` type count jumped from 15 to 90 — these are the entity sub-objects added to `user`, `host`, `cloud`, `service`, and `orchestrator` for the new `entity` reuse pattern
- The current composable template ships with `total_fields.limit: 2000`, which is insufficient for the 2,264 fields in v9.3.0
Member
Like having an ecs_process and ecs_threat component template available to pick and choose as needed? That the idea?
andrewkroh
approved these changes
Feb 18, 2026
trisch-me
approved these changes
Feb 19, 2026
Contributor
That’s a nice catch, we should probably have this automated
Contributor
Great catch @Mpdreamz! I saw the build was failing due to not having generated some of the artifacts, so I took care of that and added a changelog entry. You should now be good to merge whenever you're ready.
Member
Author
Ty @kgeller!
Contributor
@kgeller I think this might be one of the low-hanging fruits to add for agent check
Contributor
@trisch-me 100%. I think it fits very nicely into the "Scheduled repo audits" part of section 2
We should probably look into generating mapping templates instead, so users only map the fields they actually use.
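The automated check suggested in the comments could take the following shape: count every mapper in a composable template and compare it with the template's own `total_fields.limit`. This is an added example, not code from this PR or the ECS repository; the sample template, the function names and the 10% headroom for custom fields are assumptions.

```python
import json

# Constructed sample: a tiny composable index template, not the real ECS one.
SAMPLE_TEMPLATE = json.loads("""
{
  "template": {
    "settings": {"index": {"mapping": {"total_fields": {"limit": 5}}}},
    "mappings": {"properties": {
      "@timestamp": {"type": "date"},
      "host": {"properties": {
        "name": {"type": "keyword"},
        "entity": {"type": "object",
                   "properties": {"id": {"type": "keyword"}}}
      }},
      "process": {"properties": {
        "command_line": {"type": "wildcard",
                         "fields": {"text": {"type": "match_only_text"}}}
      }}
    }}
  }
}
""")


def count_fields(properties):
    """Count every mapper under a `properties` tree. Leaf fields, object
    containers and multi-fields (`fields`) all count toward the limit."""
    total = 0
    for mapping in properties.values():
        total += 1                                # the field or object itself
        total += len(mapping.get("fields", {}))   # multi-field variants
        total += count_fields(mapping.get("properties", {}))  # children
    return total


def check_template(template, headroom=0.10):
    """Return (count, limit, ok). `ok` is False when the mapped field count
    plus a fractional headroom (assumed value) exceeds the template limit."""
    body = template["template"]
    limit = body["settings"]["index"]["mapping"]["total_fields"]["limit"]
    count = count_fields(body["mappings"]["properties"])
    return count, limit, count * (1 + headroom) <= limit


if __name__ == "__main__":
    count, limit, ok = check_template(SAMPLE_TEMPLATE)
    print(f"mapped fields={count} limit={limit} ok={ok}")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails a CI job
```

Run against the generated template in CI or a scheduled audit, a non-zero exit flags a release whose field count has outgrown the shipped limit before indexing starts rejecting documents.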