Synthetic Source Issue with Text Fields

[gpop63]

ES version: 8.15.2

Tried installing an integration and its mappings via fleet.

An illegal_argument_exception occurs when trying to use source_mode: synthetic with fields of type text. This happens because text fields don't support synthetic source unless they are stored or have a keyword sub-field with doc_values.

illegal_argument_exception Root causes: illegal_argument_exception: field [panw.system.thermal.description] of type [text] doesn't support synthetic source unless it is stored or has a sub-field of type [keyword] with doc values or stored and without a normalizer

[tommyers-elastic]

it looks like this should have been resolved via https://github.com/elastic/elasticsearch/pull/106338, was something missed there?

[martijnvg]

If you use synthetic source outside of tsdb or logsdb, then this hasn't been resolved yet. #106338 only addressed this if index mode is set to either time_series or logsdb.

This issue should be resolved relatively soon. As we plan to change how synthetic source gets configured. Today this is done via a mapping attribute on the _source field mapping. We are going to introduce an index setting that will control the source mode. When that change is in, then we more easily apply better synthetic source default behavior for text field store attribute (and other field types).

[elasticsearchmachine]

Pinging @elastic/es-storage-engine (Team:StorageEngine)

[lkts]

In 8.17 this will work if using index.mapping.source.mode setting.