[Discover][Observability] Set o11y recommended fields

[flash1293]

📓 Summary

In an o11y space, the extension point introduced in https://github.com/elastic/kibana/issues/192556 should be used to set suitable recommended fields.

Which fields should be recommended is tbd.

✔ Acceptance Criteria

• Set recommended fields for the o11y logs profile

❓ Open questions

• What fields should be recommended?

[elasticmachine]

Pinging @elastic/obs-ux-logs-team (Team:obs-ux-logs)

[flash1293]

@LucaWintergerst could you take a pass on recommended fields? Something that's not clear to me is what we should do with technology-specific fields like kubernetes - there are the agent integration fields, otel fields, ...

[LucaWintergerst]

As a first list of candidates I'd propose

event.dataset
log.level
service.name
host.hostname

we have new telemetry in 8.16 that gives us better insights here, we can refine this over time once we have more data

[flash1293]

Agreed about event.dataset as it unifies integrations and old-school beat modules (at least that's my understanding - integrations always set data_stream.dataset and event.dataset).

About host.hostname - should this be host.name instead?

The difference is:

host.name:
It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.

host.hostname
It normally contains what the hostname command returns on the host machine.

In integrations, host.name is referenced a bit more often, but in general it would be preferable because it contains more information. E.g. of my Mac the hostname returned from hostname is just Mac, but the host.name is Joe's MacBook Pro

[flash1293]

Actually, about event.dataset - it's not optimal to use it because data_stream.dataset is mapped as constant keyword, so it will be much more performant to filter on that one instead of event.dataset, as constant keywords allow you to completely skip indices in the search.