Description
In the current Metricbeat index template, the ignore_above
limit is set to 1024. This limit is consistently exceeded in the system.process.cmdline
field by Elasticsearch itself (on Windows).
A typical cmdline for ES on Windows looks something like this:
"C:\Program Files\Java\jdk1.8.0_121\bin\java.exe" -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.io.tmpdir=C:\Users\ratonbox\AppData\Local\Temp\elasticsearch -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime -Xloggc:logs/gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=32 -XX:GCLogFileSize=64m -Delasticsearch -Des.path.home="C:\Users\ratonbox\Desktop\elasticsearch-6.4.0" -Des.path.conf="C:\Users\ratonbox\Desktop\elasticsearch-6.4.0\config" -Des.distribution.flavor="default" -Des.distribution.type="zip" -cp "C:\Users\ratonbox\Desktop\elasticsearch-6.4.0\lib\*" "org.elasticsearch.bootstrap.Elasticsearch"
which has 1126 characters.
This makes the whole field unsearchable, without the user really being aware of it.
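One way to surface the problem before it hides data, as an added example that is not part of the original issue or of the Metricbeat code base: the script below walks a mapping's keyword fields and reports event values longer than their ignore_above limit. The mapping fragment, the sample events and all function names are constructed for illustration.

```python
# Added example: flag keyword values that exceed the mapping's ignore_above
# limit and would therefore be left out of the index (unsearchable).

def keyword_limits(properties, prefix=""):
    """Flatten a mapping "properties" tree into {dotted.field: ignore_above}."""
    limits = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its children
            limits.update(keyword_limits(spec["properties"], path + "."))
        elif spec.get("type") == "keyword" and "ignore_above" in spec:
            limits[path] = spec["ignore_above"]
    return limits

def flatten(doc, prefix=""):
    """Yield (dotted.field, value) for every leaf value, expanding lists."""
    for name, value in doc.items():
        path = prefix + name
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            for item in value if isinstance(value, list) else [value]:
                yield path, item

def unindexed_values(doc, limits):
    """Return [(field, length, limit)] for strings longer than ignore_above.

    Python len() counts code points; the comparison is exact for ASCII input.
    """
    return [(f, len(v), limits[f]) for f, v in flatten(doc)
            if isinstance(v, str) and f in limits and len(v) > limits[f]]

# Constructed mapping fragment using the 1024 limit described in the issue.
MAPPING = {"system": {"properties": {"process": {"properties": {
    "name": {"type": "keyword", "ignore_above": 1024},
    "cmdline": {"type": "keyword", "ignore_above": 1024}}}}}}

# Constructed events: a short command line and one padded to 1126 characters.
SHORT = {"system": {"process": {"name": "java.exe", "cmdline": "java.exe -Xms1g"}}}
LONG = {"system": {"process": {"name": "java.exe",
        "cmdline": ("java.exe " + "-Dk=v " * 200)[:1126]}}}

if __name__ == "__main__":
    limits = keyword_limits(MAPPING)
    for event in (SHORT, LONG):
        print(unindexed_values(event, limits))
```

Running a check like this over a sample of shipped events shows which fields lose values, which matters for any alerting or hunting query that filters on the process command line.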