Disable default for all fields introduced in ECS 1.3.x

This is so that Beats' default_fields don't go above 1000 field limit.

generated/beats/fields.ecs.yml

@@ -1000,6 +1000,7 @@
         In normal conditions, assuming no tampering, the timestamps should chronologically
         look like this: `@timestamp` < `event.created` < `event.ingested`.'
       example: 2016-05-23 08:05:35.101000
+      default_field: false
     - name: kind
       level: extended
       type: keyword
@@ -1401,6 +1402,7 @@
         \ on Windows this could be the host's Active Directory domain or NetBIOS domain\
         \ name.  For Linux this could be the domain of the host's LDAP provider."
       example: CONTOSO
+      default_field: false
     - name: geo.city_name
       level: core
       type: keyword
@@ -2136,6 +2138,7 @@
 
         For example use the commit SHA of a non-released package.'
       example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+      default_field: false
     - name: checksum
       level: extended
       type: keyword
@@ -2187,6 +2190,7 @@
       description: Home page or reference URL of the software in this package, if
         available.
       example: https://golang.org
+      default_field: false
     - name: size
       level: extended
       type: long
@@ -2202,6 +2206,7 @@
         This should contain the package file type, rather than the package manager
         name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.'
       example: rpm
+      default_field: false
     - name: version
       level: extended
       type: keyword
@@ -2342,6 +2347,7 @@
         The field should be absent if there is no exit code for the event (e.g. process
         start).'
       example: 137
+      default_field: false
     - name: parent.name
       level: extended
       type: keyword
@@ -2363,6 +2369,7 @@
       format: string
       description: Process id.
       example: 4242
+      default_field: false
     - name: parent.ppid
       level: extended
       type: long

generated/ecs/ecs_flat.yml

@@ -1337,6 +1337,7 @@ event.id:
   short: Unique ID to describe the event.
   type: keyword
 event.ingested:
+  beats.default_field: false
   description: 'Timestamp when an event arrived in the central data store.
 
     This is different from `@timestamp`, which is when the event originally occurred.  It''s
@@ -1908,6 +1909,7 @@ host.architecture:
   short: Operating system architecture.
   type: keyword
 host.domain:
+  beats.default_field: false
   description: "Name of the domain of which the host is a member. \nFor example, on\
     \ Windows this could be the host's Active Directory domain or NetBIOS domain name.\
     \  For Linux this could be the domain of the host's LDAP provider."
@@ -3023,6 +3025,7 @@ package.architecture:
   short: Package architecture.
   type: keyword
 package.build_version:
+  beats.default_field: false
   description: 'Additional information about the build version of the installed package.
 
     For example use the commit SHA of a non-released package.'
@@ -3106,6 +3109,7 @@ package.path:
   short: Path where the package is installed.
   type: keyword
 package.reference:
+  beats.default_field: false
   description: Home page or reference URL of the software in this package, if available.
   example: https://golang.org
   flat_name: package.reference
@@ -3126,6 +3130,7 @@ package.size:
   short: Package size in bytes.
   type: long
 package.type:
+  beats.default_field: false
   description: 'Type of package.
 
     This should contain the package file type, rather than the package manager name.
@@ -3325,6 +3330,7 @@ process.parent.executable:
   short: Absolute path to the process executable.
   type: keyword
 process.parent.exit_code:
+  beats.default_field: false
   description: 'The exit code of the process, if this is a termination event.
 
     The field should be absent if there is no exit code for the event (e.g. process
@@ -3360,6 +3366,7 @@ process.parent.pgid:
   short: Identifier of the group of processes the process belongs to.
   type: long
 process.parent.pid:
+  beats.default_field: false
   description: Process id.
   example: 4242
   flat_name: process.parent.pid

generated/ecs/ecs_nested.yml

@@ -1549,6 +1549,7 @@ event:
       short: Unique ID to describe the event.
       type: keyword
     ingested:
+      beats.default_field: false
       description: 'Timestamp when an event arrived in the central data store.
 
         This is different from `@timestamp`, which is when the event originally occurred.  It''s
@@ -2205,6 +2206,7 @@ host:
       short: Operating system architecture.
       type: keyword
     domain:
+      beats.default_field: false
       description: "Name of the domain of which the host is a member. \nFor example,\
         \ on Windows this could be the host's Active Directory domain or NetBIOS domain\
         \ name.  For Linux this could be the domain of the host's LDAP provider."
@@ -3397,6 +3399,7 @@ package:
       short: Package architecture.
       type: keyword
     build_version:
+      beats.default_field: false
       description: 'Additional information about the build version of the installed
         package.
 
@@ -3482,6 +3485,7 @@ package:
       short: Path where the package is installed.
       type: keyword
     reference:
+      beats.default_field: false
       description: Home page or reference URL of the software in this package, if
         available.
       example: https://golang.org
@@ -3503,6 +3507,7 @@ package:
       short: Package size in bytes.
       type: long
     type:
+      beats.default_field: false
       description: 'Type of package.
 
         This should contain the package file type, rather than the package manager
@@ -3715,6 +3720,7 @@ process:
       short: Absolute path to the process executable.
       type: keyword
     parent.exit_code:
+      beats.default_field: false
       description: 'The exit code of the process, if this is a termination event.
 
         The field should be absent if there is no exit code for the event (e.g. process
@@ -3750,6 +3756,7 @@ process:
       short: Identifier of the group of processes the process belongs to.
       type: long
     parent.pid:
+      beats.default_field: false
       description: Process id.
       example: 4242
       flat_name: process.parent.pid

schemas/event.yml

@@ -283,6 +283,7 @@
       type: date
       short: Timestamp when an event arrived in the central data store.
       example: 2016-05-23T08:05:35.101Z
+      beats.default_field: false
       description: >
         Timestamp when an event arrived in the central data store.
 

schemas/host.yml

@@ -83,6 +83,7 @@
     - name: domain
       level: extended
       type: keyword
+      beats.default_field: false
       short: Name of the directory the group is a member of.
       description: >
         Name of the domain of which the host is a member. 

schemas/package.yml

@@ -24,6 +24,7 @@
     - name: build_version
       level: extended
       type: keyword
+      beats.default_field: false
       short: Build version information
       description: >
         Additional information about the build version of the installed package.
@@ -86,6 +87,7 @@
     - name: reference
       level: extended
       type: keyword
+      beats.default_field: false
       short: Package home page or reference URL
       description: >
         Home page or reference URL of the software in this package, if available.
@@ -94,6 +96,7 @@
     - name: type
       level: extended
       type: keyword
+      beats.default_field: false
       short: Package type
       description: >
         Type of package.

schemas/process.yml

@@ -38,6 +38,7 @@
       format: string
       level: core
       type: long
+      beats.default_field: false
       description: >
         Process id.
       example: 4242
@@ -308,6 +309,7 @@
       level: extended
       type: long
       example: 137
+      beats.default_field: false
       short: The exit code of the process.
       description: >
         The exit code of the process, if this is a termination event.