Make default_field: false the default for v8.0

[adriansr]

In the past, we used to add all fields to the index index.query.default_field list (see this doc for an explanation of what it does).

When Filebeat grew close to 1024 fields, we started having problems due to the limit of 1024 fields in index.query.default_field. To workaround this issue, the ability to decide whether a field must be included in the list was added (see #14262). The default_field configuration for fields was introduced, and to maintain the number of fields below 1024 it was decided to configure all new fields with default_field: false.

For 8.0, we want to change this behavior, so that all fields are excluded by default, and configure fields with default_field: true only when it's meaningful to do so (i.e. ECS fields).

[adriansr]

Here's the current size of the default_field index template setting for the different Beats:

Beat	default_field length
auditbeat	626
filebeat	567
heartbeat	382
journalbeat	309
metricbeat	794
packetbeat	657
winlogbeat	487
x-pack/auditbeat	669
x-pack/filebeat	946
x-pack/functionbeat	359
x-pack/heartbeat	382
x-pack/metricbeat	917
x-pack/osquerybeat	359
x-pack/packetbeat	657
x-pack/winlogbeat	514

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)