Reputation: 2183
Can I delete the message field from Logstash?
I have a basic Logstash -> Elasticsearch setup, and it turns out the 'message' field is not required after the logstash filter done its job - storing this raw message field to elasticsearch is only adding unnecessary data to storage imo.
Can I safely delete this field and would it cause any trouble to ES? advices or readings are welcome, thanks all.
Upvotes: 24
Views: 26118
Answers (3)
Reputation: 1957
I would have added the following as a comment to the answer by Ben Lim, but I do not know how to add a code block in a comment, or even whether that is possible...
If you can use a combination of input and codec that does not create a message field, then you do not need to remove it.
For example, the following combination of input and codec (JSON Lines over TCP) does not create a message field:
input {
tcp {
port => 5044
codec => json_lines
}
}
output {
elasticsearch {
hosts => ["localhost"]
document_type => "mytype"
index => "myindex"
}
}
Upvotes: 0
Reputation: 7098
You can also do this within the json filter.
filter {
json {
source => "message"
remove_field => ["message"]
}
}
Upvotes: 11
Reputation: 7890
No, it will not cause any trouble to ES. You can delete message field if it is redundant or unused.
You can add this filter to end of the filters.
mutate
{
remove_field => [ "message" ]
}
Upvotes: 38
Related Questions
- Removing grok matched field after using it
- How to change “message” value in index
- Remove Field from event by pattern
- Leave out default Logstash fields in ElasticSearch
- Logstash delete type and keep _type
- How to remove selected text from Logstash "message" field
- Remove unnecessary fields in ElasticSearch
- Remove an event field and reference it in Logstash
- How to remove an event from logstash?
- elasticsearch message field value