Documentation for the raw field

I've found some code where applications are purposefully logging JSON instead of a message and inside that JSON logging a string into a field called raw.

My understanding is that raw is normally autocreated and we're limiting our query abilities by writing directly to it. Is that right? Is the raw field documented somewhere so I can support my request for change?

I've found some code where applications are purposefully logging JSON instead of a message and inside that JSON logging a string into a field called raw.

Can you show an example so it's clear exactly what we're talking about?

My understanding is that raw is normally autocreated and we're limiting our query abilities by writing directly to it. Is that right? Is the raw field documented somewhere so I can support my request for change?

You can certainly name fields raw; they won't collide with the .raw or .keyword subfields exposed in Elasticsearch (depending on the index's mappings). To understand the difference between fields x and x.keyword, read what the ES documentation says about text and keyword fields.

Thanks for replying :slight_smile:

So the JSON sent to Logstash would be like

{ @timestamp: "2017-04-01etc", message: { raw: "some text" }}

That's not valid JSON, but yes, structure-wise that should be okay.

Yep, wrote it by hand for example purposes :smiley:

So, in that scenario because message.raw is a string field we'd have ended up with message.raw.raw?

Yes, if it's an analyzed string field (ES prior to 5.0) or a text field (ES 5+).
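
The field paths discussed in this thread, as an added example that is not part of any post: a small Python model of a mapping in which every string field gets one exact-match subfield. The function names, the kind labels, the explicit `@timestamp` mapping and the sample events (including the timestamp value) are constructed for illustration; the code models the resulting paths and does not call Elasticsearch.

```python
# Added illustration: models which field paths a document produces when a
# dynamic template gives every string field one exact-match subfield.
# It does not talk to Elasticsearch; names and labels here are hypothetical.

def mapped_fields(doc, subfield, explicit=None, prefix=""):
    """Return {field_path: kind} for `doc`.

    subfield -- name of the exact-match subfield ("raw" or "keyword",
                depending on the index's mappings)
    explicit -- paths the mapping already defines, e.g. {"@timestamp": "date"}
    """
    explicit = explicit or {}
    fields = {}
    for name, value in doc.items():
        path = prefix + name
        if path in explicit:
            fields[path] = explicit[path]
        elif isinstance(value, dict):
            # Objects add no field of their own; their keys become dotted paths.
            fields.update(mapped_fields(value, subfield, explicit, path + "."))
        elif isinstance(value, str):
            fields[path] = "full_text"                # analyzed, for search
            fields[path + "." + subfield] = "exact"   # for terms/aggregations
        else:
            fields[path] = "other"
    return fields


def exact_paths(doc, subfield, explicit=None):
    """Paths usable for exact-match queries and aggregations."""
    found = mapped_fields(doc, subfield, explicit)
    return sorted(p for p, kind in found.items() if kind == "exact")


# Constructed sample events (valid-JSON form of the shape discussed above).
EXPLICIT = {"@timestamp": "date"}  # assumed to be mapped explicitly as a date
NESTED = {"@timestamp": "2017-04-01T00:00:00Z", "message": {"raw": "some text"}}
PLAIN = {"@timestamp": "2017-04-01T00:00:00Z", "message": "some text"}

if __name__ == "__main__":
    for label, event in (("nested", NESTED), ("plain", PLAIN)):
        for sub in ("raw", "keyword"):
            print(label, sub, exact_paths(event, sub, EXPLICIT))
```

In this model `message.raw` is the exact-match path for the plain event but the full-text path for the nested one, so a query or aggregation written for one shape targets a different kind of field on the other.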
