Elasticsearch Output and the raw field

elvarb · May 15, 2015, 1:54pm

Now that the elasticsearch output no longer gives you a message.raw field by default

From the changelog

Logstash does not create a "message.raw" by default whic is usually not_analyzed; this helps save disk space (#11)
Logstash will not create a message.raw field by default now. Message field is not_analyzed by Elasticsearch and adding a multi-field was essentially doubling the disk space required, with no benefit

The issue goes into enabling it again by modifying the default mapping though.

And this issue shows the method

How would I go about disabling the .raw field for other large fields?

warkolm · May 15, 2015, 10:11pm

You need to alter the mapping in Elasticsearch and then just remove those fields.

curl localhost:9200/_template/logstash to get the existing mapping template.

Topic		Replies	Views
How to create message.raw field to be analyzed Elasticsearch	2	1229	July 5, 2017
Message.raw in logstash 2 Logstash	6	1723	July 6, 2017
Kibana .raw fields and "message" field Logstash	9	13994	July 6, 2017
Documentation for the raw field Logstash	6	611	January 9, 2018
Logstash Elasticsearch output - one field only Logstash	6	752	November 10, 2022