Now that the elasticsearch output no longer gives you a message.raw field by default
From the changelog
- Logstash does not create a "message.raw" by default which is usually not_analyzed; this helps save disk space (#11)
- Logstash will not create a message.raw field by default now. Message field is not_analyzed by Elasticsearch and adding a multi-field was essentially doubling the disk space required, with no benefit
The issue goes into enabling it again by modifying the default mapping though.
And this issue shows the method
How would I go about disabling the .raw field for other large fields?