I’ve been ingesting log files from a firewall for a few months now. The monthly reindex size would be a couple of gigabytes on average.
Since I’ve introduced filter patterns which create separate fields, my daily indexes have increased in size dramatically, a gigabyte or more on average.
I assume introducing new fields will increase the size of the index, but this seems an unusually high number.
To troubleshoot the issue, I’ve removed the filters and pattern file, deleted the indexes and template, and I’m back to ingesting only the message field; however, daily indexes are still quite large.
Is this just a coincidence and traffic on my firewall is just much higher than before, or are there still remnants of the fields somewhere?
Thank you for your help