Preserve Original

Hi Team,

Would enabling preserve original in my integration actually consume a large amount of disk space on my Elastic server?

Thanks in advance

Preserving the original would indeed add storage consumption. What this will do is store the original "raw" event in the event.original as a text field.

In my experience it is not significant (doubling or something like that). But as text fields are "not optimized", you will notice that your disk utilization increases when dealing with bulk (all events).

Whether or not to enable this depends on your use case and requirements. If you are only interested in monitoring and searching, it does not add value. It might (press f to doubt) add value during investigation, but all information should be parsed into usable distinct fields anyway.

The only real reason where I can see it is applicable is when for audit/compliance purposes you would need to store the original raw event.

2 Likes