Collecting windows logs via winlogbeats, removing the message field via logstash before the output phase, so far my daily beats shards are 80% smaller.
With all of the fields parsed and indexed correctly are there any reasons to keep the message field?
Thanks
Phil
one reason I can think of is to enable auditing, in case something goes wrong with the parsing in the future
Thanks, i will take that into account, the logs in question would be windows logs from winlogbeat using ECS. Other logs i currently remove the message if there are no grok failures.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.