Storing logs: 'message' field doubles index size?

John16 · January 30, 2017, 6:46pm

Hello,

I am using filebeat + logstash to store logs in ES.
When I browse my index data, I see structured fields my log lines are parsed into (date, http return code, request line, etc) as well as 'message' field which represents the whole log line itself.

So as far as I understand, every log line is stored twice: first time in structured format, and second time as a whole in 'message' field.

Why? Is it possible to get rid of this duplication and to trim that 'message' in order to save some disk space?

Thanks.

Christian_Dahlqvist · January 30, 2017, 7:21pm

You can add a mutate filter and remove the message field in Logstash. If you would like to keep it, but do not need to be able to search it, you can alter the index template and set the message field to be not indexed, which probably will save a fair amount of space.

system · February 27, 2017, 7:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch message field limit? Elasticsearch	1	1022	March 19, 2018
Fields in messages Logstash	4	1522	February 23, 2018
Multi Fields Diadvantage Elasticsearch	7	441	June 13, 2020
Added new field to index, how to enable it for all previous data? Logstash	1	321	February 7, 2020
Same message being sent twice Logstash	5	744	August 24, 2018

Storing logs: 'message' field doubles index size?

Related topics