The offset field - what is it?


#1

For inputs that use the multiline codec, a field is created called “offset” and it is stored in Elasticsearch. What does this field represent, or what is it used for? I am guessing it is the location of the first character in the log entry (or the last) in the log file that was parsed.

Finally, is it safe to remove this from log entries for Elasticsearch, or should it remain (for example, to link one document with another)? It doesn’t seem like Elasticsearch metadata, but since it is an auto-created field by the multiline codec, I was unsure if I could safely delete it without the multiline codec ceasing to function correctly.

