24

I have a basic Logstash -> Elasticsearch setup, and it turns out the 'message' field is not required after the Logstash filter has done its job - storing this raw message field in Elasticsearch is only adding unnecessary data to storage imo.

Can I safely delete this field, and would it cause any trouble to ES? Any advice or readings are welcome, thanks all.

James Jiang

3 Answers

37

No, it will not cause any trouble to ES. You can delete the message field if it is redundant or unused.

You can add this filter to the end of the filters.

mutate {
  remove_field => [ "message" ]
}
Ban-Chuan Lim
    ProTip: Most filters (such as grok) also allow the remove_field option, and will only remove the field if the filter does not encounter an error. That can be both safer and easier than using an additional mutate filter. – Brian Papantonio May 11 '17 at 05:58
11

You can also do this within the json filter.

filter {
  json {
    source => "message"
    remove_field => ["message"]
  }
}
Steve
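The behaviour described in the comment and the json filter answer above, as an added example that is not from any of the posters: `remove_field` on the json filter drops `message` only for events that parse, and events tagged `_jsonparsefailure` keep the raw line and go to a separate index so that unparsed data is not lost silently. The index name `myindex-unparsed` is an assumption; the port, host and `myindex` follow the values used elsewhere on this page.

```logstash
# Added example; host, port and index names are placeholders.
input {
  tcp {
    # The default codec for this input is "line", which stores each line in "message".
    port => 5044
  }
}

filter {
  json {
    source => "message"
    # Applied only when parsing succeeds; a malformed line keeps its raw text.
    remove_field => ["message"]
    # This is the default tag, written out so the output conditional is explicit.
    tag_on_failure => ["_jsonparsefailure"]
  }
}

output {
  if "_jsonparsefailure" in [tags] {
    # Unparsed events still carry "message"; keep them apart for review.
    elasticsearch {
      hosts => ["localhost"]
      index => "myindex-unparsed"
    }
  } else {
    # Parsed events contain only the extracted fields.
    elasticsearch {
      hosts => ["localhost"]
      index => "myindex"
    }
  }
}
```

Watching the document count in the unparsed index shows when a source changes format or starts sending lines the filter cannot handle.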
0

I would have added the following as a comment to the answer by Ben Lim, but I do not know how to add a code block in a comment, or even whether that is possible...

If you can use a combination of input and codec that does not create a message field, then you do not need to remove it.

For example, the following combination of input and codec (JSON Lines over TCP) does not create a message field:

input {
  tcp {
    port => 5044
    codec => json_lines
  }
}
output {
  elasticsearch {
    hosts => ["localhost"]
    document_type => "mytype"
    index => "myindex"
  }
}
Graham Hannington