Rename event.raw to log.message

The `event` prefix should only contain meta information about the event itself. `event.raw` contained actual event data and it was not the place I was searching for the field. All events which make use of a raw message are log events. I don't expect metric events to require the field. Because of this putting it under `log` seemed natural to me. The field `log.message` is a keyword to make sure it only matches exact searches and is not confused with the `message` field. It can be use to reprocessing of log events or to show log integrity. revert change on event.raw update changelog do not store source and doc_values update description add diff cleanup
elastic · Jun 11, 2018 · ec5f621 · ec5f621
1 parent b87c730
commit ec5f621
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,5 +13,6 @@ All notable changes to this project will be documented in this file based on the
 * Adds cloud.account.id for top level organizational level. #11
 * Add `http.response.status_code` and `http.response.body` fields. #4
 * Add fields for Operating System data. #5
+* Add `log.message`. #3
 
 ### Deprecated
diff --git a/README.md b/README.md
@@ -276,6 +276,7 @@ Fields which are specific to log events.
 | <a name="log.level"></a>`log.level`  | Log level of the log event.<br/>Some examples are `WARN`, `ERR`, `INFO`.  | keyword  |   | `ERR`  |
 | <a name="log.line"></a>`log.line`  | Line number the log event was collected from.  | long  |   | `18`  |
 | <a name="log.offset"></a>`log.offset`  | Offset of the beginning of the log event.  | long  |   | `12`  |
+| <a name="log.message"></a>`log.message`  | This is the log message and contains the full log message before splitting it up in multiple parts.<br/>In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message.<br/>This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`.  | keyword  |   | `Sep 19 08:26:10 localhost My log`  |
 
 
 ## <a name="network"></a> Network fields

diff --git a/schema.csv b/schema.csv
@@ -88,6 +88,7 @@ kubernetes.namespace,keyword,0,
 kubernetes.pod.name,keyword,0,
 log.level,keyword,0,ERR
 log.line,long,0,18
+log.message,keyword,1,Sep 19 08:26:10 localhost My log
 log.offset,long,0,12
 network.direction,keyword,0,inbound
 network.forwarded_ip,ip,0,192.1.1.2

diff --git a/schemas/log.yml b/schemas/log.yml
@@ -21,3 +21,20 @@
       description: >
         Offset of the beginning of the log event.
       example: 12
+    - name: message
+      type: keyword
+      phase: 1
+      example: "Sep 19 08:26:10 localhost My log"
+      index: false
+      doc_values: false
+      description: >
+        This is the log message and contains the full log message before
+        splitting it up in multiple parts.
+
+        In contrast to the `message` field which can contain an extracted part
+        of the log message, this field contains the original, full log message.
+        It can have already some modifications applied like encoding or new
+        lines removed to clean up the log message.
+
+        This field is not indexed and doc_values are disabled so it can't be
+        queried but the value can be retrieved from `_source`.
diff --git a/template.json b/template.json
@@ -459,6 +459,12 @@
             "line": {
               "type": "long"
             },
+            "message": {
+              "doc_values": false,
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
             "offset": {
               "type": "long"
             }