How do I determine the size of a field I add during Pipeline processing? I know there is the ES plugin that creates a new _size field that shows entire message size, but I don’t need to know how big my messages are indefinitely nor do I want to use up more Licensing volume with a meta field. I just need to calculate once during development how many bytes my new field and value use.
Here’s my Pipeline Rule:
// List of conditionals:
// Create new field, set value to Boolean True/False:
Note that the value for the new “test” field is a Boolean not a String. So a value of True would be the same size as a value of False. If these were Strings, “False” would be 1 byte larger than “True” since it has 1 more ASCII character.
So would my new
"test"=true field/value pair amount to 8 bytes (includes quotes and equal sign), or would it take up 11 bytes (translating Boolean True to String “True”)?
My first thought would be 8 bytes because True is Boolean. However when that log is archived, what happens to the ‘True’ value? I don’t see how it can be retained as a Boolean since it is exported to a G-zipped tarball and takes up 4 spaces when printed to the Linux terminal.
So in regards to Graylog Licensing volume, how many bytes would