Hi,
I would like to know how to delete automaticaly fild after many day.
For exemple I would like to delete the field “full_message” after 1 month.
I beleive that I must to create à new index but I don’t know how to do. I’m a beginner to Graylog 
Thx
While you can delete messages (or rather complete indices) after a certain amount of time via index rotation and retention, it’s not possible to remove a single message field after some time.
One possible solution could be to store messages twice: One time in an index set with relatively short lifetime (e. g. 1 month) and the complete message (including the “full_message” field), and a second time into an index set with longer lifetime but only with a subset of the information.
You could implement this using the processing pipelines.
Also see clone_message() and remove_field().
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
