Remove Fields
The Remove Fields rule strips selected fields from a log before it is indexed. Removed fields are permanently excluded from the index and will not be searchable or visible.
When to Use
- Logs contain large payload fields (e.g., raw_body, request_payload) that inflate storage without adding query value.
- High-cardinality fields (unique IDs in every log) are degrading index performance.
- Sensitive fields that slipped past application-level controls need to be dropped.
- You want to reduce per-log storage cost by removing redundant or verbose metadata.
Fields
| Field | Required | Description |
|---|---|---|
| Name | Yes | Rule identifier |
| Fields to Exclude | Yes | One or more field names to remove from the log (selected from a dropdown) |
How It Works
Before the log is indexed, the specified fields are stripped from the log object. All other fields pass through unchanged. The removed fields will not be available in log search, filters, or dashboards.

Examples
Remove Verbose Request Data
Fields to Exclude: raw_body, request_headers
Strips large request payloads and header dumps from API gateway logs, keeping only the essential metadata.
Remove Debug-Only Fields
Fields to Exclude: stack_trace, debug_context
In production, these fields add significant volume but are rarely queried. Remove them to reduce storage while keeping them available in staging/dev pipelines.
Remove Redundant Kubernetes Metadata
Fields to Exclude: kubernetes.pod_id, kubernetes.container_hash
Pod IDs and container hashes change on every restart and are rarely useful for querying. Remove them to reduce index cardinality.
Tips
- Review your highest-volume log sources to identify fields that are large but rarely queried — those are the best candidates for removal.
- Combine Remove Fields with a specific Rule Matcher so you only strip fields from workloads where they are truly unnecessary.
- Removed fields are gone permanently from the index. If you might need a field later, consider using the Rule Matcher to scope removal to specific namespaces rather than applying globally.
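To support the first tip, the following added example (not part of the product or its documentation) profiles a sample of logs and lists fields that are large or high-cardinality, as candidates for Fields to Exclude. The sample records, the thresholds, the keep list, and the mapping of dotted names such as kubernetes.pod_id to nested objects are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records standing in for an export from a high-volume source.
SAMPLE_LOGS = [
    {
        "timestamp": f"2024-01-01T00:00:0{i}Z",
        "level": "info", "status": 200,
        "raw_body": "x" * 400,
        "kubernetes": {"namespace": "payments", "pod_id": f"pod-{i:04d}"},
    }
    for i in range(4)
]

def flatten(obj, prefix=""):
    """Yield (dotted_name, value) for each leaf; dotted naming is an assumption."""
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            yield from flatten(value, name + ".")
        else:
            yield name, value

def profile_fields(logs):
    """Per field: (share of total serialized bytes, distinct-value ratio)."""
    size, seen, count = defaultdict(int), defaultdict(set), defaultdict(int)
    for log in logs:
        for name, value in flatten(log):
            encoded = json.dumps(value, sort_keys=True)
            size[name] += len(encoded.encode("utf-8"))
            seen[name].add(encoded)
            count[name] += 1
    total = sum(size.values()) or 1
    return {n: (size[n] / total, len(seen[n]) / count[n]) for n in size}

def removal_candidates(logs, keep=("timestamp",), min_share=0.25, min_distinct=0.9):
    """Map field -> reason for fields worth reviewing; thresholds are illustrative."""
    candidates = {}
    for name, (share, distinct) in profile_fields(logs).items():
        if name in keep:
            continue  # fields you always need for search, never proposed
        if share >= min_share:
            candidates[name] = "large"
        elif distinct >= min_distinct and len(logs) > 1:
            candidates[name] = "high-cardinality"
    return candidates

if __name__ == "__main__":
    for field, reason in removal_candidates(SAMPLE_LOGS).items():
        print(f"{field}: {reason}")
```

The profile only measures size and cardinality; whether a field is rarely queried still has to be checked against how the logs are actually searched before it is excluded.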