In graylog: What are the differences between message and full_message field?

Question

I assume that one of these fields is the log message as it enters graylog (message) and the other how graylog saves it after adding its own metadata.

Is this correct? Is there more to it?

The Title question is a copy of Kevin Wittek's comment here: Searching in Graylog2 full_message

Which i found while trying to research this issue.

Answer 1

You are correct that one of them is intended to be the entire message as it was received by Graylog before any parsing. That is the full_message field. Many inputs have a Store full message configuration option that will enable storing it. full_message is an optional field on each message.

The message field is one of the three required fields that every message must have within Graylog (the two others being source and timestamp). It is the one that is displayed on the message table in the search page, see the blue text in the example below.

Since it is the field displayed there, it is often parsed into a more human readable format of the log message to get the point across a bit more succinctly than the full message. However, if there is no special parsing done by the input itself or any pipelines then the message field will end up being the full message as it was received by Graylog.

Hope that clears up the difference between the two somewhat related fields!