Drop Multiple Fields from Events

Remove multiple fields from all events using an array and the drop() function

Query

Flowchart: Events -> Drop Field -> Result Set

logscale
drop([header,value])

Introduction

The drop() function can be used to remove multiple unwanted fields from events simultaneously, helping to clean up data and reduce storage requirements efficiently.

In this example, the drop() function is used to remove both the header and value fields from all events in the dataset using an array syntax.

Example incoming data might look like this:

@timestamp             header    message                status  value        user_id
2025-09-15T10:00:00Z   HTTP/1.1  User login successful  200     temp_data    user123
2025-09-15T10:00:01Z   HTTP/1.1  File uploaded          201     cache_info   user456
2025-09-15T10:00:02Z   HTTP/2.0  Authentication failed  401     debug_val    user789
2025-09-15T10:00:03Z   HTTP/1.1  Data retrieved         200     session_id   user123
2025-09-15T10:00:04Z   HTTP/2.0  Connection timeout     408     retry_count  user456

Step-by-Step

  1. Starting with the source repository events.

     Flowchart: Events -> Drop Field (highlighted step) -> Result Set
    logscale
    drop([header,value])

    Removes both the header and value fields from all events using array syntax. The drop() function accepts an array of field names enclosed in square brackets, allowing multiple fields to be eliminated simultaneously in a single operation.

  3. Event result set.

Summary and Results

The query is used to remove multiple fields (header and value) from all events in the dataset in a single operation.

This query is useful, for example, to clean up log data by removing multiple redundant fields at once, eliminate several sensitive or temporary fields before data export, or reduce data volume efficiently by dropping multiple unnecessary metadata fields simultaneously.

Sample output from the incoming example data:

@timestamp             message                status  user_id
2025-09-15T10:00:00Z   User login successful  200     user123
2025-09-15T10:00:01Z   File uploaded          201     user456
2025-09-15T10:00:02Z   Authentication failed  401     user789
2025-09-15T10:00:03Z   Data retrieved         200     user123
2025-09-15T10:00:04Z   Connection timeout     408     user456

Note that once fields are dropped, they cannot be recovered in subsequent operations within the same query. Both the header and value fields are completely removed from all events. Using array syntax is more efficient than multiple separate drop() operations.
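Because a dropped field is gone for the rest of the pipeline, the position of drop() relative to any filter on that field matters. As an added example (not part of the original page), this query over the sample data above first selects the two HTTP/2.0 events and only then removes header and value; reversing the two steps would match no events, since header no longer exists at that point:

```logscale
// Filter on header while it still exists, then drop the fields
// that are not needed in the exported result set.
header="HTTP/2.0"
| drop([header, value])
```

With the incoming example data this returns the user789 and user456 events (status 401 and 408) with only @timestamp, message, status and user_id remaining.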