Drop Single Field from Events

Remove the header field from all events using the drop() function

Query

drop(header)

Introduction

The drop() function can be used to remove unwanted fields from events, helping to clean up data and reduce storage requirements.

In this example, the drop() function is used to remove the header field from all events in the dataset.

Example incoming data might look like this:

| @timestamp | header | message | status | user_id |
| --- | --- | --- | --- | --- |
| 2025-09-15T10:00:00Z | HTTP/1.1 | User login successful | 200 | user123 |
| 2025-09-15T10:00:01Z | HTTP/1.1 | File uploaded | 201 | user456 |
| 2025-09-15T10:00:02Z | HTTP/2.0 | Authentication failed | 401 | user789 |
| 2025-09-15T10:00:03Z | HTTP/1.1 | Data retrieved | 200 | user123 |
| 2025-09-15T10:00:04Z | HTTP/2.0 | Connection timeout | 408 | user456 |

Step-by-Step

  1. Starting with the source repository events.

  2. drop(header)

    Removes the header field from all events. The drop() function permanently eliminates the specified field from the event data, reducing the amount of data stored and processed in subsequent operations.

  3. Event Result set.

Summary and Results

The query is used to remove the header field from all events in the dataset.

This query is useful, for example, to clean up log data by removing redundant protocol information, eliminate sensitive fields before sharing data, or reduce data volume by dropping unnecessary metadata fields.

Sample output from the incoming example data:

| @timestamp | message | status | user_id |
| --- | --- | --- | --- |
| 2025-09-15T10:00:00Z | User login successful | 200 | user123 |
| 2025-09-15T10:00:01Z | File uploaded | 201 | user456 |
| 2025-09-15T10:00:02Z | Authentication failed | 401 | user789 |
| 2025-09-15T10:00:03Z | Data retrieved | 200 | user123 |
| 2025-09-15T10:00:04Z | Connection timeout | 408 | user456 |

Note that once a field is dropped, it cannot be recovered in subsequent operations within the same query. The header field is completely removed from all events.