Large data blobs embedded in logs. Full HTTP response bodies, entire database records, massive stack traces. Fields that add kilobytes to every log event. One log event with a 10KB response body, fired 100,000 times a day, is 1GB of storage a day for a single log pattern.

Example

{
  "@timestamp": "2024-01-15T10:30:00Z",
  "service.name": "order-service",
  "event": "order.created",
  "order_id": "ORD-12345",
  "http.response.body": "{\"id\":\"ORD-12345\",\"items\":[{\"sku\":\"SKU-001\",\"name\":\"Widget Pro\",\"quantity\":2,\"price\":29.99},{\"sku\":\"SKU-002\",\"name\":\"Gadget Plus\",\"quantity\":1,\"price\":49.99}],\"shipping\":{\"method\":\"express\",\"address\":{\"street\":\"123 Main St\",\"city\":\"Seattle\",\"state\":\"WA\",\"zip\":\"98101\",\"country\":\"US\"}},\"billing\":{\"method\":\"card\",\"last4\":\"4242\"},\"totals\":{\"subtotal\":109.97,\"shipping\":12.99,\"tax\":10.45,\"total\":133.41}}"
}

id: remove-response-body-order-service
name: Remove response body from order-service
description: Drop full HTTP response body. The order_id is sufficient for lookup.
log:
  match:
    - resource_attribute: service.name
      exact: order-service
    - log_attribute: event
      exact: order.created
  transform:
    remove:
      - log_attribute: http.response.body

Open PRs

Fix at the source. The developer who added this logging should decide what to keep.
Unlike infrastructure noise, excessive payloads are usually intentional logging decisions. The right fix is often to log less in the first place. The developer knows whether that response body is actually useful.

How it works

Tero flags fields that are obviously too large. Full HTTP response bodies, entire serialized objects, 500-line stack traces. These aren’t borderline cases - they’re kilobytes of data embedded in every log. Obviously wrong.
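
A sketch of this kind of check, added here as an example and not Tero's implementation: it measures each attribute's serialized size, flags the ones over a limit, applies the policy's exact-match and remove semantics, and estimates the daily saving. The 1024-byte limit, the function names, the flattened event dict and the sample event are assumptions made for illustration.

```python
import json

LIMIT_BYTES = 1024  # assumed threshold; the page does not state the one Tero uses

def field_sizes(event):
    """UTF-8 size in bytes of each attribute value as it would be serialized."""
    return {k: len(json.dumps(v).encode("utf-8")) for k, v in event.items()}

def oversized_fields(event, limit=LIMIT_BYTES):
    """Attributes whose serialized value exceeds the limit, largest first."""
    big = [(k, n) for k, n in field_sizes(event).items() if n > limit]
    return sorted(big, key=lambda kv: kv[1], reverse=True)

def apply_policy(event, match, remove):
    """Drop the `remove` attributes only when every exact-match condition holds."""
    if all(event.get(attr) == want for attr, want in match.items()):
        return {k: v for k, v in event.items() if k not in remove}
    return event

def daily_bytes_saved(event, trimmed, events_per_day):
    """Bytes no longer stored per day once the trimmed form replaces the event."""
    before = len(json.dumps(event).encode("utf-8"))
    after = len(json.dumps(trimmed).encode("utf-8"))
    return (before - after) * events_per_day

# Constructed sample event shaped like the page's example (body is synthetic).
body = json.dumps({"id": "ORD-12345",
                   "items": [{"sku": f"SKU-{i:03d}", "name": "Widget Pro",
                              "quantity": 1, "price": 29.99} for i in range(40)]})
EVENT = {"@timestamp": "2024-01-15T10:30:00Z", "service.name": "order-service",
         "event": "order.created", "order_id": "ORD-12345",
         "http.response.body": body}
# Resource and log attributes are flattened into one dict for this sketch.
MATCH = {"service.name": "order-service", "event": "order.created"}
REMOVE = {"http.response.body"}

if __name__ == "__main__":
    print(oversized_fields(EVENT))
    trimmed = apply_policy(EVENT, MATCH, REMOVE)
    print(daily_bytes_saved(EVENT, trimmed, 100_000), "bytes/day saved")
```

The response body in the page's example also carries a shipping address and the last four digits of a card, so removing it shrinks the sensitive data held in logs as well as the volume.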