Is there a way to truncate a field value in CloudWatch?

Question

Suppose I have a simple Insights query like so

fields @timestamp, @message

Is there a way to truncate the @message field. For example, say I only want to skip the 1st 50 characters.

I know I can use the parse function but is there a simpler way, an substring equivalent that I can use in the fields line perhaps

Answer 1

One approach is to use the substr function in your CloudWatch Logs Insights query. This function allows you to extract a substring from a field value.

Here's an example query that demonstrates how to truncate the @message field to a maximum of 50 characters:

fields @timestamp, substr(@message, 0, 50) as message
| filter @message like "XXXXXX"
| sort @timestamp asc

In this query, the substr function is applied to the @message field. It takes three arguments: the field to truncate, the starting index (0 in this case, indicating the beginning of the field), and the maximum length of the substring (50 characters in this example). The truncated field is then aliased as message.

However, it's important to note that the truncation only affects the collapsed version of the log. When you expand the log entry, you will see the full untruncated version of the @message field. The truncation is applied for display purposes in the query result, making it easier to analyze and view logs within the limited space available.

Answer 2

There is a substr function:

Returns a substring from the index specified by the number argument to the end of the string. If the function has a second number argument, it contains the length of the substring to be retrieved. For example, substr("xyZfooxyZ",3, 3) returns "foo".

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html