Suppose I have a simple Insights query like so
fields @timestamp, @message
Is there a way to truncate the @message field. For example, say I only want to skip the 1st 50 characters.
I know I can use the parse function but is there a simpler way, an substring equivalent that I can use in the fields line perhaps
There is a substr function:
Returns a substring from the index specified by the number argument to the end of the string. If the function has a second number argument, it contains the length of the substring to be retrieved. For example, substr("xyZfooxyZ",3, 3) returns "foo".
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html
One approach is to use the substr function in your CloudWatch Logs Insights query. This function allows you to extract a substring from a field value.
Here's an example query that demonstrates how to truncate the @message field to a maximum of 50 characters:
fields @timestamp, substr(@message, 0, 50) as message
| filter @message like "XXXXXX"
| sort @timestamp asc
In this query, the substr function is applied to the @message field. It takes three arguments: the field to truncate, the starting index (0 in this case, indicating the beginning of the field), and the maximum length of the substring (50 characters in this example). The truncated field is then aliased as message.
However, it's important to note that the truncation only affects the collapsed version of the log. When you expand the log entry, you will see the full untruncated version of the @message field. The truncation is applied for display purposes in the query result, making it easier to analyze and view logs within the limited space available.
