CloudWatch Logs Insights – Difference Between Display and Fields Directives

amazon-cloudwatchamazon-web-services

What is the difference between display and fields directives in CloudWatch Logs Insights query syntax?

These are descriptions from the AWS documentation that look very similar to me :

display: Specifies which fields to display in the query results.

fields: Retrieves the specified fields from log events for display.

As an example, I have logs stored in Cloudwatch in this structure (with these fields):

@timestamp
@message
stream (stdout|stderr)
kubernetes.namespace_name
…

Here are examples of valid queries that confuse me:

I can display any non-retrieved field:

limit 8
| display @message, stream

I can display a field even if I haven't specified it in fields.

fields @message, stream
| limit 8
| display @message, stream, kubernetes.namespace_name

It doesn't matter if I specify a field in fields when parsing:

fields @message
| parse @message "[*] *" as loggingType, loggingMessage
| display loggingMessage

parse @message "[*] *" as loggingType, loggingMessage
| display loggingMessage

What is the meaning of the fields directive? Wouldn't it be enough to just use display?

Best Answer

The difference in fields and display commands is that fields behavior is cumulative and display is not (replace-like behavior).

From the CloudWatch Logs Insights query syntax guideline:

If your query contains multiple fields commands and doesn't include a display command, you'll display all of the fields that are specified in the fields commands.

So a display command would replace the output defined by any preceding display or fields commands (or any other command that defines ephemeral fields), and the fields would add to the currently defined output.

Examples:

Returns @timestamp, @message, @logStream, @log fields

fields @timestamp, @message, @logStream, @log
| sort @timestamp desc
| limit 20

Returns @message

fields @timestamp, @message, @logStream, @log
| sort @timestamp desc
| limit 20
| display @message

Returns @message, requestId, text, hasRequestId

fields @timestamp, @message, @logStream, @log
| sort @timestamp desc
| limit 20
| display @message
| parse @message "(*) *" as requestId, text
| fields !isblank("requestId") as hasRequestId

The last example defines ephemeral fields using parse command (these do not have @ in the beginning) and expression field defined by last fields command

Related Solutions

AWS Cloudwatch monitoring – what is the difference between Average, Sum, and Maximum

Cloudwath keeps the data in 5 minutes or 1 minute intervals (depending whether you choose detailed monitoring or not). You asked for a 3 days representation in 1 hour intervals and this means that for every hour it will compute the data this way (depending how you choose):

Average: it calculates the average of data for every hour (based on your [1 or 5] minutes data)

# for 5 minutes intervals data
# the denominator value of 12 comes from the fact that there are 12 5-minute intervals in an hour
( 2 + 3 + 5 + ... ) / 12

Sum: sums up all numbers received in that hour

( 2 + 3 + 5 + ... )

Max: it chooses the maximum number received in that hour.

max(2, 3, 5, ...)

Docker – Best way to log to two different CloudWatch log streams from an ECS container

About the audit log, would you like to share what do you want to audit? In general, for this kind of purpose you may want to use CloudTrail or GuardDuty.

Best Answer

Related Solutions

AWS Cloudwatch monitoring – what is the difference between Average, Sum, and Maximum

Docker – Best way to log to two different CloudWatch log streams from an ECS container

Related Topic