
How can I exclude the @ptr field from my CloudWatch Logs Insights query?


I have this AWS CloudWatch query that I've created via the AWS CLI with aws logs start-query:

display @timestamp, @message
| sort @timestamp asc
| filter @message not like "GET / HTTP/1.1"

When using aws logs get-query-results, this query returns @timestamp & @message as needed but also an extra @ptr field.

How can I change my query to not return the @ptr field?


Solution

  • How can I change my query to not return the @ptr field?

    You can't filter out the @ptr field server-side as it's returned by GetQueryResults at the API level as the log record identifier & there's no option to exclude it from the results.


    Client-side however, some jq magic can remove the ptr field from the AWS CLI output.

    Try:

    aws logs get-query-results \
    --query-id 'xxx' \
    | jq 'del(.results[][] | select(.field == "@ptr"))'
    

    This filter tells jq to delete all objects in each array within results, where field is equal to @ptr.


    Output before filtering:

    {
      "results": [
        [
          {
            "field": "@timestamp",
            "value": "2023-09-25 22:41:44.378"
          },
          {
            "field": "@message",
            "value": "END RequestId: 69cdac96-c8d1-4935-94e4-6ce45acc4935\n"
          },
          {
            "field": "@ptr",
            "value": "Cl0KIAocNTg1NDcwMzQ2NjkyOi9hd3MvbGFtYmRhL2FhYRADEjUaGAIGUHTBkwAAAAAkeektAAZRIMOgAAACMiABKIDihfSsMTC644X0rDE4BUDRBUjiD1DpCBgAIAEQAxgB"
          }
        ]
      ],
      ...
    }
    

    Output after filtering via jq:

    {
      "results": [
        [
          {
            "field": "@timestamp",
            "value": "2023-09-25 22:41:44.378"
          },
          {
            "field": "@message",
            "value": "END RequestId: 69cdac96-c8d1-4935-94e4-6ce45acc4935\n"
          }
        ]
      ],
      ...
    }
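
Going a step beyond the jq filter in the answer, this added example (not part of the original answer) does the same @ptr removal in Python, pivots each row into one flat object, and refuses results whose status is not Complete. The sample data and the script name strip_ptr.py are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `aws logs get-query-results` output.
# Values are made up; the @ptr values are placeholders, not real pointers.
SAMPLE = {
    "status": "Complete",
    "results": [
        [
            {"field": "@timestamp", "value": "2023-09-25 22:41:44.378"},
            {"field": "@message", "value": "END RequestId: example-1\n"},
            {"field": "@ptr", "value": "PLACEHOLDER_PTR_1"},
        ],
        [
            {"field": "@timestamp", "value": "2023-09-25 22:41:45.001"},
            {"field": "@ptr", "value": "PLACEHOLDER_PTR_2"},
        ],
    ],
}


def strip_fields(response, drop=("@ptr",)):
    """Return a copy of the response with the named fields removed from every row."""
    cleaned = dict(response)
    cleaned["results"] = [
        [cell for cell in row if cell.get("field") not in drop]
        for row in response.get("results", [])
    ]
    return cleaned


def rows_as_dicts(response, drop=("@ptr",)):
    """Pivot each row's field/value pairs into one flat dict, skipping dropped fields."""
    status = response.get("status")
    if status != "Complete":
        # Results fetched while the query is still running can be partial.
        raise ValueError(f"query not complete (status={status!r})")
    return [
        {cell["field"]: cell["value"] for cell in row}
        for row in strip_fields(response, drop)["results"]
    ]


if __name__ == "__main__":
    # Usage (hypothetical file name): aws logs get-query-results --query-id 'xxx' | python3 strip_ptr.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(rows_as_dicts(data), sys.stdout, indent=2)
```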