What is the difference between display and fields directives in CloudWatch Logs Insights query syntax?
These are descriptions from the AWS documentation that look very similar to me:
display:
Specifies which fields to display in the query results.
fields:
Retrieves the specified fields from log events for display.
As an example, I have logs stored in CloudWatch in this structure (with these fields):
- @timestamp
- @message
- stream (stdout|stderr)
- kubernetes.namespace_name
- ...
Here are examples of valid queries that confuse me:
- I can display any non-retrieved field:
limit 8
| display @message, stream
- I can display a field even if I haven't specified it in fields.
fields @message, stream
| limit 8
| display @message, stream, kubernetes.namespace_name
- It doesn't matter if I specify a field in fields when parsing:
fields @message
| parse @message "[*] *" as loggingType, loggingMessage
| display loggingMessage

parse @message "[*] *" as loggingType, loggingMessage
| display loggingMessage
What is the meaning of the fields directive? Wouldn't it be enough to just use display?