
What is the difference between display and fields directives in CloudWatch Logs Insights query syntax?

These are descriptions from the AWS documentation that look very similar to me:

display: Specifies which fields to display in the query results.

fields: Retrieves the specified fields from log events for display.

As an example, I have logs stored in Cloudwatch in this structure (with these fields):

  • @timestamp
  • @message
  • stream (stdout|stderr)
  • kubernetes.namespace_name
  • ...

Here are examples of valid queries that confuse me:

  1. I can display any non-retrieved field:

     limit 8
     | display @message, stream

  2. I can display a field even if I haven't specified it in fields:

     fields @message, stream
     | limit 8
     | display @message, stream, kubernetes.namespace_name

  3. It doesn't matter if I specify a field in fields when parsing:

     fields @message
     | parse @message "[*] *" as loggingType, loggingMessage
     | display loggingMessage

     parse @message "[*] *" as loggingType, loggingMessage
     | display loggingMessage

What is the meaning of the fields directive? Wouldn't it be enough to just use display?

illagrenan

1 Answer


By my reading of the documentation, fields would be used during the query, and display only for presentation at the end. display is also only effective once (the last invocation is used).

What I mean is that in the example:

fields concat(Operation, '-', StatusCode) as opStatus

I don't think you could use display to do the same thing.

You might want to gather multiple fields to calculate a value (using fields), or filter some fields for speed, but only display the final result at the end.

shearn89
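The following query is an added example, not part of the question or the answer above, that puts the two directives side by side in one pipeline. It assumes the log fields listed in the question (`stream`, `kubernetes.namespace_name`) and messages in the `[LEVEL] text` shape that the question's `parse` pattern implies; the `source` alias and the `ERROR` level value are constructed for illustration. Every `fields`, `parse` and `filter` stage contributes to the computation (here: surfacing error lines per namespace for triage), while the single `display` at the end only decides which columns the reader sees.

```text
# Retrieve the raw fields the later stages need (fields, not display).
fields @timestamp, @message, stream, kubernetes.namespace_name
# Derive loggingType/loggingMessage from the message text.
| parse @message "[*] *" as loggingType, loggingMessage
# Compute a new field; display could not create this value.
| fields concat(kubernetes.namespace_name, '/', stream) as source
# Narrow the result set before it is returned (cheaper than filtering client-side).
| filter loggingType = "ERROR"
| sort @timestamp desc
| limit 50
# Presentation only: the last display wins, and it may omit fields used above.
| display @timestamp, source, loggingMessage
```

Removing the `display` line returns every field that `fields` and `parse` produced (including `@message` and `loggingType`); keeping it hides those intermediate columns without changing which events are matched.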