Field Modifiers

The basic modifiers below let you change the content of a field value for output.

Length Limit

Add a number as a modifier to limit a formatted field's maximum length (in bytes).

Warning

The length is counted in bytes, not characters. This matters for non-ASCII encodings, where a single character can occupy more than one byte.

Example

If {MESSAGE} equals Abcdef, {MESSAGE|3} produces Abc

Use Cases

Besides meeting maximum field length requirements for data export, the length modifier is used to improve filter performance. For example, if you are searching for a keyword in the message text and know it is somewhere at the beginning, adding a length limit will significantly increase the filter performance. The filter then examines only the bytes up to the limit, so a keyword that appears later in the message will not match.

Example

Not optimized filter expression: {MESSAGE} CONTAINS "keyword"
Better performance: {MESSAGE|50} CONTAINS "keyword"

UPPER / lower

Syslog Watcher provides two modifiers to convert the casing of a field text: UPPER and lower.

Example

If {MESSAGE} equals Abc, {MESSAGE|UPPER} produces ABC
If {MESSAGE} equals Abc, {MESSAGE|lower} produces abc

Use Cases

The most common use of this modifier is to perform case-insensitive comparisons when filtering.

Example

Filter {MESSAGE|lower} CONTAINS "login" matches login, Login, LOGIN, etc.
Optimized version of the filter if the keyword is at the beginning: {MESSAGE|50|lower} CONTAINS "login"

Blank Field Filler (Default Value)

If an empty field should be replaced by some text, use a modifier that starts with the ? symbol.

Example

If {MESSAGE} equals Abc, {MESSAGE|?Blank} produces Abc
For blank {MESSAGE}, {MESSAGE|?Blank} produces Blank

Use Cases

For example, the modern version of the syslog protocol standard requires that missing fields in a syslog message be replaced with dashes.

Regular Expression

For the most complex cases, a field value can be transformed by a regular expression. The syntax for this modifier is a regular expression between r/ and /. In the example below, the output is the text captured by the parenthesized group.

Example

If {FIELD} equals AB-123-CD, {FIELD|r/-([0-9]+)-/} produces 123
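
The Python sketch below is an added example, not Syslog Watcher code: it models the modifiers described on this page to show how a byte-based length limit interacts with non-ASCII text in a filter. It assumes UTF-8 encoding, that a character split by the limit is dropped, and that the regular-expression modifier returns the first capture group; `apply_modifiers`, `render`, `contains` and `SAMPLE` are hypothetical names.

```python
import re

# Constructed sample: 12 Cyrillic letters (2 bytes each in UTF-8) precede the keyword.
SAMPLE = "Пользователь admin: LOGIN failed"

def apply_modifiers(value, modifiers, encoding="utf-8"):
    """Apply modifiers left to right, as in {FIELD|mod1|mod2}."""
    for mod in modifiers:
        if mod.isdigit():
            # Length limit counts bytes. Assumption: a character cut in
            # half by the limit is dropped from the output.
            raw = value.encode(encoding)[:int(mod)]
            value = raw.decode(encoding, errors="ignore")
        elif mod == "UPPER":
            value = value.upper()
        elif mod == "lower":
            value = value.lower()
        elif mod.startswith("?"):
            value = value or mod[1:]
        elif mod.startswith("r/") and mod.endswith("/") and len(mod) > 3:
            m = re.search(mod[2:-1], value)
            # Assumption: first capture group if present, else whole match;
            # empty string when nothing matches.
            value = "" if m is None else (m.group(1 if m.re.groups else 0) or "")
        else:
            raise ValueError(f"unknown modifier: {mod!r}")
    return value

def render(expr, fields):
    """Evaluate one {NAME|modifier|...} expression against a dict of fields."""
    name, _, rest = expr.strip("{}").partition("|")
    # Keep an r/.../ modifier whole even when the pattern contains '|'.
    modifiers = re.findall(r"r/.*?/(?=\||$)|[^|]+", rest)
    return apply_modifiers(fields.get(name, ""), modifiers)

def contains(expr, keyword, fields):
    """Model of the filter: <expr> CONTAINS "keyword"."""
    return keyword in render(expr, fields)

if __name__ == "__main__":
    event = {"MESSAGE": SAMPLE}
    print(render("{MESSAGE|30}", event))                   # cut at 30 bytes
    print(contains("{MESSAGE|lower}", "login", event))     # whole message searched
    print(contains("{MESSAGE|30|lower}", "login", event))  # only first 30 bytes searched
```

In the constructed sample the keyword starts at character 20 but at byte 32, so a 30-byte limit hides it from the filter even though it sits well within the first 30 characters.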