Field Modifiers

The following modifiers allow you to transform field values for output.

Length Limit

Add a number as a modifier to limit a formatted field’s maximum length.

The length is counted in bytes, not characters. This matters for non-ASCII encodings.

If {MESSAGE} equals Abcdef, {MESSAGE|3} produces Abc.

Use Cases

Besides meeting the obvious requirement for a maximum field length in data exports, the length modifier also improves filter performance. For example, if you are searching for a keyword in the message text and know it is somewhere at the beginning, adding a length limit will significantly increase the filter performance. The filter then sees only the truncated text, so a keyword that lies beyond the limit is not matched.

Unoptimized filter expression: {MESSAGE} CONTAINS "keyword"
Better performance: {MESSAGE|50} CONTAINS "keyword"

UPPER / lower

Syslog Watcher provides two modifiers to convert the case of a field's text: UPPER and lower.

If {MESSAGE} equals Abc, {MESSAGE|UPPER} produces ABC
If {MESSAGE} equals Abc, {MESSAGE|lower} produces abc

Use Cases

The most common use of this modifier is to perform case-insensitive comparisons when filtering.

The filter {MESSAGE|lower} CONTAINS "login" matches login, Login, LOGIN, etc.
Optimized version of the filter if the keyword is at the beginning: {MESSAGE|50|lower} CONTAINS "login"

Blank Field Filler (Default Value)

If an empty field should be replaced by some text, use a modifier that starts with the ? symbol.

If {MESSAGE} equals Abc, {MESSAGE|?Blank} produces Abc
For blank {MESSAGE}, {MESSAGE|?Blank} produces Blank

Use Cases

For example, the modern version of the syslog protocol standard requires that missing fields in a syslog message be replaced with dashes.

Regular Expression

For the most complex cases, a field value can be transformed by a regular expression. The syntax for this modifier is a regular expression between r/ and /.

If {FIELD} equals AB-123-CD, {FIELD|r/-([0-9]+)-/} produces 123
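
The sketch below is an added example, not Syslog Watcher code: it emulates the four modifiers in Python to show how the byte-based length limit behaves on non-ASCII text and when a length-limited filter stops matching. It assumes UTF-8 input, left-to-right modifier order, that a character cut by the byte limit is dropped, and that the regex modifier yields its first capture group; the names split_expr, render and contains are hypothetical.

```python
import re

# Emulation of the modifiers described on this page; not Syslog Watcher code.
# Assumptions: UTF-8 encoding, modifiers applied left to right, a character cut
# by the byte limit is dropped, the regex modifier yields its first group.

def split_expr(expr: str) -> list[str]:
    """Split '{FIELD|mod|...}' on '|' while keeping an r/.../ modifier whole."""
    if not (expr.startswith("{") and expr.endswith("}")):
        raise ValueError("expected {FIELD|modifier|...}")
    return re.findall(r"r/.*/|[^|]+", expr[1:-1])

def render(expr: str, record: dict[str, str]) -> str:
    """Evaluate one field expression against a record of field values."""
    name, *mods = split_expr(expr)
    value = record.get(name, "")
    for mod in mods:
        if mod.isdecimal():
            # Length limit: cut on a byte boundary, then drop a split character
            value = value.encode("utf-8")[: int(mod)].decode("utf-8", "ignore")
        elif mod == "UPPER":
            value = value.upper()
        elif mod == "lower":
            value = value.lower()
        elif mod.startswith("?"):
            value = value or mod[1:]          # filler only for a blank field
        elif len(mod) > 3 and mod.startswith("r/") and mod.endswith("/"):
            m = re.search(mod[2:-1], value)
            value = ((m.group(1) if m.re.groups else m.group(0)) or "") if m else ""
        else:
            raise ValueError(f"unknown modifier: {mod!r}")
    return value

def contains(expr: str, record: dict[str, str], keyword: str) -> bool:
    """Emulates '<expr> CONTAINS "keyword"' as a substring test."""
    return keyword in render(expr, record)

if __name__ == "__main__":
    # Constructed sample messages: keyword near the start vs. past byte 50
    early = {"MESSAGE": "Login failed for user admin from 10.0.0.5"}
    late = {"MESSAGE": "sshd[411]: " + "x" * 45 + " Login failed for admin"}
    for rec in (early, late):
        print(contains("{MESSAGE|lower}", rec, "login"),
              contains("{MESSAGE|50|lower}", rec, "login"))
    print(render("{MESSAGE|3}", {"MESSAGE": "Übung"}))   # 3 bytes, 2 characters
    print(render("{FIELD|r/-([0-9]+)-/}", {"FIELD": "AB-123-CD"}))
```

In this emulation the length-limited filter matches the first message but not the second, so a limit on a detection filter should be chosen from the actual message layout of the sending device.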