Removes ANSI color codes and movement commands.
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale SyntaxstripAnsiCodes("value")and:
logscale SyntaxstripAnsiCodes(field="value")These examples show basic structure only.
stripAnsiCodes() Syntax Examples
Remove the ANSI escape codes from the message field.
message := "\x1b[93;41mColor"
| stripAnsiCodes(message)
| @display := messageRemove all ANSI escape codes from @rawstring
stripAnsiCodes()stripAnsiCodes() Examples
Click next to an example below to get the full details.
Remove ANSI Escape Codes From Text
Clean text containing ANSI color codes using the
stripAnsiCodes() function
Query
message := "\x1b[93;41mColor"
stripAnsiCodes(message)
@display := messageIntroduction
In this example, the stripAnsiCodes() function is
used to clean a text field containing ANSI color codes and assign the
result to a display field.
Example incoming data might look like this:
| @timestamp | message |
|---|---|
| 2025-08-06T10:15:30.000Z | \x1b[93;41mColor |
Step-by-Step
Starting with the source repository events.
- logscale
message := "\x1b[93;41mColor"Creates a variable message containing text with ANSI escape codes. The sequence
\x1b[93;41msets bright yellow text (93) on a red background (41). - logscale
stripAnsiCodes(message)Removes all ANSI escape sequences from the content of the message field, leaving only the plain text.
- logscale
@display := messageAssigns the cleaned text to the @display field for output.
Event Result set.
Summary and Results
The query is used to clean text by removing ANSI escape codes that control color and formatting in terminal output.
This query is useful, for example, to process log files that contain terminal output or to clean data for display in interfaces that don't support ANSI formatting.
Sample output from the incoming example data:
| @timestamp | @timestamp.nanos | @timezone | @display | message |
|---|---|---|---|---|
| 1754475330000 | 0 | Z | Color | \x1b[93;41mColor |
Remove ANSI Escape Codes from Default Field
Remove ANSI Escape Codes from Default Field using the
stripAnsiCodes() function without parameters
Query
stripAnsiCodes()Introduction
In this example, the stripAnsiCodes() function is
used to clean ANSI escape codes from the default field.
Example incoming data might look like this:
| @timestamp | @rawstring |
|---|---|
| 2025-08-06T10:15:30.000Z | \x1b[93;41mWarning: System overload\x1b[0m |
| 2025-08-06T10:15:31.000Z | \x1b[32mStatus: Normal\x1b[0m |
| 2025-08-06T10:15:32.000Z | \x1b[31mError: Connection failed\x1b[0m |
Step-by-Step
Starting with the source repository events.
- logscale
stripAnsiCodes()Removes all ANSI escape sequences from the default field. When no field is specified, the function processes the @rawstring field, removing color codes and other ANSI formatting sequences while preserving the plain text content.
Event Result set.
Summary and Results
The query is used to clean text by removing ANSI escape codes that control color and formatting in terminal output, operating on the default field.
This query is useful, for example, to process raw log data that contains terminal output with color coding, making the text suitable for analysis and display in any context.
Sample output from the incoming example data:
| @timestamp | @timestamp.nanos | @timezone | @rawstring |
|---|---|---|---|
| 1754475330000 | 0 | Z | Warning: System overload |
| 1754475331000 | 0 | Z | Status: Normal |
| 1754475332000 | 0 | Z | Error: Connection failed |