Remove Leading Whitespace From Log Messages

Clean up log messages using the text:trim() function

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1["Expression"] result{{Result Set}} repo --> 1 1 --> result
logscale
text:trim(message, mode=start, as="cleaned_message")

Introduction

The text:trim() function can be used to remove whitespace from strings. When using the mode parameter with value start, it removes only leading whitespace characters. The as parameter specifies the name of the field where the trimmed result is stored.

In this example, the text:trim() function is used to clean up log messages that contain unnecessary leading whitespace characters, making the data more consistent and easier to read.

Example incoming data might look like this:

csv
"@timestamp","level","message"
"2025-11-05T10:00:00Z","INFO","     Starting application server"
"2025-11-05T10:00:01Z","INFO","     Database connection established"
"2025-11-05T10:00:02Z","WARN","     Invalid user credentials"
"2025-11-05T10:00:03Z","ERROR","    Authentication service unavailable"
"2025-11-05T10:00:04Z","INFO","     User session created"

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1["Expression"] result{{Result Set}} repo --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    text:trim(message, mode=start, as="cleaned_message")

    Creates a field named cleaned_message that contains the message text with leading whitespace removed. The text:trim() function with mode=start only removes whitespace characters from the beginning of the string, preserving any trailing spaces if they exist. The as parameter specifies the output field name.

  3. Event Result set.

Summary and Results

The query is used to standardize log messages by removing unnecessary leading whitespace that might have been introduced during logging.

This query is useful, for example, to improve log message readability and consistency, especially when dealing with logs from multiple sources that might format their messages differently.

Sample output from the incoming example data:

csv
"cleaned_message","level","message"
"Starting application server","INFO","     Starting application server"
"Database connection established","INFO","     Database connection established"
"Invalid user credentials","WARN","     Invalid user credentials"
"Authentication service unavailable","ERROR","     Authentication service unavailable"
"User session created","INFO","     User session created"

Note that internal spaces between words are preserved, only the leading whitespace is removed.