Question:
Given the following query on CloudWatch that extracts logs with messages including “entry 1456” (where 1456 is an ID), how should I extend this to take multiple IDs, and what is the corresponding CLI command?
    fields @message
    | filter @message like "entry 1456"
    | limit 10
To clarify, I’d like to filter with multiple IDs, for instance “like 1456|1257|879”. But I’m not sure of the format of the regex in such a case.
And I assume the corresponding CLI command will be something like:
    aws logs filter-log-events --log-group-name group_name --app --filter-pattern ........
Just want to make sure of the best way to formulate this.
Answer:
The syntax would be:
    fields @message
    | filter @message like /entry (1456|1257)/
    | limit 10
You could also parse the logline first and extract the value, like this:
    fields @message
    | parse @message /.*entry (?<id>\d+)/
    | filter id in [1257, 1456]
    | limit 10
Now for the CLI, you would not use the filter-log-events, but the start-query and get-query-results.
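
The two-step CLI flow mentioned above, as an added example that is not part of the original answer: it builds the multi-ID query from a list of IDs, rejecting anything that is not purely numeric so an ID value cannot alter the regex or append query commands. The function names, the one-hour time window and the one-second poll interval are assumptions; `group_name` is the placeholder from the question.

```shell
# Added example (not from the original post). build_query and run_query are
# hypothetical helper names.

# Build the Logs Insights query string for one or more numeric IDs.
# The regex is unanchored, so "1456" also matches "entry 14567".
build_query() {
    local alternation id
    alternation=""
    [ "$#" -gt 0 ] || { echo "need at least one ID" >&2; return 1; }
    for id in "$@"; do
        case "$id" in
            # Digits only: anything else could change the regex or the query.
            ''|*[!0-9]*) echo "rejecting non-numeric ID: $id" >&2; return 1 ;;
        esac
        alternation="${alternation:+$alternation|}$id"
    done
    printf 'fields @message | filter @message like /entry (%s)/ | limit 10' "$alternation"
}

# Usage: run_query group_name 1456 1257 879
# Requires the AWS CLI and credentials; searches the last hour (assumed window).
run_query() {
    local group query query_id status now
    group="$1"; shift
    query="$(build_query "$@")" || return 1
    now="$(date +%s)"
    query_id="$(aws logs start-query \
        --log-group-name "$group" \
        --start-time "$((now - 3600))" \
        --end-time "$now" \
        --query-string "$query" \
        --query 'queryId' --output text)" || return 1
    # Queries run asynchronously: poll until the status leaves Scheduled/Running.
    while :; do
        status="$(aws logs get-query-results --query-id "$query_id" \
            --query 'status' --output text)" || return 1
        case "$status" in
            Scheduled|Running) sleep 1 ;;
            *) break ;;
        esac
    done
    aws logs get-query-results --query-id "$query_id" --output json
}
```

The final `get-query-results` call prints the results together with the terminal status, so a `Failed` or `Timeout` query is visible in the output.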