CloudWatch: Count number of occurrences of a specific string in logfiles

Question

I have logfiles which contain specific spring patterns. These string patterns occur frequently per log event. For example:

<abc>108</abc>xyz<abc>22222</abc>

I want to count the occurence of <abc> for a specific period of time in CloudWatch.

I did this to count the occurences per minute:

fields @timestamp
| parse @message "<abc>" as abc
| filter strcontains(@message, "<abc>")
| stats count(abc) by bin(1m)

But it just counts one for a log event that contains <abc> at least once. In the example above I would expect two.

How can I achieve this?

score 4 · Accepted Answer · answered Aug 05 '22 at 19:55

4

I don't see a single function that will give you what you need, but you can do something like this:

fields @timestamp, @message
| filter strcontains(@message, "<abc>")
| fields (strlen(@message)-strlen(replace(@message, "<abc>", ""))) / strlen("<abc>")

answered Aug 05 '22 at 19:55

Dejan Peretin

10,891
1
45
54

CloudWatch: Count number of occurrences of a specific string in logfiles

1 Answers1

Linked