Matching array entries in AWS Cloudwatch log metrics filter

Question

I have JSON strings upload to AWS Cloudwatch logs and am now trying to write a filter that generates metrics from those logs.

Suppose I have JSON like the following:

{"test_results": [{"result": "success", "name": "foo", "nr_failed": 0}, {"result": "failure", "name": "bar", "nr_failed": 3}]}

The AWS Cloudwatch log metrics filter allows me to specify a pattern like the following:

{ $.test_results[0].result = "failure" }

The above means, "match the entire line if the zeroth entry in the value of 'test_results' has a value of 'failure' for its 'result' field". In this particular case, the zeroth entry had a result of 'success', so it wouldn't match. But this next line would match:

{ $.test_results[1].result = "failure" }

Now suppose I want to match the whole line if any of the entries had a value of 'failure'. Basically, I want to do this:

{ $.test_results[*].result = "failure" }

But the pattern syntax doesn't seem to allow wildcards in the array index. How can I match lines where any of the result values are "failure" ?

Alternatively, how could I pick out the numeric values for all the "nr_failed" fields in the "test_results" array and create metrics from those?

Have you found any solution to this? – Tomas Oct 12 '17 at 09:41 — Tomas, Oct 12 '17 at 09:41
Is there any known solution to this issue? – Gaim Sep 25 '19 at 11:39 — Gaim, Sep 25 '19 at 11:39

score 0 · Answer 1 · answered Jul 31 '23 at 20:27

Indeed, according to the official AWS docs there's no syntax to address your issue explicitly:

The elements in arrays follow a zero-based numbering system, meaning that the first element in the array is element 0, the second element is element 1, and so on. Enclose elements in brackets ("[]").

However there's a little hack that might be helpful for somebody who also looks for the solution. You might build query with OR (||) operator to check every item in the list:

{$.test_results[0].result = failure || $.test_results[1].result = failure}

Moreover, it does work even if actual list length is less than number of conditional arguments. So, we have to set the upper limit for the length of test_results and generate query for that.

Let's say the length of test_results would be less than 10 elements then let's generate the query with Bash:

#!/bin/bash
echo -n "{"; for i in {0..10}; do echo -n "$.test_results[$i].result = failure"; test "$i" -ne "10" && echo -n " || "; done; echo "}"

But let you know: the length of query should be less or equal to 1024 chars to work.

score -2 · Answer 2 · answered Aug 19 '22 at 12:47

-2

I found just using "failure" as a metric filter worked, it isn't particularly elegant but it might work for you.

answered Aug 19 '22 at 12:47

Baza86

1,458
1
7
10

This just looks for the `failure` string anywhere – Paolo Aug 19 '22 at 12:50
It does yes, but based on the information presented it might suffice. – Baza86 Aug 19 '22 at 13:05
You misunderstood the question. Op is looking for the `failure` value in any of the result entries – Paolo Aug 19 '22 at 13:07

Matching array entries in AWS Cloudwatch log metrics filter

2 Answers2