8

For logs sent to AWS CloudWatch Logs, I want to create a metric filter separating a numeric field from the log matching pattern. As per the documentation, there is an expression like [w1=word_pattern1||word_pattern2, w2, ...] to get fields (based on a space separator/delimiter). But my logs have some other separators, such as : or ,. So is there any way of parsing such fields using some regex pattern?

sample log pattern: date-time:action:filename:status

e.g.

2018-11-02 12:23:00:delete-file:filename-20180709:done

or like

2018-11-02 12:23:00, deleting-file filename-20180709 done

I can parse the log line for file code with grok regex like:

(?<date>[\w-]+ [\w:]+), (?<action>\w+-\w+) filename-(?<file-code>\d{8}) \w+

but I'm not able to find any equivalent for the metric filter. Is it possible?

v_sukt

2 Answers

15

I used to work in the team that built CloudWatch Logs. At the time of writing, regular expressions are not supported in metric filters.

Daniel Vassallo
2

I'm trying to do something similar. Instead of using metric filters, you might be able to parse the required field using CloudWatch Logs Insights and filter upon the results. There you can use glob or regex according to this:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax-examples.html

Mike
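
The Logs Insights approach suggested in the second answer, written out for the two sample lines in the question. This is an added example, not part of either answer. The field names log_time, action, file_code and status are assumptions chosen here, with file_code using an underscore in place of the hyphen in the question's grok group name.

```cloudwatch-logs-insights
# Added example. One regex covers both sample layouts from the question:
#   2018-11-02 12:23:00:delete-file:filename-20180709:done
#   2018-11-02 12:23:00, deleting-file filename-20180709 done
fields @timestamp, @message
# The timestamp is matched with fixed widths so its own colons are not
# mistaken for the ":" field separator used in the first layout.
| parse @message /^(?<log_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[:,] ?(?<action>[\w-]+)[: ]filename-(?<file_code>\d{8})[: ](?<status>\w+)$/
# Lines that do not match leave the parsed fields unset; drop them.
| filter ispresent(file_code)
# Aggregate on the extracted fields, per hour.
| stats count(*) as events by action, status, bin(1h)
| sort events desc
```

Replacing the stats line with `| display log_time, action, file_code, status` lists the extracted fields per log line.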