Current query:

```
fields  @message
| filter @message like /ABCD/
| stats count(@message)
```

Result: @messages 1 55. Now I need to add more filters to this query, like /BCDE/, /EFGH/, /IJKL/, ... The expected result should be like @ABCD @BCDE @EFGH @IJKL... 55 66 77 88.

Can I get it like this? All the search keywords must be searched in the entire CloudWatch log.

Ru Chern Chong
Kiran Kumar

1 Answer


This should work for you:

```
fields  @message
| filter @message like /ABCD|BCDE|EFGH|IJKL/
| fields strcontains(@message, "ABCD") as @CONTAINS_ABCD,
         strcontains(@message, "BCDE") as @CONTAINS_BCDE,
         strcontains(@message, "EFGH") as @CONTAINS_EFGH,
         strcontains(@message, "IJKL") as @CONTAINS_IJKL
| stats sum(@CONTAINS_ABCD) as @ABCD,
        sum(@CONTAINS_BCDE) as @BCDE,
        sum(@CONTAINS_EFGH) as @EFGH,
        sum(@CONTAINS_IJKL) as @IJKL
```
Dejan Peretin
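An added example, not part of the answer above: a small Python helper that generates the same query shape for any keyword list, escaping regex metacharacters in the `like /.../` filter. The function name `build_keyword_count_query` is hypothetical; rejecting keywords that contain double quotes or backslashes (instead of escaping them inside the `strcontains` literal) is a conservative assumption. Because `strcontains` yields 1 or 0 per event, each column counts log events that contain the keyword, not total occurrences.

```python
import re

_META = re.compile(r"([.^$*+?()\[\]{}|/])")  # regex metacharacters plus the / delimiter
_UNSAFE = re.compile(r'["\\\x00-\x1f]')       # not placed inside a quoted literal here


def build_keyword_count_query(keywords):
    """Build one Logs Insights query with a count column per keyword."""
    if not keywords:
        raise ValueError("need at least one keyword")
    aliases = []
    for kw in keywords:
        if not kw or _UNSAFE.search(kw):
            raise ValueError(f"unsupported keyword: {kw!r}")
        # Column names keep only letters, digits and underscore.
        alias = re.sub(r"[^A-Za-z0-9_]", "_", kw)
        if alias in aliases:
            raise ValueError(f"keywords collide on column name: {alias}")
        aliases.append(alias)

    # Pre-filter so later stages only see events matching at least one keyword.
    pattern = "|".join(_META.sub(r"\\\1", kw) for kw in keywords)
    flags = ",\n         ".join(
        f'strcontains(@message, "{kw}") as @CONTAINS_{a}'
        for kw, a in zip(keywords, aliases))
    sums = ",\n        ".join(f"sum(@CONTAINS_{a}) as @{a}" for a in aliases)
    return (f"fields @message\n"
            f"| filter @message like /{pattern}/\n"
            f"| fields {flags}\n"
            f"| stats {sums}")


if __name__ == "__main__":
    # Constructed keyword list; the first four come from the question.
    print(build_keyword_count_query(
        ["ABCD", "BCDE", "EFGH", "IJKL", "login.failed"]))
```
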