Short Version
This query isn't matching on type, sub_type, or missing_fields. I can get this query to work just fine without using the Insights regex syntax, but I'm wondering how I'm messing up the parse regex syntax.
Long Version
I have a log line in a CloudWatch Insights query that looks like:
Extra keys detected in record for schema type "type" and sub_type "sub_type". Error: extra keys not allowed @ data['a_key'],extra keys not allowed @ data['another_key'],
And I'm attempting to process it with:
filter @message like /Extra keys detected/
| parse @message /Extra keys detected in record for schema type \"\[(?<type>\S+)\"\] and sub_type \"\[(?<sub_type>\S+)\"\]. Error: (extra keys not allowed @ data\[(?<missing_fields>.*)\])*,/
This can have an arbitrary number of keys that are missing.
This query isn't capturing type and sub_type which is honestly all I really need to solve this. The grouping of the field names is a very nice bonus because it means I don't need to do any second pass processing.
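An added example, not part of the original post: the question's pattern run against the question's log line in JavaScript, whose regex engine accepts the same `(?<name>...)` group syntax. The function names and the `REPEATED` and `HEADER` patterns are illustrative assumptions, and the results show general regex behaviour rather than tested CloudWatch Insights output.

```javascript
// Constructed sample: the log line quoted in the question.
const LINE =
  'Extra keys detected in record for schema type "type" and sub_type "sub_type". ' +
  "Error: extra keys not allowed @ data['a_key'],extra keys not allowed @ data['another_key'],";

// Pattern from the question, unchanged. \"\[ ... \"\] requires a literal [ after the
// opening quote and a literal ] after the closing quote; the log line has neither.
const ORIGINAL = /Extra keys detected in record for schema type \"\[(?<type>\S+)\"\] and sub_type \"\[(?<sub_type>\S+)\"\]. Error: (extra keys not allowed @ data\[(?<missing_fields>.*)\])*,/;

// Hypothetical variant that matches the line but still captures inside a repeated group.
// A capture group inside (...)* keeps only the value from its last iteration.
const REPEATED = /schema type "(?<type>[^"]+)" and sub_type "(?<sub_type>[^"]+)"\. Error: (?:extra keys not allowed @ data\['(?<missing_fields>[^']+)'\],)*/;

// Hypothetical variant that captures the whole error list for a second pass.
const HEADER = /Extra keys detected in record for schema type "(?<type>[^"]+)" and sub_type "(?<sub_type>[^"]+)"\. Error: (?<errors>.*)/;

function originalMatches(line) {
  return ORIGINAL.test(line);
}

function lastIterationOnly(line) {
  const m = REPEATED.exec(line);
  return m ? m.groups.missing_fields : null;
}

function parseExtraKeys(line) {
  const m = HEADER.exec(line);
  if (!m) return null; // not an "Extra keys detected" record
  // Second pass: pull every data['...'] key out of the captured error list.
  const keys = Array.from(m.groups.errors.matchAll(/data\['([^']+)'\]/g), (k) => k[1]);
  return { type: m.groups.type, sub_type: m.groups.sub_type, keys };
}

console.log(originalMatches(LINE));
console.log(lastIterationOnly(LINE));
console.log(parseExtraKeys(LINE));
```
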