How to use CloudWatch Insights Regex to don't return after first match, but return a collection

Question

I have many rows in my CloudWatch logs that are JSON objects like this:

{
    "friends": [
        { "name": "bob"},
        { "name": "steve"},
        { "name": "joe" }
    ]
}

Using CloudWatch Regex expressions, I would like to extract all the names. I already have a regex that returns the values that I want to:

/"name":[ ]*"([^"]*)"/g

As you can see running in this link: https://regex101.com/r/Bb28Pg/2

Using the CloudWatch grammar, that regex becomes this command:

fields @message
| filter @message like /"friends":/
| parse @message /"name":[ ]*"(?<@name>[^"]*)"/

But this expression only returns the first name, "bob" in the example. I want to get them all. I have tried adding the /g at the end of the expression, but that did not help. I try to find some information in the official docs https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html, but I could not find anything related to this subject.

There is a similar question of this in the Cloudwatch Insights search in multiline logs, but that one is not using parse command and also has no answer.

I have the same question. @Thiago Mata, Were you able to get a solution to this problem? — Mukund Manikarnike, Jul 25 '22 at 17:29
The best solution that I could find was applying one Regex for each value that I wanted to extract, just as in the example in the answer below. — Thiago Mata, Jul 26 '22 at 03:56

score 0 · Answer 1 · answered Feb 26 '20 at 02:54

For a limited and well-known number of child nodes, I could find a very ugly way to do it:

fileds @message
| filter @message like /"friends":/
| parse @message /"name":[ ]*"(?<@name1>[^"]*)"/
| parse @message /"name"(?:(?!"name")(.|\n))+]*"name":[ ]*"([?<@name2>^"]*)/
| parse @message /"name"(?:(?!"name")(.|\n))+]*"name"(?:(?!"name")(.|\n))+]*"name":[ ]*"(?<@name3>[^"]*)/

Basically, it says: search for the name keyword, then keep searching for anything that is not the name keyword, then extract everything between the quotes after the second name keyword. In a similar way to the @name3 but now, jumping to keywords. You can play with this regex in this link https://regex101.com/r/Bb28Pg/3.

With a little extra effort, it is possible to combine all of them in a huge regex.

This is not the solution that I was searching for. But it may be useful to someone.

Here a similar version of the regex but a little better for reading: ```("name"(?:(?!"name")(.|\n))+]*){2}"name":[ ]*"([^"]*)``` https://regex101.com/r/Bb28Pg/4` — Thiago Mata, Apr 06 '20 at 23:56

How to use CloudWatch Insights Regex to don't return after first match, but return a collection

1 Answers1