
Is there a way to extract status codes from the sample logs below using boto3? They both belong to one CloudWatch log group. I was able to query either one of them, but not both. Can you help me?

2020-04-28 16:45:11,466 - elasticsearch - INFO - GET http://0.0.0.0:9200/sampledata/_search [status:200 request:0.004s]

2020-04-28 16:45:11,186 - werkzeug - INFO - 0.0.0.0 - - [28/Apr/2020 16:45:11] "POST /v1/savesampledata HTTP/1.1" 200 -

thanks.

ashwin

1 Answer

I think the following Logs Insights query is what you're looking for:

parse @message /status:(?<status1>\d{3})/ | parse @message /" (?<status2>\d{3})/ | fields coalesce(status1, status2) as status

If you have the opportunity, consider sending JSON key / value pairs to CloudWatch Logs. It will make your life easier when querying because the fields are automatically discovered and extracted for you.

For example, given a log event like this: { "method": "POST", "status": 200 }

Your query would simply be:

fields status

gangreen
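Added example (not code from the question or the answer above): the same two patterns and the coalesce step applied locally to the two sample lines, plus a helper that submits the answer's Logs Insights query through boto3's `start_query` / `get_query_results` and polls until it finishes. The log group name and time range are assumptions passed in by the caller; the client is whatever `boto3.client("logs")` returns.

```python
import re
import time

# Constructed sample events mirroring the two formats in the question.
SAMPLE_EVENTS = [
    "2020-04-28 16:45:11,466 - elasticsearch - INFO - GET http://0.0.0.0:9200/sampledata/_search [status:200 request:0.004s]",
    '2020-04-28 16:45:11,186 - werkzeug - INFO - 0.0.0.0 - - [28/Apr/2020 16:45:11] "POST /v1/savesampledata HTTP/1.1" 200 -',
]

# The two patterns from the Logs Insights query, as Python regexes.
ES_STATUS = re.compile(r"status:(?P<status1>\d{3})")
WERKZEUG_STATUS = re.compile(r'" (?P<status2>\d{3})')

# The Logs Insights query from the answer: parse both formats, coalesce into one field.
INSIGHTS_QUERY = (
    "parse @message /status:(?<status1>\\d{3})/"
    " | parse @message /\" (?<status2>\\d{3})/"
    " | fields coalesce(status1, status2) as status"
)


def extract_status(message):
    """Local equivalent of coalesce(status1, status2): first matching pattern wins."""
    for pattern in (ES_STATUS, WERKZEUG_STATUS):
        match = pattern.search(message)
        if match:
            return int(match.group(1))
    return None  # event carries no recognisable status code


def run_status_query(logs_client, log_group, start_time, end_time, poll_seconds=1.0):
    """Submit INSIGHTS_QUERY via a boto3 CloudWatch Logs client and return the status codes.

    log_group, start_time and end_time (epoch seconds) are supplied by the caller.
    """
    query_id = logs_client.start_query(
        logGroupName=log_group,
        startTime=int(start_time),
        endTime=int(end_time),
        queryString=INSIGHTS_QUERY,
    )["queryId"]
    while True:  # Insights queries are asynchronous; poll until a terminal status
        resp = logs_client.get_query_results(queryId=query_id)
        if resp["status"] in ("Complete", "Failed", "Cancelled", "Timeout"):
            break
        time.sleep(poll_seconds)
    # Each result row is a list of {"field": ..., "value": ...} dicts.
    return [int(col["value"]) for row in resp.get("results", []) for col in row
            if col["field"] == "status" and col["value"].isdigit()]
```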