Cloudwatch insight grok extract json as field

Question

I am trying to extra a json field which can be either null or array.

example logs is;

04 Jun 2020 09:48:00,741 [32m[INFO] [m 4277a4fa-13fe-49f9-8348-9c515c988481  Class1: Method1: {"property1":"property1Value","property2":["string1", "string2"] , "property3": "property3Value"  }
04 Jun 2020 09:48:00,741 [32m[INFO] [m 4277a4fa-13fe-49f9-8348-9c515c988481  Class1: Method1: {"property1":"property1Value","property2":null , "property3": "property3Value"  }

Currently I am able to write a grok pattern which can either extract if property 2 is array

| parse "*property2*]*" as blah1, property2, blah2

Is there a way I can extract out null also here ?

Os is there a way to just convert @message to json object ?

score 0 · Answer 1 · answered Jul 17 '20 at 11:20

You can use (?:case1|case2) for case1 or case2.
For your example: "property2":(?:null|\[(?<property2>.*?)])

This gives:

for input "property2":["string1", "string2"] (your first log line):
"property2": [[ ""string1", "string2"" ]]

for input "property2":null (your second log line):
"property2": [[ null ]]

You can test it at http://grokdebug.herokuapp.com/

Cloudwatch insight grok extract json as field

1 Answers1