2

I have been trying to parse the resource ARN, e.g. (arn:aws:ec2:us-east-1:0123456789:volume/vol-gg4gggs0svevb3000), to extract the vol-* in CloudWatch Logs Insights, and I am unable to get the regex pattern right with the desired result.

I have tried using the pattern below, but with no result.

parse @message /.[v,o,l].-([0-9][a-z]){0,17}/
The fourth bird
Joshua K

1 Answer

1

In the pattern that you tried, this part ([0-9][a-z]){0,17} repeats 0 to 17 times a single digit, immediately followed by a single char a-z. The maximum number of chars is therefore 34 in that particular order.

Also note that when repeating a capture group, the group value contains the value of the last iteration. In this case that will be 2 characters.

This part .[v,o,l]. can be written as .[vol,]. and matches 3 chars: a dot, which can match any char except a newline, then one of either v, o, l or , because it is a character class, and again a dot that can match any char except a newline.

Reading this page, the parts that you want to extract should be in a named capture group.

parse @message /(?<volume>vol-[0-9a-z]{17})/

The pattern matches

  • (?<volume> Named capture group volume
    • vol- Match literally
    • [0-9a-z]{17} Repeat 17 times any of the listed in the character class
  • ) Close named group


The fourth bird
  • Thank you so much. That worked. I'm also trying to merge two queries based on a common column, but I haven't found it anywhere in the document you mentioned or in any source that I can find. Any clue about it? Thanks again – Joshua K Dec 20 '20 at 01:25
  • About the question of the merging of 2 columns, unfortunately I don't have an answer to that, but you could always consider posting a new question. – The fourth bird Dec 20 '20 at 10:34
  • 1
    Sure. Thanks much – Joshua K Dec 21 '20 at 14:32
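
The answer's observations about the question's pattern, and the behaviour of its replacement, can be checked outside Logs Insights. This is an added example, not part of the original answer: it runs both patterns verbatim in JavaScript, which accepts the same (?<name>...) syntax, over constructed inputs. The helper names inspect and extractVolumes and the sample messages are assumptions.

```javascript
// Added example: all inputs below are constructed, not taken from real logs.
const ARN = "arn:aws:ec2:us-east-1:0123456789:volume/vol-gg4gggs0svevb3000";

// Pattern from the question and pattern from the answer, verbatim.
const ORIGINAL = /.[v,o,l].-([0-9][a-z]){0,17}/;
const FIXED = /(?<volume>vol-[0-9a-z]{17})/;

// Return what a regex matched and captured, or null when nothing matched.
function inspect(regex, text) {
  const m = regex.exec(text);
  if (m === null) return null;
  return {
    matched: m[0],
    // Group 1 is undefined when a repeated group ran zero times.
    group1: m[1] === undefined ? null : m[1],
    // m.groups only exists when the pattern has named groups.
    volume: m.groups && m.groups.volume !== undefined ? m.groups.volume : null,
  };
}

// Extract the volume ID from each message; messages without one yield null.
function extractVolumes(messages) {
  return messages.map((msg) => {
    const r = inspect(FIXED, msg);
    return r ? r.volume : null;
  });
}

// On the ARN, the original pattern stops at "vol-": the next char is a
// letter, so ([0-9][a-z]) repeats zero times and captures nothing.
console.log(inspect(ORIGINAL, ARN));
// A repeated group keeps only its last iteration ("3c", two characters).
console.log(inspect(ORIGINAL, "xvol-1a2b3c"));
// The comma is a literal member of the character class [v,o,l].
console.log(inspect(ORIGINAL, "a,b-1a"));

// The corrected pattern over constructed log messages.
console.log(extractVolumes([
  `{"resources":["${ARN}"]}`,
  "no volume here",
  "volume/vol-short1", // fewer than 17 characters after "vol-"
]));
```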