AWS Cloudwatch Logs Insights: Query into array

Question

I have a Log Group with this kind of messages.

{
  "m": [
    {
      "id": "5b6973c7c86e8689368b4569",
      "ts": 1634112000.062
    },
        {
      "id": "6116d21e02e38f5045079c42",
      "ts": 1634120807.402
    },
    {
      "id": "60c368ff1085fc0d546fad52",
      "ts": 1634120807.512
    },
    {
      "id": "6053536817a46610797ed472",
      "ts": 1634120809.249
    }
  ]
}

I want to run a query over the field m.*.ts (It's an array). Something like this...

fields @message
| filter (m.*.ts > 1634112000.062 and m.*.ts < 1634120807.000 )

It's posible?

score 0 · Answer 1 · answered Dec 16 '21 at 00:19

0

fields @message
  | parse @message "[*] *" as id, ts
  | filter (ts > 1634112000.062 and ts <  1634120807.000)

answered Dec 16 '21 at 00:19

smcrowley

451
3
10

Could you add some explnation to your answer please. – YLR Dec 20 '21 at 13:47

Transformer · Answer 2 · 2021-12-16T06:13:32.263

0

Hi I don't know what format you want, so try this and you can adapt it, many more samples here on AWS

Option 1: helps you break it down in steps to debug

fields @message
  |"[*] *" as id, ts
  | filter ts > 1634112000.062 
  | filter ts < 1634120807.000

Option 2:

fields @message
  | parse @message '[] * {"*"}' as id, ts
  | filter (ts > 1634112000.062 and ts <  1634120807.000)

edited Dec 16 '21 at 06:13

answered Dec 16 '21 at 06:03

Transformer

6,963
2
26
52

AWS Cloudwatch Logs Insights: Query into array

2 Answers2