
I have the below query to get data from a CloudWatch log:

  fields @timestamp, @user, @fileName, @fileType, strcontains(@message,'downloaded') or strcontains(@message,'unauthorized') as status
| parse @message /(?<@user>(?<=User\s).*(?=\shas))/
| parse @message /(?<@fileName>(?<=file\s).+(?=,))/
| parse @message /(?<@fileType>(?<=type\s).+(?="))/

I'm facing an issue in selecting the status column value. If strcontains(@message,'downloaded') then I want to display the status column value as 'Downloaded', and if strcontains(@message,'unauthorized') I want to display the status column value as 'Unauthorized'.

Can someone provide input here to improve the query to fetch the desired results? Any help is appreciated.

Nilesh Gupta

0 Answers
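The query above builds its status column from `strcontains(...) or strcontains(...)`, which can only yield true or false, never a label. The Logs Insights way to get the word itself into a field is a further parse clause that captures the keyword, e.g. `| parse @message /(?<status>downloaded|unauthorized)/`. The Python below is an added example, not part of the question or an answer to it: it reproduces the same three extractions on constructed sample lines offline, captures the keyword as the status, and maps it to the capitalised label the question asks for, with the edge cases (a message that carries neither keyword, or no recognisable structure at all) handled explicitly. The message layout `User <name> has <action> file <name>, type "<ext>"` and all sample values are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not taken from the question); the layout
# 'User <name> has <action> ... file <name>, type "<ext>"' is assumed.
SAMPLE_MESSAGES = [
    'User alice has downloaded file report.pdf, type "pdf"',
    'User bob has unauthorized access to file payroll.xlsx, type "xlsx"',
    'User carol has downloaded file notes.txt, type "txt"',
    'User dave has deleted file old.log, type "log"',
]

# Same extractions as the question's three parse clauses (@user, @fileName,
# @fileType), written as one regex with named groups.
FIELD_RE = re.compile(
    r'User\s(?P<user>.+?)\shas\s'
    r'.*?file\s(?P<fileName>[^,]+),\stype\s"(?P<fileType>[^"]+)"'
)

# Capturing the keyword itself is what a boolean strcontains() cannot do.
STATUS_RE = re.compile(r'\b(downloaded|unauthorized)\b')

# Keyword found in the message -> label to display in the status column.
STATUS_LABELS = {"downloaded": "Downloaded", "unauthorized": "Unauthorized"}


def status_of(message: str) -> str:
    """Return the display label for the first known keyword, or 'Unknown'."""
    m = STATUS_RE.search(message)
    return STATUS_LABELS[m.group(1)] if m else "Unknown"


def parse_message(message: str) -> Optional[Dict[str, str]]:
    """Extract user, fileName, fileType and status; None if the line has no
    recognisable structure (the Logs Insights parse would leave blanks)."""
    m = FIELD_RE.search(message)
    if m is None:
        return None
    row = m.groupdict()
    row["status"] = status_of(message)
    return row


def parse_messages(messages: List[str]) -> List[Dict[str, str]]:
    """Parse every line, dropping the ones that do not match the layout."""
    return [r for r in (parse_message(x) for x in messages) if r is not None]


def count_by_status(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally rows per status label, the figure a reviewer of access logs
    usually wants first (how many 'Unauthorized' events, and for whom)."""
    counts: Dict[str, int] = {}
    for row in rows:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in parse_messages(SAMPLE_MESSAGES):
        print(row)
    print(count_by_status(parse_messages(SAMPLE_MESSAGES)))
```

Note that the keyword match is case-sensitive, like `strcontains` in the query, and that a line mentioning both keywords takes the first one found; if both can occur in one message, decide which should win before relying on the label.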