I am trying to parse AWS CloudWatch logs, which have error logs as follows:
[ERROR] timestamp requestID message1 {'A', 'B', 'C'} message2.
[ERROR] timestamp requestID message1 {'A'} message2.
[ERROR] timestamp requestID message1 {'A'} message2.
[ERROR] timestamp requestID message1 {'B', 'A'} message2.
I want to read the items inside the dictionary and create a count plot of them. If the item count is 1, I am able to use the following parsing query; however, it breaks when I have more than 1 item:
filter @message like /ERROR/
| parse "message1 {*}" as type
| stats count() as count by type
I get the output as:
item count
'A', 'B', 'C' - 1
'A' - 2
'B', 'A' - 1
The desired output was:
'A' - 4
'B' - 2
'C' - 1
I am not sure how to break up the dictionary and get the count on it.
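
One way to get the per-item counts described above, as an added example that is not part of the original post: the `parse` glob captures the whole brace contents as a single string, so this splits it client-side in Python over exported log messages. The function name, timestamps, request IDs and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample messages in the shape shown in the question.
SAMPLE_MESSAGES = [
    "[ERROR] 2024-01-01T00:00:00Z req-1 message1 {'A', 'B', 'C'} message2.",
    "[ERROR] 2024-01-01T00:00:01Z req-2 message1 {'A'} message2.",
    "[ERROR] 2024-01-01T00:00:02Z req-3 message1 {'A'} message2.",
    "[ERROR] 2024-01-01T00:00:03Z req-4 message1 {'B', 'A'} message2.",
    "[INFO] 2024-01-01T00:00:04Z req-5 message1 {'C'} message2.",  # not an error
    "[ERROR] 2024-01-01T00:00:05Z req-6 something else entirely",   # no braces
]

# Same anchor text as the question's parse pattern: "message1 {*}".
BRACES = re.compile(r"message1 \{([^}]*)\}")
# Each quoted item inside the braces.
ITEM = re.compile(r"'([^']*)'")


def count_items(messages):
    """Count, per item, how many ERROR messages mention it inside the braces."""
    counts = Counter()
    for msg in messages:
        if not msg.startswith("[ERROR]"):
            continue  # mirrors the ERROR filter in the query
        match = BRACES.search(msg)
        if match is None:
            continue  # ERROR line without the brace section
        # set() so an item repeated within one line counts once per log event
        counts.update(set(ITEM.findall(match.group(1))))
    return counts


if __name__ == "__main__":
    for item, n in count_items(SAMPLE_MESSAGES).most_common():
        print(f"'{item}' - {n}")
```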