Cloudwatch: merging the result from 2 fields into one

Question

fields @timestamp, @message
| parse durationMs /(?<duration>[\d]+ )/
| parse message /(GET \/[^\s]+ [\d]+ )(?<responseTime>[\d]+)/ 
| display @timestamp, duration, responseTime
| sort @timestamp desc

This query works for me and fetches the values. The query is currently parsing the durationMs field and getting the value into duration field. Also parsing message field and getting the value into responseTime field.

I am looking for a way to parse durationMs and message fields and get the value into only one field. Is this possible? Please help.

score 1 · Answer 1 · answered Jan 20 '23 at 18:11

coalesce function did the job for me.

fields @timestamp, @message
| parse durationMs /(?<duration>[\d]+ )/
| parse message /(GET \/[^\s]+ [\d]+ )(?<responseTime>[\d]+)/ 
| display @timestamp, coalesce(duration, responseTime) as response_time
| sort @timestamp desc

Cloudwatch: merging the result from 2 fields into one

1 Answers1