CloudWatch Logs Insights display a filed from the Json in the log message

Question

This is my log entry from AWS API Gateway: (8d036972-0445) Method request body before transformations: {"TransactionAmount":225.00,"OrderID":"1545623982","PayInfo":{"Method":"ec","TransactionAmount":225.00},"CFeeProcess":0}

I want to write a CloudWatch Logs Insights query which can display AWS request id, present in the first parenthesis and the order id present in the json.

I'm able to get the AWS request id by parsing the message. How can I get the OrderID json field?

Any help is greatly appreciated.

| parse @message "(*)  Method request body before transformations: *" as awsReqId,JsonBody
#| filter OrderID = "1545623982" This did not work
| display awsReqId,OrderID
| limit 20

score 0 · Answer 1 · answered Feb 01 '23 at 10:27

0

You can do it with two parse steps, like this:

fields @message
| parse @message "(*) Method request body before transformations: *" as awsReqId, JsonBody
| parse JsonBody "\"OrderID\":\"*\"" as OrderId
| filter OrderID = "1545623982"
| display awsReqId,OrderID
| limit 20

Edit: Actually, they way you're doing it should also work. I think it doesn't work because you have 2 space characters between brackets and the word Method here (*) Method. Try removing 1 space.

answered Feb 01 '23 at 10:27

Dejan Peretin

10,891
1
45
54

The second parsing works fine and I can get the OrderID. However I putting the filter OrderID = "1545623982" without doing the second parse does not work. I also see that filter OrderID = "1545623982" is not working with second parsing either. – ICICI81 Feb 01 '23 at 16:23

CloudWatch Logs Insights display a filed from the Json in the log message

1 Answers1