How to filter cloudwatch logs on variable field names?

Asked Mar 03 '23 at 10:19

Active Mar 03 '23 at 11:26

Viewed 190 times

Cloudwatch turns our log arrays into numbered fieldnames.

Accessed.file.0 565
...
Accessed.file.## 810

The number of fieldnames is not fixed. Is there way I can search all fields for matching value.

So far my solution is just to generate a search with Access.file.## to go from 1 to 20. But this won't work for searches for 2 matches, or when the number of Accessed.file goes over 20.

fields @timestamp, @message, @logStream, @log
| filter Accessed.file.0=148 or
Accessed.file.1 = 148 or 
Accessed.file.3 = 148 or
Accessed.file.4 = 148 or
Accessed.file.5 = 148 or
Accessed.file.6 = 148 or
Accessed.file.7 = 148 or
Accessed.file.8 = 148 or
Accessed.file.9 = 148 or
Accessed.file.10 = 148 or
Accessed.file.11= 148 or
Accessed.file.12 = 148 or
Accessed.file.13 = 148 or
Accessed.file.14 = 148 or
Accessed.file.15 = 148 or
Accessed.file.16 = 148 or
Accessed.file.17 = 148 or
Accessed.file.18 = 148 or
Accessed.file.19 = 148 or
Accessed.file.20 = 148 or
Accessed.file.21 = 148
| sort @timestamp desc
| limit 20

edited Mar 03 '23 at 11:26

asked Mar 03 '23 at 10:19

OrigamiEye

How to filter cloudwatch logs on variable field names?

0 Answers0