I'm streaming the Auth0 logs to the CloudWatch log group and now I would like to query the logs for occurrences of each of the Log Event Type Codes.
The type is in the field: detail.data.type
as in this example:
Field              Value
---------------------------------------------------------
@ingestionTime     1684845468149
@logStream         f802329f-3cf2-3378-91a1-9f3ed9dfca20
@message           {"version":"0","id": ...}
@timestamp         1684845467000
detail-type        Auth0 log
detail.data.ip     11.22.33.444
detail.data.log_id 90022
detail.data.type   seacft
Currently, I'm running this query to count occurrences of each Log event type:
fields @timestamp, detail.data.type
| stats count(detail.data.type) as occurrence_count by detail.data.type
which produces a somewhat unclear result:

    detail.data.type   occurrence_count
1   ssa                4
2   seacft             5
3   s                  2
4   scp                1
5   scpr               1
6   fp                 1
7   fcpr               1
8   fu                 2
What I want to do is to replace the enigmatic

ssa
s
fp

with the corresponding

Success Silent Auth
Success Login
Failed Login (Incorrect Password)

    Event Type                 occurrence_count
1   Success Silent Auth        4
3   Success Login              2
6   Failed Login (Password)    1
Can it be done with replace()?
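An added example, not part of the question above: Logs Insights `replace()` is a substring replacement, so chaining one call per code mangles overlapping codes (the "s" of "Success Login" also matches inside "ssa"). The script below simulates that behaviour to show the problem, then labels the stats rows client-side with an exact-match lookup, flagging any code that is not in the mapping so a new or unexpected Auth0 event type is noticed instead of silently relabelled. The mapping takes `ssa`, `s` and `fp` from the question and the other codes from Auth0's log event type documentation; the result rows are constructed in the shape `get_query_results()` returns, and `run_query` assumes AWS credentials are already configured.

```python
"""Label Auth0 log event type codes in CloudWatch Logs Insights results.

Added example (not from the original question). Shows why nested replace()
calls fail on overlapping codes and does the mapping client-side instead.
"""
import time
from typing import Dict, List

# ssa / s / fp are from the question; the rest follow Auth0's documented codes.
AUTH0_EVENT_TYPES: Dict[str, str] = {
    "ssa": "Success Silent Auth",
    "s": "Success Login",
    "fp": "Failed Login (Incorrect Password)",
    "fu": "Failed Login (Invalid Email/Username)",
    "seacft": "Success Exchange (Authorization Code for Access Token)",
    "scp": "Success Change Password",
    "scpr": "Success Change Password Request",
    "fcpr": "Failed Change Password Request",
}

# The query from the question, unchanged; labelling happens after it runs.
QUERY = (
    "fields @timestamp, detail.data.type\n"
    "| stats count(detail.data.type) as occurrence_count by detail.data.type"
)

# Constructed sample in the shape get_query_results()["results"] has for a
# stats query: one list of {"field", "value"} cells per row. "zzz" is a
# made-up code to exercise the unknown-code path.
SAMPLE_RESULTS = [
    [{"field": "detail.data.type", "value": "ssa"}, {"field": "occurrence_count", "value": "4"}],
    [{"field": "detail.data.type", "value": "seacft"}, {"field": "occurrence_count", "value": "5"}],
    [{"field": "detail.data.type", "value": "s"}, {"field": "occurrence_count", "value": "2"}],
    [{"field": "detail.data.type", "value": "fp"}, {"field": "occurrence_count", "value": "1"}],
    [{"field": "detail.data.type", "value": "zzz"}, {"field": "occurrence_count", "value": "3"}],
]


def chained_replace(value: str, mapping: Dict[str, str]) -> str:
    """Simulate nested Logs Insights replace() calls: plain substring
    replacement applied one code after another. Demonstrates the problem
    only; "ssa" contains "s", so the label is corrupted whatever the order."""
    for code, label in mapping.items():
        value = value.replace(code, label)
    return value


def label_results(results, mapping: Dict[str, str]) -> List[dict]:
    """Convert stats rows into [{type, event_type, count}] with an exact-match
    lookup, sorted by count descending. Unknown codes are kept and flagged."""
    labelled = []
    for row in results:
        cells = {cell["field"]: cell["value"] for cell in row}
        code = cells.get("detail.data.type", "")
        labelled.append({
            "type": code,
            "event_type": mapping.get(code, f"UNKNOWN ({code})"),
            "count": int(cells.get("occurrence_count", "0")),
        })
    return sorted(labelled, key=lambda r: r["count"], reverse=True)


def unknown_codes(results, mapping: Dict[str, str]) -> List[str]:
    """Codes present in the results but absent from the mapping; worth a
    look, since a code you have never seen may be a new event category."""
    seen = {r["type"] for r in label_results(results, mapping)}
    return sorted(seen - set(mapping))


def run_query(log_group: str, start_time: int, end_time: int, query: str = QUERY):
    """Run the query through boto3 and return the raw result rows.
    Assumes configured AWS credentials; not exercised offline."""
    import boto3  # lazy import so the rest of the module runs without it

    logs = boto3.client("logs")
    query_id = logs.start_query(
        logGroupName=log_group, startTime=start_time,
        endTime=end_time, queryString=query,
    )["queryId"]
    while True:
        resp = logs.get_query_results(queryId=query_id)
        if resp["status"] in ("Complete", "Failed", "Cancelled", "Timeout"):
            return resp["results"]
        time.sleep(1)


if __name__ == "__main__":
    print("chained replace() on 'ssa' gives:", repr(chained_replace("ssa", AUTH0_EVENT_TYPES)))
    for row in label_results(SAMPLE_RESULTS, AUTH0_EVENT_TYPES):
        print(f"{row['event_type']:<55} {row['count']}")
    print("unmapped codes:", unknown_codes(SAMPLE_RESULTS, AUTH0_EVENT_TYPES))
```

To use it against a real log group, replace `SAMPLE_RESULTS` with `run_query("<your-log-group>", start, end)` (epoch seconds); the labelling functions do not care where the rows came from.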