
I am logging messages in AWS CloudWatch with the following format:
code=CAPTURE order={nnnnn}, where nnnnn is a numeric value.

Is it possible to find all messages which have the same order value (duplicates), by taking into consideration that they are duplicated only if the messages were logged within 6 mins?

So far I have managed to only find all messages which have the same value for order, but I couldn't manage to figure out how to also check the timestamp:

fields @timestamp, @message
# the message format given above is "code=CAPTURE order=nnnnn", so filter on code=, not event=
| filter @message like "code=CAPTURE" and @message like /order=\d+/
# regex parse with a named capture group; the glob form "order=* *" needs one name per wildcard
| parse @message /order=(?<order>\d+)/
| stats count(*) as log_count by order
| filter log_count > 1
| limit 20
Valip

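The check the question asks for, as an added example that is not part of the original post: a fixed-bucket approximation is possible inside Logs Insights with `stats count(*) as log_count by order, bin(6m)`, but that misses two events that are 2 minutes apart yet fall on either side of a bucket boundary. The Python below does the exact sliding-window version over exported events. It assumes the events were pulled out with something like `aws logs filter-log-events` (each event a dict with `timestamp` in epoch milliseconds and `message`), and the sample events and order numbers are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Regex equivalent of the question's parse step: the order number from a CAPTURE
# message. "code=CAPTURE order=nnnnn" is the format stated in the question.
CAPTURE_RE = re.compile(r"\bcode=CAPTURE\b.*\border=(\d+)")

BASE_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed base time


def ms_at(minutes, seconds=0):
    """Epoch milliseconds for BASE_TIME + offset (CloudWatch timestamps are in ms)."""
    return int((BASE_TIME + timedelta(minutes=minutes, seconds=seconds)).timestamp() * 1000)


# Constructed sample events in the shape `aws logs filter-log-events` returns
# (only the two keys the check needs are shown).
SAMPLE_EVENTS = [
    {"timestamp": ms_at(0),      "message": "code=CAPTURE order=10001"},
    {"timestamp": ms_at(0, 30),  "message": "code=REFUND order=10001"},   # not CAPTURE: ignored
    {"timestamp": ms_at(1),      "message": "code=CAPTURE order=10002"},
    {"timestamp": ms_at(2),      "message": "code=CAPTURE order=10003"},
    {"timestamp": ms_at(3),      "message": "code=CAPTURE order=10004"},
    {"timestamp": ms_at(4, 30),  "message": "code=CAPTURE order=10001"},  # 4m30s after first: duplicate
    {"timestamp": ms_at(5),      "message": "code=CAPTURE order=10004"},  # 2m after first: duplicate
    {"timestamp": ms_at(5),      "message": "code=CAPTURE order=10005"},
    {"timestamp": ms_at(7),      "message": "code=CAPTURE order=10005"},  # 2m apart, but straddles a 6m bin edge
    {"timestamp": ms_at(10),     "message": "code=CAPTURE order=10002"},  # 9m after first: not a duplicate
    {"timestamp": ms_at(15),     "message": "code=CAPTURE order=10004"},  # 10m after previous: not a duplicate
    {"timestamp": ms_at(20),     "message": "code=CAPTURE order=10001"},  # 15m30s after previous: not a duplicate
]


def parse_capture_events(events):
    """Yield (order, timestamp_ms) for CAPTURE messages; other messages are skipped."""
    for ev in events:
        m = CAPTURE_RE.search(ev["message"])
        if m:
            yield m.group(1), int(ev["timestamp"])


def find_duplicates(events, window=timedelta(minutes=6)):
    """Return {order: [(earlier_ms, later_ms, gap_seconds), ...]} for every pair of
    CAPTURE events with the same order that were logged within `window` of each other.

    Per order the timestamps are sorted and only consecutive gaps are compared: if any
    two events of an order lie within the window, the consecutive pairs between them
    are at least as close, so checking consecutive gaps is sufficient. This is a
    sliding window, unlike a fixed bin(6m) grouping, which would miss a pair that
    straddles a bin boundary (order 10005 in the sample data).
    """
    window_ms = int(window.total_seconds() * 1000)
    by_order = defaultdict(list)
    for order, ts in parse_capture_events(events):
        by_order[order].append(ts)

    duplicates = {}
    for order, stamps in by_order.items():
        stamps.sort()
        pairs = [
            (a, b, (b - a) / 1000)
            for a, b in zip(stamps, stamps[1:])
            if b - a <= window_ms
        ]
        if pairs:
            duplicates[order] = pairs
    return duplicates


def format_report(duplicates):
    """One human-readable line per duplicate pair, with ISO-8601 UTC timestamps."""
    lines = []
    for order in sorted(duplicates):
        for a, b, gap in duplicates[order]:
            t_a = datetime.fromtimestamp(a / 1000, tz=timezone.utc).isoformat()
            t_b = datetime.fromtimestamp(b / 1000, tz=timezone.utc).isoformat()
            lines.append(f"order={order} logged at {t_a} and again at {t_b} ({gap:.0f}s apart)")
    return lines


if __name__ == "__main__":
    for line in format_report(find_duplicates(SAMPLE_EVENTS)):
        print(line)
```

On the sample data this reports orders 10001, 10004 and 10005; 10002 is logged twice but 9 minutes apart, so it is correctly left out. To run it on real data, replace `SAMPLE_EVENTS` with the `events` list from the CLI output (the Insights query from the question, minus the `stats` lines, can serve as the pre-filter so only CAPTURE messages are exported).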