I'm trying to extract an ephemeral field with the parse command. Unfortunately, the log format is such that the glob expression is not enough for it, so I need to use regex. The regex itself is fine, but I just can't make the command extract anything.
I'm trying with:
parse @endpoint /^([a-zA-Z_]+)[\/|?]*.*/ as @clean_endpoint
The first group is what I'm after here, and I did try with different kinds of quotes etc. It might be just a stupid formatting error, but I just can't find it.
Pretty much the only documentation mentioning the parse command is here, and the example there is using the glob expressions. Couldn't find any examples by googling either.
So anyone bumped into this and solved it?
Try another approach, like
parse @message /(?<@endpt>(\/[a-zA-Z0-9_]+){1,})/
| stats count_distinct(@endpt) by @endpt
or, alternatively, consider the solution
fields @timestamp
| parse @message /(?<@endpt_post>POST (\/[a-zA-Z0-9_]+){1,})/
| parse @message /(?<@endpt_get>GET (\/[a-zA-Z0-9_]+){1,})/
| stats count() by @endpt_post, @endpt_get
Good luck!
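The two queries in the answer cannot be run outside CloudWatch Logs Insights, so the following is an added example (not code from the asker or the answerer) that emulates them offline in JavaScript, whose `(?<name>...)` named-group syntax is the same syntax the regex form of parse uses. It applies the answer's patterns, plus a named-group version of the question's own pattern, to a handful of constructed request log lines and groups the captures the way stats count() by would. The log lines, field names and the grouping helper are assumptions made for the illustration.

```javascript
// Added example: emulates the answer's Logs Insights queries with JavaScript
// regexes. Everything below (log lines, field names, helpers) is constructed
// for illustration and is not part of the original question or answer.
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z GET /api/users 200 12ms',
  '2024-01-01T10:00:01Z POST /api/users 201 40ms',
  '2024-01-01T10:00:02Z GET /api/users/42?expand=1 200 9ms',
  '2024-01-01T10:00:03Z GET /health 200 1ms',
  '2024-01-01T10:00:04Z DELETE /api/users/42 204 15ms',
  '2024-01-01T10:00:05Z heartbeat without a request path',
];

// Query 1 from the answer:
//   parse @message /(?<@endpt>(\/[a-zA-Z0-9_]+){1,})/
// The outer named group captures the whole path; the inner group only repeats
// one "/segment" and is not itself exposed as a field.
const ENDPOINT_RE = /(?<endpt>(\/[a-zA-Z0-9_]+){1,})/;

// Query 2 from the answer: one named group per HTTP method.
const POST_RE = /(?<endpt_post>POST (\/[a-zA-Z0-9_]+){1,})/;
const GET_RE = /(?<endpt_get>GET (\/[a-zA-Z0-9_]+){1,})/;

// The question's pattern rewritten with a named group instead of "as":
// first run of letters/underscores before a slash or question mark.
const CLEAN_RE = /^(?<clean_endpoint>[a-zA-Z_]+)[\/|?]*.*/;

// Mirrors `parse`: returns the named captures, or an empty object when the
// regex does not match (the field simply stays unset for that line).
function parseMessage(message, re) {
  const m = re.exec(message);
  return m && m.groups ? { ...m.groups } : {};
}

// Mirrors `stats count() by f1, f2`: a Map from the joined field values to
// the number of lines in that group. Unset fields join as an empty string.
function statsCountBy(rows, ...fields) {
  const counts = new Map();
  for (const row of rows) {
    const key = fields.map((f) => row[f] ?? '').join('|');
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return counts;
}

// Query 1 end to end: how many lines carry each extracted path.
// (count_distinct(@endpt) by @endpt, as written in the answer, would be 1 per
// group; count() is used here because it shows the grouping more clearly.)
function endpointCounts(lines) {
  const rows = lines.map((line) => parseMessage(line, ENDPOINT_RE));
  return statsCountBy(rows, 'endpt');
}

// Query 2 end to end: count by (@endpt_post, @endpt_get). Lines matching
// neither method (DELETE, heartbeat) land in the "|" group.
function methodEndpointCounts(lines) {
  const rows = lines.map((line) => ({
    ...parseMessage(line, POST_RE),
    ...parseMessage(line, GET_RE),
  }));
  return statsCountBy(rows, 'endpt_post', 'endpt_get');
}

// The question's extraction on an @endpoint-style value, e.g. "users/42?x=1".
function cleanEndpoint(endpointValue) {
  return parseMessage(endpointValue, CLEAN_RE).clean_endpoint;
}

// Run stand-alone with: node parse_emulation.js
console.log(endpointCounts(SAMPLE_LOG));
console.log(methodEndpointCounts(SAMPLE_LOG));
console.log(cleanEndpoint('users/42?expand=1'));
```

Note that the path captured for the third line stops at the `?`, so `/api/users/42?expand=1` and `/api/users/42` fall into the same group; if query strings should be kept or stripped differently, that is a change to the character class inside the group, not to the named-group mechanism itself.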