How to search for multiple strings in logs using an AWS CloudWatch Logs Insights query?

For my AWS log groups, I want to write a CloudWatch Logs Insights query to search for multiple strings in the logs. I tried something like this:

fields @timestamp, @message, @logStream
| filter @message like /(?i)\$\{jndi/
| filter @message like /(?i)\$\{\$\{lower\:j/
| sort @timestamp desc

But it only searches for the first filter, which is /(?i)${jndi/. It does not search for the 2nd filter. Can someone help me find out how I can search for multiple strings using one query?

I could not find any example in the AWS documentation or on the internet.

Thanks for any help.



Solution 1:[1]

This worked for me:

fields @timestamp, @message, @logStream
| filter @message like /(?i)(\$\{jndi|\$\{\$\{lower:j|\$\{\$\{upper:j|\$\{\$\{::-j)|\$\{/
| sort @timestamp desc

Solution 2:[2]

Use the in operator, as follows (AWS Documentation):

fields @timestamp, @message, @logStream
| filter @message in ["MyFirstSearchString", "MySecondSearchString", "MyThirdSearchString"]
| sort @timestamp desc

Solution 3:[3]

@Zabih Khaliqi your code snippet will only find results if the message is exactly one of the values in the list.

If @Sushil is searching for "is string in message", I would suggest something like this:

fields @timestamp, @message
| filter strcontains(@message, "jndi") or strcontains(@message, "lower\:j")
| sort @timestamp desc

 

So, using the OR operator and string operators: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html#CWL_QuerySyntax-operations-functions
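An added example, not part of any answer above: a Python model of the four filter styles on this page, run over constructed log messages, to show which lines each style returns. Python's `re` stands in for the Logs Insights regex engine, and the function names and sample messages are assumptions made for illustration.

```python
import re

# Constructed sample messages (not from the original page); lookup bodies are elided.
SAMPLE_LOGS = [
    "GET /?q=${jndi:...} 200",                  # 0: plain form
    "User-Agent: ${${lower:j}ndi:...}",         # 1: lower: variant
    "X-Forwarded-For: ${${upper:j}ndi:...}",    # 2: upper: variant
    "Referer: ${${::-j}ndi:...}",               # 3: ::- variant
    "q=${jndi:...} ua=${${lower:j}ndi:...}",    # 4: both patterns in one message
    "${jndi",                                   # 5: message equal to a search string
    "GET /healthz 200",                         # 6: benign
]

# The two patterns from the question's chained filters.
JNDI = re.compile(r"(?i)\$\{jndi")
LOWER = re.compile(r"(?i)\$\{\$\{lower\:j")
# Solution 1's alternation, without its trailing catch-all branch for any "${".
ANY_VARIANT = re.compile(
    r"(?i)(\$\{jndi|\$\{\$\{lower:j|\$\{\$\{upper:j|\$\{\$\{::-j)"
)

def _hits(logs, predicate):
    return [i for i, msg in enumerate(logs) if predicate(msg)]

def chained_filters(logs):
    """Two `| filter` stages: the second only sees what the first kept (AND)."""
    return _hits(logs, lambda m: bool(JNDI.search(m)) and bool(LOWER.search(m)))

def regex_alternation(logs):
    """One `like` with a|b|c: any branch matching anywhere in the message (OR)."""
    return _hits(logs, lambda m: bool(ANY_VARIANT.search(m)))

def in_operator(logs, values):
    """`in [...]`: the whole message must equal one of the listed values."""
    return _hits(logs, lambda m: m in values)

def strcontains_or(logs, needles):
    """strcontains(...) or strcontains(...): literal substring test, no regex."""
    return _hits(logs, lambda m: any(n in m for n in needles))

if __name__ == "__main__":
    print("chained   :", chained_filters(SAMPLE_LOGS))
    print("alternate :", regex_alternation(SAMPLE_LOGS))
    print("in        :", in_operator(SAMPLE_LOGS, ["${jndi", "${${lower:j"]))
    print("substring :", strcontains_or(SAMPLE_LOGS, ["jndi", "lower:j"]))
```

Only the alternation returns the `upper` and `::-j` messages; the substring test on "jndi" misses them because the nested lookup splits the letters.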

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Sushil
Solution 2 Zabih Khaliqi
Solution 3 Daniel Seichter