You can use the following query to extract and filter the logs containing "userAbc" from the X-Username header:
```
parse @message "{'trace': *}" as trace
| filter ispresent(trace.request.headers."X-Username"[0])
and trace.request.headers."X-Username"[0] = "userAbc"
| fields @timestamp, @message, @logStream, @log
| sort @timestamp desc
| limit 1000
```
This query does the following:
- It uses the `parse` command to extract the JSON content from the @message field, creating a new field called "trace".
- The `filter` command checks if the X-Username field exists and if its first (and likely only) element matches "userAbc".
- We then select the fields we want to display, sort by timestamp in descending order, and limit the results to 1000.
This approach should work even with the hyphen in "X-Username" because we're using dot notation within quotes to access the field.
If you're dealing with flattened JSON where the field names might include dots, you can try using the following alternative syntax:
```
parse @message "{'trace': *}" as trace
| filter ispresent(get_field(trace, "request.headers.X-Username[0]"))
and get_field(trace, "request.headers.X-Username[0]") = "userAbc"
| fields @timestamp, @message, @logStream, @log
| sort @timestamp desc
| limit 1000
```
This uses the `get_field()` function to access nested fields, which can be helpful when dealing with complex JSON structures or field names with special characters.
Remember that the exact structure of your logs may vary, so you might need to adjust the JSON path slightly based on your specific log format.
Sources
parse - Amazon CloudWatch Logs
Hello.
Have you tried enclosing it in backticks as described in the documentation below?
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax-Guidelines.html
If a field contains non-alphanumeric characters other than the @ symbol or the period (.), you must surround the field with backtick characters (`). For example, the log field foo-bar must be enclosed in backticks (`foo-bar`) because it contains a non-alphanumeric character, the hyphen (-).
I don't have the same logs as you so I can't test your query, but if it's a special character you might be able to escape it with a backslash.
https://stackoverflow.com/questions/58464092/handling-single-quote-in-aws-cloudwatch-logs-insights/58473817
```
fields @timestamp, @message, @logStream, @log
| filter trace.request.headers.X\-Username = "userAbc"
| sort @timestamp desc
| limit 1000
```
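Added example, not part of either answer above and not AWS code: a small Python helper that applies the backtick rule quoted from the documentation when a Logs Insights query string is assembled in code, and rejects header values outside an allowlist so a caller-supplied username cannot alter the query. The function names, the allowlist, and the choice to wrap the whole dotted path in one pair of backticks are assumptions; the field path is the one used in the query above.

```python
import re

# Rule quoted above, applied literally: only letters, digits, "@" and "."
# may appear in a field name without backticks.
_PLAIN_FIELD = re.compile(r"[A-Za-z0-9@.]+")
# Conservative allowlist for the value being matched (assumption: usernames
# never need quotes, backslashes or whitespace).
_SAFE_VALUE = re.compile(r"[A-Za-z0-9._@-]{1,128}")


def quote_field(name: str) -> str:
    """Return the field name, wrapped in backticks when the rule requires it."""
    if not name or any(c in name for c in "`\r\n"):
        raise ValueError(f"unusable field name: {name!r}")
    if _PLAIN_FIELD.fullmatch(name):
        return name
    # Assumption: the whole dotted path goes inside one pair of backticks.
    return f"`{name}`"


def build_username_query(field: str, username: str, limit: int = 1000) -> str:
    """Build a Logs Insights query string that filters on one header value."""
    if not _SAFE_VALUE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    if limit < 1:
        raise ValueError("limit must be positive")
    return "\n".join([
        "fields @timestamp, @message, @logStream, @log",
        f'| filter {quote_field(field)} = "{username}"',
        "| sort @timestamp desc",
        f"| limit {limit}",
    ])


if __name__ == "__main__":
    # Constructed sample input matching the question's header and value.
    print(build_username_query("trace.request.headers.X-Username", "userAbc"))
```
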