Which regex parser implementation does Cloudwatch Log Insights use? Which regex parsing options are used?


I need to understand which regex parser implementation Cloudwatch Log Insights uses, and which parsing options it uses.

For example, I can show you a regex which I know is working here via regex101. However, when I embed the regex into a Log Insights query, it doesn't work.

For context, I am happy to share my Log Insights query is here:

parse @message '[*] [*] [*] [*] [*] [*]' as category, level, event_id, source, machine, blurb
| filter event_id = '43122'
| parse @blurb /Timestamp: (?<datetime>.+)[\r\n]+Message: (?<msg>[\s\S]*)[\r\n]+Category: (?<unparsed1>[\s\S]*)Machine: (?<instance>.*)[\r\n]+(?<unparsed2>[\s\S]+)/
| display datetime, msg

When I execute the Log Insights query above, the fields of datetime and msg are empty; but the regex101 query shows that they should pick up the information that I need.

asked 6 months ago375 views
1 Answer

Regex norm, as tested against regex 101 tool, should work with log insights queries. But, on your test case there's a different issue here:

The regex is not working as expected because you are using a test string

I would recommend working with JSON log event and then parse, instead of text string. OR, if you cannot change how the log message is published, you can change the regex itself by following this test string: https://regex101.com/r/ZyRmeu/1

profile pictureAWS
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions