Which regex parser implementation does Cloudwatch Log Insights use? Which regex parsing options are used?

Question

I need to understand which regex parser implementation Cloudwatch Log Insights uses, and which parsing options it uses.

For example, I can show you a regex which I know is working [here via regex101](https://regex101.com/r/KfxnGv/1).  However, when I embed the regex into a Log Insights query, it doesn't work.

For context, I am happy to share my Log Insights query is here:

```
parse @message '[*] [*] [*] [*] [*] [*]' as category, level, event_id, source, machine, blurb
| filter event_id = '43122'
| parse @blurb /Timestamp: (?.+)[
]+Message: (?[\s\S]*)[
]+Category: (?[\s\S]*)Machine: (?.*)[
]+(?[\s\S]+)/
| display datetime, msg
```

When I execute the Log Insights query above, the fields of `datetime` and `msg` are empty; but the [regex101](https://regex101.com/r/KfxnGv/1) query shows that they should pick up the information that I need.

Answer

Regex norm, as tested against regex 101 tool, should work with log insights queries. But, on your test case there's a different issue here:

The regex is not working as expected because you are using a test string

* **with** new lines - https://regex101.com/r/KfxnGv/1, 
* however the log message that would be published to CW log group is **without** new lines, your regex against this type of string - https://regex101.com/r/ZyRmeu/1 does not work the same.

I would recommend working with JSON log event and then parse, instead of text string. OR, if you cannot change how the log message is published, you can change the regex itself by following this test string:  https://regex101.com/r/ZyRmeu/1

Which regex parser implementation does Cloudwatch Log Insights use? Which regex parsing options are used?

Relevant content