Extract and Display First Part of a Field in CloudWatch Query Results

Question

I am trying to write a CloudWatch Log Insights query which will extract the first part of a string field up to a forward slash '/' character, which is always present in the string. Example input log lines for field named "fruit" follow:
  blue/berries
  red/apple

I need to extract the first part of the "fruit" field up to the forward slash '/' character and display it in the query results as follows, using the example input lines above:
  blue
  red

The "fruit" field is not a blob field, e.g., JSON--it's just a single string. I tried various iterations using the parse command with no luck. I also tried different ideas for using a regular expression to extract the first part of the string up to the forward slash '/' character with no luck. I searched for hints in StackOverflow too but didn't land on anything successful.

I have verified using a regular expression checker that the following will extract the first part of the string up to the forward slash character:
/^.*?(?=\/)/

I haven't been able to figure out how to apply the regular expression in the query correctly so that it is evaluated and displayed. Any ideas? Thank you.

Accepted Answer

Hello,

If the logs are in pure JSON format, CloudWatch Logs automatically discovers the log fields contained in the logs and you can reference the field directly as in the query below.

----------------------------------------

```
parse fruit "*/*" as color, product
 | display color
```

----------------------------------------

Note: color, product are variable names here.

If the logs are in non-JSON format , we would require a sample log to build the query. Keeping in mind your data privacy, you can open a technical support case with AWS using the link (https://console.aws.amazon.com/support) and then share a sample log on the case. AWS Premium Support engineers will assist you accordingly.

Extract and Display First Part of a Field in CloudWatch Query Results

Relevant content