Metric filter for logs JSON data with @ property names

Question

For Logs Insights, it seems rather straightforward to query/filter against JSON data with property names prefixed with '@'   
  
_| filter @@level like /Error/ and @@msgtxt in \["event 1", "event 2"]_  
  
However when it comes to defining filter patterns for custom metrics, the JSON property matching selector does not appear to like '@'  
  
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html  
  
_{ $.@msgtxt = "event 1" || $.@msgtxt = "event 2" }_  
  
will throw   
  
**An error occurred while testing the subscription filter.**  
**Invalid character(s) in term '$.@'**  
  
How should the proper metric filter pattern be like?  
  
Edited by: icelava on Oct 5, 2021 11:33 PM Typo

Answer

I need to filter on JSON properties with @ as a prefix as well. Can Amazon come out and explicitly say whether they don't support fields which start with special characters and that it was a significant oversight or give us a way around this? It's already painful to use this tool after coming from other log providers which support this or show logs from recent to oldest instead.

Answer

The documentation does not explicitly state so, but OR filters can also apply to whole phrases instead of just standalone words.  
  
_?"Event 1" ?"Event 2"_  
  
So have to fall back to plain text-phrase matching instead of JSON selector matching.  
  
Edited by: icelava on Oct 6, 2021 4:28 AM

Answer

Considering the fact that many frameworks, such as "Serilog", use the character @ as the prefix for the log properties, it is very unconvenient that AWS CloudWatch filters don't support this format.

Metric filter for logs JSON data with @ property names

相關內容