'How to extract all matches as array by parsing a JSON message using AWS CloudWatch Logs Insights?
I log messages that are JSON objects. The JSON has an array that contains objects with id:
{
...
"arr": [{"typeId": 1, "foo": "bar"}, {"typeId": 10, "foo": "other"}, ...],
...
}
Now I want to count usage of objects by type by counting all occurrences of their corresponding ID in the array.
I've tried the following query:
filter @message like '"typeId":'
| parse @message '"typeId":*,' as id
| stats count(id) as objCount by id
| sort objCount desc
Which produces a result:
| id | objCount |
|---|---|
| 113 | 28 |
| 1 | 12 |
| 296 | 10 |
| 2 | 9 |
But it looks wrong. It seems to extract only the very first ID value from each message. I know it because if I search logs by filter @message like '"typeId":113,' I get 44 occurrences.
How can I extract all matches by using parse?
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|