'parse syntax for xml message in CloudWatch Insights

I have a message in XML format. 

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2020-02-11T01:31:11.322195100Z'/><EventRecordID>66919</EventRecordID><Correlation/><Execution ProcessID='560' ThreadID='596'/><Channel>System</Channel><Computer>EC2AMAZ-B4Q4STJ</Computer><Security/></System><EventData><Data Name='param1'>Windows Modules Installer</Data><Data Name='param2'>running</Data><Binary>540072007500730074006500640049006E007300740061006C006C00650072002F0034000000</Binary></EventData><RenderingInfo Culture='en-US'><Message>The Windows Modules Installer service entered the running state.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Service Control Manager</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

I would like to extract field Name in the from the message. I've tried something like this: 

fields @timestamp | parse @message "Name=*" as ProviderName

the result gives me everything in the which is:

'Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2020-02-11T01:31:11.322195100Z'/><EventRecordID>66919</EventRecordID><Correlation/><Execution ProcessID='560' ThreadID='596'/><Channel>System</Channel><Computer>EC2AMAZ-B4Q4STJ</Computer><Security/></System><EventData><Data Name='param1'>Windows Modules Installer</Data><Data Name='param2'>running</Data><Binary>540072007500730074006500640049006E007300740061006C006C00650072002F0034000000</Binary></EventData><RenderingInfo Culture='en-US'><Message>The Windows Modules Installer service entered the running state.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Service Control Manager</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>
amazon-cloudwatchamazon-cloudwatchlogsaws-cloudwatch-log-insights


Solution 1:[1]

Something like this should work:

fields  @message
| parse @message /.*Provider Name='(?<ProviderName>.*?)'.*/

Solution 2:[2]

@Hector, you can parse the eventid using the following query:

fields @timestamp, @message
| sort @timestamp desc
| parse @message /(?<@eventid>(?<=<EventID>).*(?=<\/EventID))/
| filter @eventid = "<event_id_to_filter>"

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Dejan Peretin
Solution 2 molde81

Related Questions

Amazon Cloudwatch only receiving mem_used_percent and nothing else, despite numerous other metrics specified in config

aws Sagemaker autoscaling with instance metrics per instance

Install SSL certificates in my AWS canary puppeteer script

User is not authorized to perform: SNS:CreateTopic on resource

DiskSpaceUtilization metrics for EC2 instance in python boto script showing empty response

cloudwatch command get-metric-data

CloudWatch Agent: batch size equal to "1" - is it a bad idea?

collectd is reporting "Request is missing Authentication Token" when trying to post the metrics to AWS cloudwatch by custom collectd plugin

Configuring events on the amazon managed blockchain

Cumulative sum of AWS Cloudwatch Metric

CloudWatch Logs Filter case insensitive multiple terms or connected

How to query AWS CloudWatch logs using AWS CloudWatch Insights?

Filtering AWS CloudWatch raw log events by multiple values / AWS CLI

How to Monitor health of AWS cloudwatch agents?

Unable to Start AWS CloudAgent service