Tags: amazon-cloudwatch, amazon-cloudwatch-logs, aws-cloudwatch-log-insights

parse syntax for xml message in CloudWatch Insights


I have a message in XML format.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2020-02-11T01:31:11.322195100Z'/><EventRecordID>66919</EventRecordID><Correlation/><Execution ProcessID='560' ThreadID='596'/><Channel>System</Channel><Computer>EC2AMAZ-B4Q4STJ</Computer><Security/></System><EventData><Data Name='param1'>Windows Modules Installer</Data><Data Name='param2'>running</Data><Binary>540072007500730074006500640049006E007300740061006C006C00650072002F0034000000</Binary></EventData><RenderingInfo Culture='en-US'><Message>The Windows Modules Installer service entered the running state.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Service Control Manager</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

I would like to extract the Name field from the message. I've tried something like this:

fields @timestamp | parse @message "Name=*" as ProviderName

The result gives me everything that follows it, which is:

'Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2020-02-11T01:31:11.322195100Z'/><EventRecordID>66919</EventRecordID><Correlation/><Execution ProcessID='560' ThreadID='596'/><Channel>System</Channel><Computer>EC2AMAZ-B4Q4STJ</Computer><Security/></System><EventData><Data Name='param1'>Windows Modules Installer</Data><Data Name='param2'>running</Data><Binary>540072007500730074006500640049006E007300740061006C006C00650072002F0034000000</Binary></EventData><RenderingInfo Culture='en-US'><Message>The Windows Modules Installer service entered the running state.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Service Control Manager</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

Solution

  • Something like this should work:

    fields  @message
    | parse @message /.*Provider Name='(?<ProviderName>.*?)'.*/