I have been trying to parse the resource arn ex.(arn:aws:ec2:us-east-1:0123456789:volume/vol-gg4gggs0svevb3000) to extract the vol-* on CloudWatch logs insights and unable to get the regex pattern right with desired result.
I have tried using below pattern but no result.
parse @message /.[v,o,l].-([0-9][a-z]){0,17}/
In the pattern that you tried, this part ([0-9][a-z]){0,17} repeats 0 to 17 times a single digit, immediately followed by a single char a-z. The maximum number of chars is therefore 34 in that particular order.
Also note that when repeating a capture group, the group value contains the value of the last iteration. In this case that will be 2 characters.
This part .[v,o,l]. can be written as .[vol,]. and matches 3 chars: a dot which can match any char except a newline, then 1 of either v o l or , because it is a character class and again a dot that can match any char except a newline
Reading this page, the parts that you want to extract should be in a named capture group.
parse @message /(?<volume>vol-[0-9a-z]{17})/
The pattern matches
(?<volume> Named capture group volume
vol- Match literally[0-9a-z]{17} Repeat 17 times any of the listed in the character class) Close named group