Search code examples
amazon-cloudwatchaws-cloudwatch-log-insights

CloudWatch: Count number of occurrences of a specific string in logfiles


I have logfiles which contain specific spring patterns. These string patterns occur frequently per log event. For example:

<abc>108</abc>xyz<abc>22222</abc>

I want to count the occurence of <abc> for a specific period of time in CloudWatch.

I did this to count the occurences per minute:

fields @timestamp
| parse @message "<abc>" as abc
| filter strcontains(@message, "<abc>")
| stats count(abc) by bin(1m)

But it just counts one for a log event that contains <abc> at least once. In the example above I would expect two.

How can I achieve this?


Solution

  • I don't see a single function that will give you what you need, but you can do something like this:

    fields @timestamp, @message
    | filter strcontains(@message, "<abc>")
    | fields (strlen(@message)-strlen(replace(@message, "<abc>", ""))) / strlen("<abc>")