I have logfiles which contain specific string patterns. These string patterns occur frequently per log event. For example:
<abc>108</abc>xyz<abc>22222</abc>
I want to count the occurrences of <abc> for a specific period of time in CloudWatch.
I did this to count the occurrences per minute:
fields @timestamp
| parse @message "<abc>" as abc
| filter strcontains(@message, "<abc>")
| stats count(abc) by bin(1m)
But it just counts one for a log event that contains <abc> at least once. In the example above I would expect two.
How can I achieve this?
I don't see a single function that will give you what you need, but you can do something like this:
fields @timestamp, @message
| filter strcontains(@message, "<abc>")
| fields (strlen(@message)-strlen(replace(@message, "<abc>", ""))) / strlen("<abc>")
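An added example, not part of the original answer: a Python check of the same length-difference arithmetic, extended to the per-minute totals the question asks for (in Logs Insights that last step would be an alias on the expression followed by stats sum(...) by bin(1m)). The sample events, timestamps and function names are constructed for illustration; only the first message comes from the question.

```python
from collections import defaultdict
from datetime import datetime

PATTERN = "<abc>"

# Constructed sample events (timestamp, message); the first message is the
# example line from the question, the rest are made up for this illustration.
EVENTS = [
    ("2024-01-01T10:00:05", "<abc>108</abc>xyz<abc>22222</abc>"),
    ("2024-01-01T10:00:40", "no marker in this event"),
    ("2024-01-01T10:00:59", "<abc>7</abc>"),
    ("2024-01-01T10:01:10", "<abc>1</abc><abc>2</abc><abc>3</abc>"),
]


def occurrences(message, pattern=PATTERN):
    """Same arithmetic as the answer's expression: the number of characters
    removed by replace(), divided by the pattern length."""
    if not pattern:
        raise ValueError("pattern must not be empty")  # avoids division by zero
    removed = len(message) - len(message.replace(pattern, ""))
    return removed // len(pattern)


def per_minute(events, pattern=PATTERN):
    """Sum the per-event counts into 1-minute bins (hypothetical helper)."""
    bins = defaultdict(int)
    for ts, message in events:
        if pattern not in message:  # mirrors filter strcontains(@message, ...)
            continue
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        bins[minute.isoformat()] += occurrences(message, pattern)
    return dict(bins)


if __name__ == "__main__":
    for minute, total in sorted(per_minute(EVENTS).items()):
        print(minute, total)
```

The count is of non-overlapping matches, which is exact for a pattern such as <abc> that cannot overlap itself.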