I have a CloudWatch log group that contains log statements in bulk, here I want to filter the logs which contain the string "ABC".
Then I want the count of "XYZ", "PQR",
My current approach:
fields @message
| filter @message like /ABC/
| filter @message like /XYZ/
| stats count() as XYZ_COUNT
fields @message
| filter @message like /ABC/
| filter @message like /PQR/
| stats count() as PQR_COUNT
Can we achieve it in a single query instead?
After digging the docs I got the way we can do it, here it is.
fields @message
| filter @message like /ABC/
| parse @message 'XYZ' as @xyz
| parse @message 'PQR' as @pqr
| stats count(@xyz) as XYZ_COUNT, count(@pqr) as PQR_COUNT
Let me know if any better approach is there.