Search code examples
amazon-cloudwatchaws-cloudwatch-log-insights

How to parse logs insight log with same field name

I want to run a query like this:

fields @timestamp, @message
| filter @message like /Failed Token|APN failed/
| parse @message "Failed Token: * Error: *" as token, error
| parse @message "device: * reason: *" as token, error
| display token, error

enter image description here and I get an error that token and error are already defined - obviously because I used it in the first parse. so my question is how can I use the same field names? so I can display only 2 columns - Token and Error? Thanks!

Solution

  • The solution I found for this, is to use parse with a regex, similar to the filter. It gets a bit tricky when needing to write a regex for 2 completely different strings but in this way I managed to parse the fields into the same variable