AWS Cloudwatch how to use parse regex for request uri?
I have an AWS Cloudwatch log in the following format
| timestamp | request_uri |
|---|---|
| 2023-04-19 00:00:00 | /v1/categorya/producta?model=112 |
| 2023-04-19 00:00:00 | /v1/categorya/producta?model=11432 |
| 2023-04-19 00:00:00 | /v1/categoryb/productb?model=1145432 |
I want to group by request_uri to get the number of calls for a certain endpoint in Cloudwatch so that I can analyze the number of times an endpoint is called during a certain period of time. Currently, I'm using the following query
fields request_uri
| parse request_uri "(\/v1\/[a-z]+\/[a-z]+)" as uri
| stats count(*) by uri
But I think parse is not able to parse request_uri correctly since it shows null for all the values in uri column when I display it. I need help with parsing the correct regex for getting the following results
| uri | count(*) |
|---|---|
| /v1/categorya/producta | 2 |
| /v1/categoryb/productb | 1 |
When I'm using the following I get null in the created column
fields request_uri
| parse request_uri "(\/[a-z]+)" as uri
So it is clear for me that Cloudwatch is not able to parse the regex but not sure what is wrong with the regex or cloudwatch insights query.
CloudWatch requires you to name your capture group when performing parsing with regex.
Also, the expression must be surrounded with forward slashes / instead of quotation marks.
A correct parse statement in your case would look like this:
parse request_uri /(?<uri>\/v1\/[a-z]+\/[a-z]+)/
As you can see, there is no need for as, since the field name is derived from the named capture group. This can be used to extract multiple fields using a single regular expression.