AWS Cloudwatch Log Metrics FilterPattern on XML text


I am trying to add a filter to an AWS CloudWatch log on XML text that is printed to the log file.

e.g. <one> <Test>Something</Test> <Msg>blah blah</Msg></one>

I am trying to put a filter pattern on the text <Test>Something</Test>. I have tried the options below, but none of them work. I receive "Invalid metrics filter pattern". There will also be lines in the log file that do not have this text.

&lt;Test&gt;Something&lt;/Test&gt;
<Test>Something</Test>
<\"Test>\"Something<\"/\"Test>\"

Any suggestions please?

vava044 On

A bit late, but this might help future visitors. I got around it by using a query inside CloudWatch Logs Insights.

Example log generated in CloudWatch:


Timestamp: 2021-01-12T20:50:40.579+01:00

Message: 
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <EventData>
        <Data Name='SubjectUserName'>-</Data>
        <Data Name='SubjectDomainName'>-</Data>
        <Data Name='SubjectLogonId'>0x0</Data>
        <Data Name='TargetDomainName'>NT AUTHORITY</Data>
        <Data Name='LogonProcessName'>NtLmSsp </Data>
        <Data Name='AuthenticationPackageName'>NTLM</Data>
        <Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name='TransmittedServices'>-</Data>
    </EventData>
</Event>

Query to find all events with TargetDomainName=NT AUTHORITY:

# very simple regex
fields @message
| filter @message like /<Data Name='TargetDomainName'>NT AUTHORITY<\/Data>/
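
An added example, not part of the original answer: a Python check that runs the answer's regex offline against constructed sample events, beside an XML-parsing comparison showing that the regex silently misses the same event when its attributes are double-quoted. The helper names and the sample events are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace taken from the example event in the answer.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Same expression as the Insights query; the \/ escape is only needed inside /.../.
INSIGHTS_REGEX = re.compile(r"<Data Name='TargetDomainName'>NT AUTHORITY</Data>")

def regex_match(message):
    """Mirror of `filter @message like /.../`: an unanchored regex search."""
    return INSIGHTS_REGEX.search(message) is not None

def event_data(message):
    """Return {Name: text} for each <Data> element, or None if not usable XML."""
    # Log text is untrusted input: refuse DTDs so no entities get expanded.
    if "<!DOCTYPE" in message:
        return None
    try:
        root = ET.fromstring(message)
    except ET.ParseError:
        return None
    return {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}

def parsed_match(message, name="TargetDomainName", value="NT AUTHORITY"):
    """Match on the parsed field value, independent of attribute quoting."""
    data = event_data(message)
    return data is not None and data.get(name) == value

def make_event(domain, q="'"):
    """Build a constructed sample event; q is the attribute quote character."""
    return (f"<Event xmlns={q}{NS['e']}{q}><EventData>"
            f"<Data Name={q}TargetDomainName{q}>{domain}</Data>"
            f"<Data Name={q}AuthenticationPackageName{q}>NTLM</Data>"
            f"</EventData></Event>")

# Constructed samples: single-quoted, double-quoted, other domain, non-XML line.
SAMPLES = [make_event("NT AUTHORITY"), make_event("NT AUTHORITY", '"'),
           make_event("CORP"), "service started"]

def compare(messages):
    """Return (regex_match, parsed_match) for every message."""
    return [(regex_match(m), parsed_match(m)) for m in messages]

if __name__ == "__main__":
    for msg, result in zip(SAMPLES, compare(SAMPLES)):
        print(result, msg[:60])
```

If the second sample shape can occur in your log group, widen the character class for the quotes in the Insights regex (for example `['"]`) before building alerts on the query.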