I want to be able to filter the eventName of S3 by PutObject and CopyObject.
fields @timestamp, @message, @logStream, @log, detail.eventName
| sort @timestamp desc
| limit 1000
| filter detail.eventName in ["PutObject", "CopyObject"]
The above query only returns 1 result, but I expect more.
fields @timestamp, @message, @logStream, @log, detail.eventName
| sort @timestamp desc
| limit 1000
| filter detail.eventName in ["PutObject"]
This also returns one result.
fields @timestamp, @message, @logStream, @log, detail.eventName
| sort @timestamp desc
| limit 1000
| filter detail.eventName="PutObject"
This returns a few results, which is correct.
How do I set the filter so that the result returns events where eventName is either PutObject or CopyObject?
Yes, it works! Why didn't "in" work when applying it to the filter?