How do I use the replace command to change the value of a custom field?

0

CloudWatch documentation on page https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax-operations-functions.html shows the existence of a replace command but there is no example of how to use it.

Could someone give an example of how to replace the content of a custom field?

I am trying to make a table out of some logs and wanted to change some of the values for mor human readable values. Some fields shows a code and I would like to change those codes for its meaning so the people I send the table doesn't need to be looking up for the values on a different document.

When I used Splunk, I could submit a sheet to the engine and it will do the transformations for me but I don't know how to do this on CloudWatch.

Any help would be greatly appreciated.

Thank you.

3 Answers
0

I found the way, below a sample query...

fields @message
| filter @message like 'userDetails'
| parse @message "<platform>M</platform> as platformCode
| fields replace(platformCode, "M", "Mobile Native") as platform
| display platform
Miguel
answered 5 months ago
profile pictureAWS
EXPERT
reviewed 5 months ago
  • This didn't work as I expected since I have a few codes to check for. If you have one single code to replace, then it will work fine.

0

How could I make it work when I have four platform codes?

fields @message 
| filter @message like 'userDetails' 
| parse @message "<platform>*</platform> as platformCode 
| fields replace(platformCode, "N", "Native") as platform 
| fields replace(platformCode, "W", "Web") as platform 
| fields replace(platformCode, "A", "Android") as platform 
| fields replace(platformCode, "I", "iPhone") as platform 
| display platform

This display things like...

'WWAndroidI'

Each replace line is adding a single character.

Any ideas?

I thought there would be some sort of 'if' command so I could do some conditional like if(platformCode = "N", "Native") or similar thing.

Miguel
answered 5 months ago
0

I finally made it work...

fields @message 
| filter @message like 'userDetails' 
| parse @message "<platform>*</platform> as platformCode 
| fields if(platformCode = "W", "Web", if(platformCode = "A", "Android", if(platformCode = "I", "iPhone", ""))) as thePlatform
| display thePlatform
Miguel
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions