CloudWatch InSights: how to extract/query json object array

Question

We have logs published to CloudWatch like this(flattened JSON data using json.dumps()):

[
  {"Value": 9, "id": "ia-122"}, 
  {"Value": 13, "id": "ia-123"}, 
  {"Value": 14, "id": "ia-100"}
]

In the above logs, there're 3 objects in an array. When I query from CloudWatch Insight with query expression like this:

field @message
| parse '"Value": *,' as value
| filter value > 12

The log provided above won't be returned since the first value is 9 (not bigger than 12).

How can I query to get the correct result? [Note: the number of objects in a single log is not always 3]

score 0 · Answer 1 · answered Oct 14 '20 at 18:27

0

Turns out it is tricky to do so. Modified my logs into this:

{"Value": 9, "id": "ia-122"}

{"Value": 13, "id": "ia-123"}

{"Value": 14, "id": "ia-100"}

as 3 separate records.

answered Oct 14 '20 at 18:27

Howard Liu

1 Answers1