AWS CloudWatch parse JSON case insensitive

Question

On the WAF section of the AWS console there is a tab for "CloudWatch Log Insights" that provides a few sample queries. One of these is "Top 100 hosts".

fields @timestamp, @message
| parse @message '{"name":"Host","value":"*"}' as host
| stats count(*) as requestCount by host
| sort requestCount desc
| limit 100

This is a somewhat misleading report title for most people I expect. I find about half my traffic uses host as opposed to Host. I spent 30 minutes trying to make this query case insensitive when parsing that header, before giving up, and deciding to ask here.

What is the easiest way to accomplish this?

score 2 · Accepted Answer · answered Feb 02 '22 at 14:46

2

This is how I solved it:

fields @timestamp, @message
| parse @message /\{"name":"(H|h)ost","value":"(?<host>.*?)"\}/
| stats count(*) as requestCount by host
| sort requestCount desc
| limit 100

Changing from glob patterns to regex capture groups allows to also use regexes for other matching.

answered Feb 02 '22 at 14:46

asvinours

36
1

You are a diamond. Fantastic first answer. Thank you!!!!!! – starfry Feb 04 '22 at 14:10
Thanks. This worked. Ended up using `(?i)`. With full filter like: `| parse @message /(?i)\{"name":"HOST","value":"(?.*?|^www\..*)"\}/` – ficuscr Mar 17 '22 at 18:35

AWS CloudWatch parse JSON case insensitive

1 Answers1