How filter Cloudwatch Logs Aws?

angelicamaria · March 30, 2019, 1:57pm

Hello guys,

How do I make the filter take into account the records that are between START and END?

I want to send to Elastic something as this:
{
"_index": "pruebalog:07132017",
"_type": "cloudwatch_logs",
"_id": "23334844787867677",
"_score": null,
"_source": {
"hostName": "AWS LOGS",
"appName": "LAMBDA",
"priority": "ERROR",
"@timestamp": "2019-03-25T15:50:55.000Z",
"message": {
"data": "{
Console Log #0
Console Log #1
Console Log #2
...
...
...
}
}
},
"fields": {
"@timestamp": [
12333333333333
]
}
}

Badger · March 30, 2019, 2:08pm

What do you want the result to be?

angelicamaria · March 30, 2019, 2:56pm

Friend, update the question, thanks for the help.

Badger · March 30, 2019, 3:46pm

That looks like a very good match for Example 1 given in the documentation of the aggregate filter. You have a start event, and end event, and every line has a guid that can be used to correlate them.

system · April 27, 2019, 3:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.