Menu
How do I use AWS Cloudwatch Log Insights' replace function?
The docs do not give working examples.
Given logs which contain paths such as /api/lumberjack/123/axe/456/fashion
I am trying:
fields message
| parse message "path=* " as path
| fields replace(path, /[0123456789]+/, 'ID') as uniqpath
| stats count(*) by uniqpath
I expect results like:
uniqpath | count
/api/lumberjack/ID/axe/ID/fashion | 12
/api/lumberjack/ID/beardedness | 44
But instead it complains "Invalid arguments, received: (path) but expected: (str: string,searchValue: string,replaceValue: string)"
625
The replace function accepts fields as input for the first argument.
What is not supported is the second argument. You are passing a regex which is not recognized as a string.
I have not found a way to convert the regex to string. But at least you can pass the fieldname path for the first param. I have tested it changing the regex for a normal string.
Query:
fields @message
| parse @message "path=*" as path
| fields replace(path, 'lumberjack', 'ID') as uniqpath
| stats count(*) by uniqpath
Results:
65
answered Jun 07 '26 19:06
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With