Reputation: 732
I'm new to CloudWatch Logs Insights, and I can't figure out how to aggregate data by time range with 3 columns.
The log file I want to parse is JSON formatted:
{'ts': '12:01:00', 'method':'GET', 'url':'aaaa'}
{'ts': '12:02:00', 'method':'GET', 'url':'aaab'}
{'ts': '12:03:00', 'method':'POST', 'url':'aaac'}
{'ts': '12:04:00', 'method':'GET', 'url':'aaad'}
{'ts': '12:05:00', 'method':'POST', 'url':'aaae'}
{'ts': '12:06:00', 'method':'GET', 'url':'aaaf'}
{'ts': '12:07:00', 'method':'POST', 'url':'aaag'}
As you can see, each event line is a POST or a GET. Each event is also timestamped.
I want to use Insights to visualize the GET and POST distribution over time in a 5-minute window.
I can't find the correct syntax to get a result like this in the query monitor:
# : ts : NbGET : NbPOST
1 : 12:00:00 : 3 : 1
3 : 12:05:00 : 1 : 2
With such results, I would be able to draw a graph with the two extracted metrics 'GET' and 'POST'.
Any idea how to achieve this?
Upvotes: 8
Views: 17522
Reputation: 488
I did something similar with the HTTP status. You could use the same logic for the method.
(... parse your logs and get a field method ...)
| parse method /(?<isGet>GET?)/
| parse method /(?<isPost>POST?)/
| parse method /(?<isPut>PUT?)/
| parse method /(?<isDelete>DELETE?)/
| stats count(isGet) as nbGets, count(isPost) as nbPost, count(isPut) as nbPut, count(isDelete) as nbDelete by bin(5m)
Upvotes: 6
Reputation: 129
This can be achieved by using the 'stats' function binning by the desired time period. For your example this roughly is:
STATS count(method = "GET") as NbGET, count(method = "POST") as NbPOST BY BIN(5m)
Upvotes: 12
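To check what a 5-minute binned query should return, the following added example (not code from any of the posts above) computes the same aggregation locally in Python over the question's sample events. The function names are hypothetical, and it bins on the `ts` field from the sample, whereas Insights' `bin()` works on `@timestamp`.

```python
import ast
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the seven events from the question, verbatim.
SAMPLE_LOG = """\
{'ts': '12:01:00', 'method':'GET', 'url':'aaaa'}
{'ts': '12:02:00', 'method':'GET', 'url':'aaab'}
{'ts': '12:03:00', 'method':'POST', 'url':'aaac'}
{'ts': '12:04:00', 'method':'GET', 'url':'aaad'}
{'ts': '12:05:00', 'method':'POST', 'url':'aaae'}
{'ts': '12:06:00', 'method':'GET', 'url':'aaaf'}
{'ts': '12:07:00', 'method':'POST', 'url':'aaag'}
"""


def bin_start(ts, minutes=5):
    """Floor an HH:MM:SS timestamp to the start of its N-minute bucket."""
    t = datetime.strptime(ts, "%H:%M:%S")
    floored = t - timedelta(minutes=t.minute % minutes, seconds=t.second)
    return floored.strftime("%H:%M:%S")


def count_methods_by_bin(text, minutes=5, methods=("GET", "POST")):
    """Return [(bucket, count for each method...)] sorted by bucket."""
    buckets = defaultdict(Counter)
    for line in text.splitlines():
        try:
            # The sample uses single quotes, so it is not strict JSON;
            # literal_eval parses literals only and never executes code.
            event = ast.literal_eval(line.strip())
            bucket = bin_start(event["ts"], minutes)
            method = str(event.get("method"))
        except (ValueError, SyntaxError, KeyError, TypeError):
            continue  # skip blank or malformed lines
        buckets[bucket][method] += 1
    # Methods outside `methods` still create a bucket but add to no column.
    return [(b, *(buckets[b][m] for m in methods)) for b in sorted(buckets)]


if __name__ == "__main__":
    print("ts       NbGET NbPOST")
    for row in count_methods_by_bin(SAMPLE_LOG):
        print(*row)
```
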