CloudWatch Metric Filter for checking JSON key exists

Question

I'm trying to come up with a metric filter expression that filters CloudWatch Logs when a special JSON key attribute is present.

Use case is the following: the application does all kinds of logging(in JSON format) and whenever it has a special JSON key(nested JSON response from third-part service), I would like to filter it.

Example logs:

{"severity":"INFO","msg":"EVENT","event":{"key1":"value1"}}
{"severity":"INFO","msg":"FooService responded","response":{"response_code":800}}

Filter patterns that I've tried that don't work:

{ $.response }
{ $.response = *}
{ $.response = "*"}
{ $.response EXISTS }
{ $.response IS TRUE }
{ $.response NOT NULL }
{ $.response != NULL }

Expected filtering result:

{"severity":"INFO","msg":"FooService responded","response":{"response_code":800}}

{ $.response EXISTS } does the opposite of what I expect(returns the 1st line rather than then 2nd) but I'm not sure how to negate it.

Reference material: Filter and pattern syntax @ CloudWatch User Guide

JohnRoux · Accepted Answer

I haven't found a good solution.

But I did find one at least.

If you search for a key being != a specific value, it seems to do a null check on it.

So if you say:

{$.response != "something_no_one_should_have_ever_saved_this_response_as"}

Then you get all entries where response exists in your json, and where it's not your string (hopefully all of the valid entries)

Definitly not a clean solution, but it seems to be pretty functional

CloudWatch Metric Filter for checking JSON key exists

Answers (2)

Related Questions