How to search for multiple strings in logs using aws cloudwatch log insights query?

Question

For my aws loggroups, I want to write a cloudwatch log insgights query to search for multiple strings in the logs. I tried something like this :

fields @timestamp, @message, @logStream
| filter @message like /(?i)\$\{jndi/
| filter @message like /(?i)\$\{\$\{lower\:j/
| sort @timestamp desc

But, it only searches for first filter which is /(?i)${jndi/ . It does not search for 2nd filter. Can someone help me to find out how can I search for multiple strings using one query?

I could not find any example in aws documents and over internet

Thanks for any help.

Answer 1

@Zabih Khaliqi your code snipped will only find results, if message is exactly one of the values in the list.

If @Sushil is searching "is string in message" I would suggest something like this:

fields @timestamp, @message
| filter strcontains(@message, "jndi") or strcontains(@message, "lower\:j")
| sort @timestamp desc

 

So using the OR operator of and string operators https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html#CWL_QuerySyntax-operations-functions

Answer 2

Use the in operator, like following: AWS Documentation

fields @timestamp, @message, @logStream
| filter @message in ["MyFirstSearchString", "MySecondSearchString", "MyThirdSearchString"]
| sort @timestamp desc

Answer 3

This woked for me :

fields @timestamp, @message, @logStream | filter @message like /(?i)(${jndi|${${lower:j|${${upper:j|${${::-j)|${/ | sort @timestamp desc