AWS Cloudwatch Logs Subscription Parser
Parse logs from AWS Cloudwatch Logs
egress: batch
state: stateless
output: log
status: deprecated
Warnings
This transform has been deprecated in favor of the remap
transform, which enables you to use Vector Remap Language (VRL for short) to
create transform logic of any degree of complexity. The examples below show how you can use VRL to
replace this transform’s functionality.
.message = parse_aws_cloudwatch_log_subscription_message(.message)
Configuration
Example configurations
{
"transforms": {
"my_transform_id": {
"type": "aws_cloudwatch_logs_subscription_parser",
"inputs": "my-source-or-transform-id",
"field": "message"
}
}
}[transforms.my_transform_id]
type = "aws_cloudwatch_logs_subscription_parser"
inputs = "my-source-or-transform-id"
field = "message"
---
transforms:
my_transform_id:
type: aws_cloudwatch_logs_subscription_parser
inputs: my-source-or-transform-id
field: message
{
"transforms": {
"my_transform_id": {
"type": "aws_cloudwatch_logs_subscription_parser",
"inputs": "my-source-or-transform-id",
"field": "message"
}
}
}[transforms.my_transform_id]
type = "aws_cloudwatch_logs_subscription_parser"
inputs = "my-source-or-transform-id"
field = "message"
---
transforms:
my_transform_id:
type: aws_cloudwatch_logs_subscription_parser
inputs: my-source-or-transform-id
field: message
field
common optional stringThe log field to decode as an AWS CloudWatch Logs Subscription JSON event. The field must hold a string value.
default:
messageinputs
required [string]A list of upstream source or transform
IDs. Wildcards (*) are supported but must be the last character in the ID.
See configuration for more info.
Output
Telemetry
Metrics
linkevents_in_total
counterThe number of events accepted by this component either from tagged
origin like file and uri, or cumulatively from other origins.
component_kind
required
The Vector component kind.
component_name
required
The Vector component name.
component_type
required
The Vector component type.
container_name
optional
The name of the container from which the event originates.
file
optional
The file from which the event originates.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the event originates.
peer_path
optional
The pathname from which the event originates.
pod_name
optional
The name of the pod from which the event originates.
uri
optional
The sanitized URI from which the event originates.
events_out_total
counterThe total number of events emitted by this component.
component_kind
required
The Vector component kind.
component_name
required
The Vector component name.
component_type
required
The Vector component type.
processed_bytes_total
counterThe number of bytes processed by the component.
component_kind
required
The Vector component kind.
component_name
required
The Vector component name.
component_type
required
The Vector component type.
container_name
optional
The name of the container from which the bytes originate.
file
optional
The file from which the bytes originate.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the bytes originate.
peer_path
optional
The pathname from which the bytes originate.
pod_name
optional
The name of the pod from which the bytes originate.
uri
optional
The sanitized URI from which the bytes originate.
processed_events_total
counterThe total number of events processed by this component.
This metric is deprecated in place of using
events_in_total and
events_out_total metrics.component_kind
required
The Vector component kind.
component_name
required
The Vector component name.
component_type
required
The Vector component type.
Examples
Default
Given this event...{
"log": {
"message": "\t{\n\t \"messageType\": \"DATA_MESSAGE\",\n\t \"owner\": \"111111111111\",\n\t \"logGroup\": \"test\",\n\t \"logStream\": \"test\",\n\t \"subscriptionFilters\": [\n\t\t\"Destination\"\n\t ],\n\t \"logEvents\": [\n\t\t{\n\t\t \"id\": \"35683658089614582423604394983260738922885519999578275840\",\n\t\t \"timestamp\": 1600110569039,\n\t\t \"message\": \"{\"bytes\":26780,\"datetime\":\"14/Sep/2020:11:45:41 -0400\",\"host\":\"157.130.216.193\",\"method\":\"PUT\",\"protocol\":\"HTTP/1.0\",\"referer\":\"https://www.principalcross-platform.io/markets/ubiquitous\",\"request\":\"/expedite/convergence\",\"source_type\":\"stdin\",\"status\":301,\"user-identifier\":\"-\"}\"\n\t\t},\n\t\t{\n\t\t \"id\": \"35683658089659183914001456229543810359430816722590236673\",\n\t\t \"timestamp\": 1600110569041,\n\t\t \"message\": \"{\"bytes\":17707,\"datetime\":\"14/Sep/2020:11:45:41 -0400\",\"host\":\"109.81.244.252\",\"method\":\"GET\",\"protocol\":\"HTTP/2.0\",\"referer\":\"http://www.investormission-critical.io/24/7/vortals\",\"request\":\"/scale/functionalities/optimize\",\"source_type\":\"stdin\",\"status\":502,\"user-identifier\":\"feeney1708\"}\"\n\t\t}\n\t ]\n\t}"
}
}[transforms.my_transform_id]
type = "aws_cloudwatch_logs_subscription_parser"
inputs = [ "my-source-or-transform-id" ]
field = "message"
---
transforms:
my_transform_id:
type: aws_cloudwatch_logs_subscription_parser
inputs:
- my-source-or-transform-id
field: message
{
"transforms": {
"my_transform_id": {
"type": "aws_cloudwatch_logs_subscription_parser",
"inputs": [
"my-source-or-transform-id"
],
"field": "message"
}
}
}{
"log": {
"id": "35683658089614582423604394983260738922885519999578275840",
"log_group": "test",
"log_stream": "test",
"message": "{\"bytes\":26780,\"datetime\":\"14/Sep/2020:11:45:41 -0400\",\"host\":\"157.130.216.193\",\"method\":\"PUT\",\"protocol\":\"HTTP/1.0\",\"referer\":\"https://www.principalcross-latform.io/markets/ubiquitous\",\"request\":\"/expedite/convergence\",\"source_type\":\"stdin\",\"status\":301,\"user-identifier\":\"-\"}",
"owner": "111111111111",
"subscription_filters": [
"Destination"
],
"timestamp": "2020-09-14T19:09:29.039Z"
}
}How it works
Structured Log Events
Note that the events themselves are not parsed. If they are structured data, you will typically want to pass them through a parsing transform.