Amazon Cloudwatch Logs Insights with JSON fields

Question

I am trying to use Logs Insights with data containing JSON in one of the fields, and to parse the JSON fields

My data looks like the following when I put it in insig

Answer 1

CloudWatch Insights Logs automatically discovers fields for the following log types:

Lambda logs

CloudWatch Logs Insights automatically discovers log fields in Lambda logs, but only for the first embedded JSON fragment in each log event (Note: emphasis mine). If a Lambda log event contains multiple JSON fragments, you can parse and extract the log fields by using the parse command. For more information, see Fields in JSON Logs.

CloudTrail logs

See fields in JSON logs.

Source: Supported Logs and Discovered Fields

If @message is I, [2018-12-11T13:20:27] INFO -- : {"method":"GET"}

Then you can select and filter the fields like so:

fields @timestamp, @message, method
| filter method = "GET"
| sort @timestamp desc

It works with nested fields too, i.e. params.format = "json" or results.0.firstName = "Paul".