尝试运行包含reqHeaders.x-forwarded-for的CloudWatch Insights查询,例如
fields @timestamp, status, err, method, url, req_id, reqHeaders.x-forwarded-for
| filter status >= 400
| sort @timestamp desc
| limit 10
,尽管该字段在@message中已正确解析,但始终为空。我怀疑这是由于子字段名称中的连字符引起的。有人知道如何重新格式化查询以使其显示吗?
编辑:这是一个日志消息示例(纯JSON,我刚刚对其进行了格式化)
{
"cache": null,
"client": "172.31.10.31",
"component": "server",
"err": "Invalid access token",
"hostname": "0da665ab5653",
"level": 30,
"method": "PUT",
"msg": "REQ: 401 PUT /api/xxxxxxxxxx",
"name": "rocket",
"pid": 10,
"reqHeaders": {
"accept-encoding": "gzip",
"cloudfront-forwarded-proto": "https",
"cloudfront-is-desktop-viewer": "true",
"cloudfront-is-mobile-viewer": "false",
"cloudfront-is-smarttv-viewer": "false",
"cloudfront-is-tablet-viewer": "false",
"cloudfront-viewer-country": "XX",
"content-length": "74",
"content-type": "application/json; charset=UTF-8",
"host": "xxxxxxxxxx",
"user-agent": "okhttp/3.10.0",
"via": "2.0 28b8fcaccf73021230d8e4a6c3d9e81e.cloudfront.net (CloudFront)",
"x-amz-cf-id": "UqaCCZL9XDze9baJM5dq1fexhqaX9_Qurg2i88A3m-pfrK68Bx93mg==",
"x-amzn-trace-id": "Root=1-5de37d7b-9e9d1ee0ad828a4e316b4f5c",
"x-forwarded-for": "70.31.103.92, 64.252.147.153",
"x-forwarded-port": "443",
"x-forwarded-proto": "https",
"x-newrelic-id": "VgYOV1RaDRADU1RUBwgFUVA=",
"x-request-id": "Root=1-5de37d7b-9e9d1ee0ad828a4e316b4f5c"
},
"reqTime": "2019-12-01T08:44:43.955Z",
"req_id": "Root=1-5de37d7b-9e9d1ee0ad828a4e316b4f5c",
"resMs": 1,
"route": "/api/xxxxxxxxxx",
"routeName": "putapixxxxxxxxxx",
"status": 401,
"time": "2019-12-01T08:44:43.956Z",
"url": "/api/xxxxxxxxxx",
"v": 0
}
答案 0 :(得分:1)
将其放在“`”之间
fields @timestamp, status, err, method, url, req_id, `x-forwarded-for`
答案 1 :(得分:0)
自己找到了
fields @timestamp, status, err, method, url, req_id
| parse @message '"x-forwarded-for":"*"' as ip
| filter status >= 400
| sort @timestamp desc
| limit 10