尝试运行包含reqHeaders.x-forwarded-for以下内容的 CloudWatch Insights 查询:
fields @timestamp, status, err, method, url, req_id, reqHeaders.x-forwarded-for
| filter status >= 400
| sort @timestamp desc
| limit 10
但该字段始终为空,尽管已正确解析@message。我怀疑这是因为子字段名称中的连字符。有谁知道如何重新格式化查询以使其显示?
编辑:这是一个日志消息示例(纯 JSON,我只是对其进行了格式化)
{
"cache": null,
"client": "172.31.10.31",
"component": "server",
"err": "Invalid access token",
"hostname": "0da665ab5653",
"level": 30,
"method": "PUT",
"msg": "REQ: 401 PUT /api/xxxxxxxxxx",
"name": "rocket",
"pid": 10,
"reqHeaders": {
"accept-encoding": "gzip",
"cloudfront-forwarded-proto": "https",
"cloudfront-is-desktop-viewer": "true",
"cloudfront-is-mobile-viewer": "false",
"cloudfront-is-smarttv-viewer": "false",
"cloudfront-is-tablet-viewer": "false",
"cloudfront-viewer-country": "XX",
"content-length": "74",
"content-type": "application/json; charset=UTF-8",
"host": "xxxxxxxxxx", …amazon-cloudwatch amazon-cloudwatchlogs aws-cloudwatch-log-insights