Performing Case-Insensitive Searches in CloudWatch Grafana Dashboards
Recently, I was working on a Grafana dashboard that visualizes AWS WAF logs stored in a CloudWatch log group. One of my tasks was to filter logs based on the user-agent, but I quickly ran into a problem. The user-agent values appeared with inconsistent casing. My initial searches weren’t capturing all variations, leading to incomplete results.
I needed a way to search for a specific user-agent in a case-insensitive manner. This was my initial query for the visualisation:
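```
fields @timestamp, @message
| filter action like "ALLOW"
| parse @message '{"name":"user-agent","value":"*"}' as useragent
# "like" with a quoted string is a case-sensitive substring match
| filter useragent like "$useragentsearch"
| sort @timestamp desc
# WAF log field names are camelCase (httpRequest.uri, httpRequest.httpMethod)
| display @timestamp, useragent, httpRequest.uri, httpRequest.httpMethod
```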
After a bit of trial and error, I discovered that CloudWatch supports case-insensitive regex by using the `(?i)` flag. This simple addition to my query solved the problem beautifully. Here’s the syntax I used: `/(?i)$useragentsearch/`
Here’s how I implemented this in my WAF log group query:
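```
fields @timestamp, @message
| filter action like "ALLOW"
| parse @message '{"name":"user-agent","value":"*"}' as useragent
# (?i) makes the regex match regardless of case
| filter useragent like /(?i)$useragentsearch/
| sort @timestamp desc
# WAF log field names are camelCase (httpRequest.uri, httpRequest.httpMethod)
| display @timestamp, useragent, httpRequest.uri, httpRequest.httpMethod
```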
Now the query scans the log group for entries where the user-agent matches the case-insensitive pattern provided. Working with AWS WAF logs often involves handling messy, inconsistent data. Learning to use case-insensitive regex in CloudWatch queries not only saved me time but also improved the reliability of the dashboard.
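The same filter can be checked offline before it goes into a dashboard. The sketch below is an added example, not code from the original post: it uses Python's `re` as an approximation of CloudWatch's regex matching, runs over constructed WAF-style records, and goes one step beyond the post by escaping regex metacharacters in the search term and by comparing the header name case-insensitively as well. The names `regex_literal` and `matching_requests` are hypothetical.

```python
import json
import re

# Constructed sample records shaped like AWS WAF log entries (not real traffic).
SAMPLE_LOGS = [
    '{"action":"ALLOW","httpRequest":{"uri":"/","httpMethod":"GET","headers":[{"name":"user-agent","value":"curl/8.4.0"}]}}',
    '{"action":"ALLOW","httpRequest":{"uri":"/login","httpMethod":"POST","headers":[{"name":"User-Agent","value":"CURL/7.61.1"}]}}',
    '{"action":"BLOCK","httpRequest":{"uri":"/admin","httpMethod":"GET","headers":[{"name":"user-agent","value":"Curl/8.0"}]}}',
    '{"action":"ALLOW","httpRequest":{"uri":"/a","httpMethod":"GET","headers":[{"name":"user-agent","value":"Mozilla/5.0 (X11; Linux)"}]}}',
]


def regex_literal(term: str) -> str:
    """Escape a free-text term so it matches literally inside /(?i).../."""
    # Backslash-escape regex metacharacters and "/", which delimits the regex
    # in the query. Assumption: the search box holds plain text, not a pattern.
    return re.sub(r"([\\.^$|?*+()\[\]{}/])", r"\\\1", term)


def matching_requests(lines, term, ignore_case=True):
    """Return (uri, user-agent) for ALLOW records whose user-agent contains term."""
    prefix = "(?i)" if ignore_case else ""
    pattern = re.compile(prefix + regex_literal(term))
    hits = []
    for line in lines:
        record = json.loads(line)
        if record["action"] != "ALLOW":
            continue
        for header in record["httpRequest"]["headers"]:
            # Header names also vary in case between clients, so normalise them.
            if header["name"].lower() == "user-agent" and pattern.search(header["value"]):
                hits.append((record["httpRequest"]["uri"], header["value"]))
    return hits


if __name__ == "__main__":
    print("case-sensitive:  ", matching_requests(SAMPLE_LOGS, "curl", ignore_case=False))
    print("case-insensitive:", matching_requests(SAMPLE_LOGS, "curl"))
    print("literal '5.0 (': ", matching_requests(SAMPLE_LOGS, "5.0 ("))
```

Without the escaping step, a term such as `5.0 (` is not a valid regex, and a term such as `.` matches every user-agent.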