In this case you are extracting values from Space-Delimited Log Events so you have to define every field based on the blank spaces.
The filter pattern you should use is:
[,field2 = *Query*, query_time_value>1800,...]
Explanation:
- The first field (text before the first space) is irrelevant in the filter so it is not declared
- The second field needs to be filtered as Query to ensure that only the desired logs are included in the filter
- The third field is the current value of the query time, so here is the filter ( >1800)
- The next fields are not needed so they are ignored using "..."
In this way your metric filter should work. I have tested it based on your logs and this is the result:
Test result metric filter
Update
According to your log structure you print querytime in 2 different formats. You would need 2 different filter patterns:
[,,,,,,,,,,,,f13=*Query*,querytimevalue>18,...]
and
[,,,,,,,,f9=*Query*,querytimevalue>18,...]
Another easier option to filter this is using CloudWatch Insights and filter with this query:
parse @message '*Query_time: * *' as f1, querytime, f2
| display querytime
| filter querytime > 18
Consider that CloudWatch Insights does not allow you to create metrics or alarms based on this query but you can see it in a dashboard.
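The following is an added example, not part of the original answer: a local Python helper that finds which space-delimited field holds the Query marker, builds a pattern in the same shape as the two above, and shows why one pattern cannot cover both log layouts. The log lines are constructed samples, the function names are hypothetical, and the tokenizer is only a local approximation of CloudWatch's splitting (whitespace separates fields; text inside [] or "" stays one field).

```python
import re

# Local approximation of space-delimited splitting: whitespace separates
# fields, and text inside [] or "" is kept together as a single field.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample lines: the Query marker is field 9 in one, field 13 in the other.
LINE_A = ("2021-03-01 10:00:00 host1 mysqld 4242 Note slowlog user=app "
          "Query_time: 25.3 Lock_time: 0.01")
LINE_B = ("2021-03-01 10:00:05 host1 mysqld 4242 Note slowlog user=app "
          "db=shop conn=7 schema=main thread=3 Query_time: 12.0 Lock_time: 0.00")

def fields(line):
    return TOKEN.findall(line)

def locate(line, marker="Query"):
    """Return (1-based index of the first field containing marker, value of the next field)."""
    toks = fields(line)
    for i, tok in enumerate(toks):
        if marker in tok:
            if i + 1 >= len(toks):
                raise ValueError("no value field after the marker")
            return i + 1, float(toks[i + 1])
    raise ValueError("marker not found")

def build_pattern(index, threshold, marker="Query"):
    """Build a pattern shaped like the answer's: unnamed leading fields, then the two named ones."""
    skipped = "," * (index - 1)
    return f"[{skipped}f{index}=*{marker}*,querytimevalue>{threshold},...]"

def matches(line, index, threshold, marker="Query"):
    """Positional check: field `index` contains marker and the next field exceeds threshold."""
    toks = fields(line)
    if len(toks) < index + 1:
        return False
    try:
        value = float(toks[index])
    except ValueError:
        return False
    return marker in toks[index - 1] and value > threshold

if __name__ == "__main__":
    for line in (LINE_A, LINE_B):
        idx, value = locate(line)
        print(idx, value, build_pattern(idx, 18), matches(line, idx, 18))
```

Because matching is positional, a line only counts against the pattern built for its own layout, which is why each log format needs its own metric filter.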