How to split Cloudwatch field by its value in insights query

Question

I'm trying to create an AWS dashboard visualization that displays the counts of cache hits vs. misses over a period of time. To do this, I'm setting up a log type dashboard with an insights query on the log. To be as simple as possible, my log is either:

{"cache.hit", true} or {"cache.hit", false} .

I would like for my dashboard to track both possibilities on the same graph, but it seems like I can't without breaking my log up into distinct rows for these values. For example, if my logs were simply:

{"cache.hit.true", true} or {"cache.hit.false", true} , then I could create 2 separate graphs to track these values independently in the dashboard, but that's not as clean.

To get them on one dash, I've tried this, but all it does is display the two fields, and the values for both display fields are the same, when they definitely shouldn't be:

fields @timestamp, @message, cache.hit as cache_hits
| filter cache_hits IN [0, 1]
| display cache_hits = 0 as in_cache_false
| display cache_hits = 1 as in_cache_true
| stat count (in_cache_true), count(in_cache_false) by bin(30s)
| sort @timestamp desc
| limit 20

Answer 1

This query below extracts out the cache hits and cache misses and then works out the cache hit percentage.

fields @timestamp, @message
| filter @message like /cache.hit/
| fields strcontains(@message, "true") as @CacheHit,
         strcontains(@message, "false") as @CacheMiss
| stats sum(@CacheHit) as CacheHits, sum(@CacheMiss) as CacheMisses, sum(@CacheHit) / (sum(@CacheMiss) + sum(@CacheHit)) * 100 as HitPercentage by bin(30s)
| sort @timestamp desc