- The S3 bucket name is not part of the path, so don’t include the bucket name when you are setting the Path Expression. They are separate entities.
- Amazon path expressions DO NOT use a leading forward slash. To collect all logs at a hierarchical level, use some portion of the source path and a single asterisk as a wildcard. You can use only one wildcard in the path expression.
For example, using /name/* for the path expression would result in no file objects being found, due to the leading forward slash. Instead, use name/*.
In another example, AWS CloudTrail logging generates a new folder every day that looks like this:
To gather all logs under the CloudTrail level, use the file path CloudTrail/*, which will collect files such as:
Another example would be to collect only the objects found in the 2014 path matching .json.gz. To do so, use the file path
Updating Path Expressions
You can update a Path Expression at any time. However, if you change a Path Expression, only new logs will be collected; any logs that existed before the change will not be re-ingested.