docs(aws): Removing JSON explanation in the include at match documentation (#1007)

ViBiOh · web-flow · commit aa79f3a69bbb · 2025-10-08T16:30:02.000+02:00
Signed-off-by: Vincent Boutour &lt;vincent.boutour@datadoghq.com&gt;
diff --git a/aws/logs_monitoring/README.md b/aws/logs_monitoring/README.md
@@ -468,6 +468,7 @@ For all configuration options and details, including [Multi-Region deployment][2
 [203]: https://docs.datadoghq.com/getting_started/site/#access-the-datadog-site
 [204]: https://app.datadoghq.com/organization-settings/api-keys
 [205]: https://registry.terraform.io/modules/DataDog/log-lambda-forwarder-datadog/aws/latest#multi-region-deployments
+
 {{% /tab %}}
 {{% tab "Manual" %}}
 
@@ -553,15 +554,14 @@ Datadog recommends using at least 10 reserved concurrency, but this defaults to
 `INCLUDE_AT_MATCH`
 : Only send logs matching the supplied regular expression, and not excluded by `EXCLUDE_AT_MATCH`.
 
-Filtering rules are applied to the full JSON-formatted log, including any metadata that is automatically added by the Forwarder. However, transformations applied by [log pipelines][21], which occur after logs are sent to Datadog, cannot be used to filter logs in the Forwarder. Using an inefficient regular expression, such as `.*`, may slow down the Forwarder.
+Filtering rules are applied to the log message as read by the forwarder. Using an inefficient regular expression, such as `.*`, may slow down the Forwarder.
 
 Some examples of regular expressions that can be used for log filtering:
 
-- Include (or exclude) Lambda platform logs: `"(START|END) RequestId:\s`. The preceding `"` is needed to match the start of the log message, which is in a JSON blob (`{"message": "START RequestId...."}`). Datadog recommends keeping the `REPORT` logs, as they are used to populate the invocations list in the serverless function views.
+- Include (or exclude) Lambda platform logs: `(START|END) RequestId:\s`. Datadog recommends keeping the `REPORT` logs, as they are used to populate the invocations list in the serverless function views.
 - Include CloudTrail error messages only: `errorMessage`.
 - Include only logs containing an HTTP 4XX or 5XX error code: `\b[4|5][0-9][0-9]\b`.
-- Include only CloudWatch logs where the `message` field contains a specific JSON key/value pair: `\"awsRegion\":\"us-east-1\"`.
-    - The message field of a CloudWatch log event is encoded as a string. For example,`{"awsRegion": "us-east-1"}` is encoded as `{\"awsRegion\":\"us-east-1\"}`. Therefore, the pattern you provide must include `\` escape characters, like this: `\"awsRegion\":\"us-east-1\"`.
+- Include only CloudWatch logs where the `message` field contains a specific JSON key/value pair: `"awsRegion":"us-east-1"`.
 
 To test different patterns against your logs, turn on [debug logs](#troubleshooting).
 
