AWS Cloudwatch Filter and Pattern Syntax

amazon-web-services amazon-cloudwatch amazon-cloudwatchlogs amazon-cloudwatch-metrics
Ebrahim Moshaya picture Ebrahim Moshaya · May 21, 2019 · Viewed 14.3k times · Source

I'm following the instructions here https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html

but it's not working as i'm expecting it to.

I currently have the following cloudwatch log subscription filter pattern: ? "UNKNOWN_TOPIC_OR_PARTITION" ? " SEVERE " ? " severe " ? " FATAL " ? " fatal " - "closing session"

I would like to match any patter with " fatal " whilst excluding "closing session" from the results.

However, the above filter is matching other log output:

enter image description here

Answer

Derek Menénedez picture Derek Menénedez · Sep 27, 2020

You can't with event filter in CloudWatch... but you can with Logs Insights

CloudWatch -> CloudWatch Logs -> Logs Insights

Or

CloudWatch -> CloudWatch Logs -> Log groups -> [your service logs] -> [Button Logs Insights]

Logs Insights

Logs Insights UI

  1. Log service (you need to pick what logs of your services will to track
  2. In this part you can select the range of time.
  3. Here you have your querybox and here you can put querys like an SQL

So in your case you can with this in the query box

fields @timestamp, @message
| sort @timestamp desc
| filter @message like /SEVERE|severe|FATAL|fatal|closing session/

Now click on run query and you will see only logs that you want with that filters.

Related questions

send notification alert when AWS Lambda function has an error

I have a AWS Lambda function running some process in my infrastructure. The Lambda is triggered every 8 hours using a CloudWatch rule. I am trying to raise a notification if any error happens into the Lambda process. I tried to …

Read More
My AWS Cloudwatch bill is huge. How do I work out which log stream is causing it?

I got a $1,200 invoice from Amazon for Cloudwatch services last month (specifically for 2 TB of log data ingestion in "AmazonCloudWatch PutLogEvents"), when I was expecting a few tens of dollars. I've logged into the Cloudwatch section of the AWS Console, …

Read More
Cloudwatch Log Alert - How to include error / exception / stack trace data in email notification

I just configured Cloudwatch logs on my ec2 instances and am loving it so far. I also set up alerts for certain keywords, like "ERROR". While the email alert seems to be working fine, I was wondering if there's a …

Read More