AWS Cloudwatch Filter and Pattern Syntax
I'm following the instructions here https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html

but it's not working as I'm expecting it to.

I currently have the following cloudwatch log subscription filter pattern: ? "UNKNOWN_TOPIC_OR_PARTITION" ? " SEVERE " ? " severe " ? " FATAL " ? " fatal " - "closing session"

I would like to match any pattern with " fatal " whilst excluding "closing session" from the results.

However, the above filter is matching other log output (screenshot of the matched lines not reproduced here).

Ordure answered 21/5, 2019 at 13:49 Comment(0)
31

You can't with an event filter in CloudWatch... but you can with Logs Insights.

CloudWatch -> CloudWatch Logs -> Logs Insights

Or

CloudWatch -> CloudWatch Logs -> Log groups -> [your service logs] -> [Button Logs Insights]

(Logs Insights UI screenshot not reproduced here)

  1. Log service: pick which of your services' logs you want to track.
  2. In this part you can select the time range.
  3. Here you have your query box, where you can write queries like SQL.

So in your case you can put this in the query box:

fields @timestamp, @message
| sort @timestamp desc
| filter @message like /SEVERE|severe|FATAL|fatal|closing session/ 

Now click on Run query and you will see only the logs that match those filters.

Clute answered 27/9, 2020 at 17:55 Comment(3)
This doesn't exclude "closing session"Withal
You can use and @message not like /closing session/ in the filter to exclude the logs with that sentence.Beadledom
Doesn't answer the question because a log insights expression cannot be used in FiltersZacynthus
19

Try this Filter pattern:

[(w1="*UNKNOWN_TOPIC_OR_PARTITION*" || w1="*SEVERE*" || w1="*severe*" || w1="*FATAL*" || w1="*fatal*") && w1!="*closing session*"]
Calculous answered 11/6, 2021 at 9:26 Comment(4)
This works! But out of curiosity… where is that syntax documented?Pood
@DanielBang you can find more details here: docs.aws.amazon.com/AmazonCloudWatch/latest/logs/…. Section: Using pattern matching to match terms in space-delimited log eventsCalculous
Thanks! I actually looked at that document before coming here but didn’t get to that part.Pood
I have similar question. #74996339Gorky
3

This bit, in combination with all the ORs, is causing you problems: - "closing session". Try removing it and seeing if the rest is matching as expected.

I don't know the syntax to get what you need in a single filter, but to get the same result you can create a separate log filter for each string you want to match. In this case that would be:

  • "UNKNOWN_TOPIC_OR_PARTITION" - "closing session"
  • " SEVERE " - "closing session"
  • " severe " - "closing session"
  • " FATAL " - "closing session"
  • " fatal " - "closing session"

Now you have 5 different metrics. You can use metric math to sum them up, which will give you the metric you need. See here on how to use metric math:

Dree answered 25/5, 2019 at 9:2 Comment(6)
I'm trying to combine all that into a single filter and can't get it to work. So far I've tried: ? "UNKNOWN_TOPIC_OR_PARTITION" - "closing session" ? " SEVERE " - "closing session" ? " severe " - "closing session" ? " FATAL " - "closing session" ? " fatal " - "closing session"Ordure
My answer is to split it into multiple filters. Not sure how to get it in one filter.Dree
can't split... you can only have a single cloudwatch log filter subscription per log group which can't be changed.... docs.aws.amazon.com/AmazonCloudWatch/latest/logs/…Ordure
You are creating metric filters, not subscription filters. Limit is 100.Dree
Nope, I'm creating a CloudWatch subscription filter, not a metric filter.Ordure
Edit the question then to say so. You have more flexibility in that case, you can do extra processing in the lambda.Dree
0

Finally figured out how to make it work for JSON log data. Mine are Fluent Bit add-on logs generated from my EKS pods; this example works perfectly for me. The xxxxxxx in the test data are just me anonymising it.

My use case is to filter by:

  1. an error string in the log: "400" or "500"
  2. kubernetes.namespace_name containing the string "prod" or "stage"

Filter pattern to create the CloudWatch metric filter:

{ ($.log = "*400*" || $.log = "*500*" ) && ($.kubernetes.namespace_name = "*prod*" || $.kubernetes.namespace_name = "*stage*")}

Example events for testing:

    {"time":"2024-06-20T19:37:54.143939587Z","stream":"stdout","_p":"F","log":"INFO:     xxxxxxx - \"GET /healthz HTTP/1.1\" 200 OK","kubernetes":{"pod_name":"dummy-75c4c7f78d-vv4pk","namespace_name":"dummy-dev","pod_id":"88853af3-7911-4c07-8ab9-d1a90d875242","host":"ip-xxxxxxxxxx.us-east-2.compute.internal","container_name":"dummy","docker_id":"xxxxxxxxxx","container_hash":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy@sha256:470eed44a3d65d95def5f8387f2a127f8f29eee94ed14994044093a6ff5332ef","container_image":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy:dev-build-1986d44-v1.0.0"}}
{"time":"2024-06-20T19:38:09.143560164Z","stream":"stdout","_p":"F","log":"INFO:     xxxxxxxxxx:36824 - \"GET /healthz HTTP/1.1\" 400 OK","kubernetes":{"pod_name":"dummy-75c4c7f78d-vv4pk","namespace_name":"dummy-prod","pod_id":"88853af3-7911-4c07-8ab9-d1a90d875242","host":"ip-xxxxxxxxxx.us-east-2.compute.internal","container_name":"dummy","docker_id":"xxxxxxxxxx","container_hash":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy@sha256:470eed44a3d65d95def5f8387f2a127f8f29eee94ed14994044093a6ff5332ef","container_image":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy:dev-build-1986d44-v1.0.0"}}
{"time":"2024-06-20T19:38:24.143866118Z","stream":"stdout","_p":"F","log":"INFO:     xxxxxxxxxx:49414 - \"GET /healthz HTTP/1.1\" 400 OK","kubernetes":{"pod_name":"dummy-75c4c7f78d-vv4pk","namespace_name":"dummy-stage","pod_id":"88853af3-7911-4c07-8ab9-d1a90d875242","host":"ip-xxxxxxxxxx.us-east-2.compute.internal","container_name":"dummy","docker_id":"xxxxxxxxxx","container_hash":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy@sha256:470eed44a3d65d95def5f8387f2a127f8f29eee94ed14994044093a6ff5332ef","container_image":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy:dev-build-1986d44-v1.0.0"}}

Cheers, upvote if this helps someone who came looking for some examples. Putting it here as I landed here while looking for this.

Tip: ChatGPT and the docs help :P

Showman answered 20/6, 2024 at 20:11 Comment(0)
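As an added, offline check for the two `=` / `!=` patterns on this page (the accepted space-delimited pattern with a single w1 field, and the JSON pattern in the last answer), here is a small Python emulator of that slice of the filter-pattern syntax. It is example code written for this page, not AWS's matcher and not any answerer's code. It assumes that a lone w1 binds the whole event line (which is what the accepted pattern relies on), that a missing JSON field never satisfies `=`, and it does not model the `?` / `-` term syntax from the question. The sample patterns and log lines are constructed for the example.

```python
"""Offline emulator for the slice of CloudWatch Logs filter-pattern syntax this page
uses: $.json selectors, the space-delimited field w1, = and != with * wildcards, ||,
&& and parentheses. Added example, not AWS code: `aws logs test-metric-filter` runs
the real matcher; this only lets you reason about a pattern without an account."""
import json
import re

# JSON selector | w-field | operator | bracket | quoted string | anything else
_TOKEN = re.compile(r'\$\.[\w.]+|w\d+|!=|=|\|\||&&|[()\[\]{}]|"[^"]*"|\S+')

def tokenize(pattern):
    tokens = []
    for tok in _TOKEN.findall(pattern):
        if tok.startswith('"'):
            tokens.append(("str", tok[1:-1]))
        elif re.fullmatch(r"\$\.[\w.]+|w\d+", tok):
            tokens.append(("field", tok))
        elif tok in ("(", ")", "=", "!=", "||", "&&"):
            tokens.append(("op", tok))
        elif tok not in ("[", "]", "{", "}"):  # outer brackets only mark the pattern kind
            raise ValueError(f"unsupported token {tok!r} (the ? / - term syntax is not modelled)")
    return tokens

def parse(tokens):
    """expr := term ('||' term)*; term := factor ('&&' factor)*; factor := '(' expr ')' | field op "str"."""
    pos = [0]
    peek = lambda: tokens[pos[0]] if pos[0] < len(tokens) else (None, None)
    def take(kind, want=None):
        tok = peek()
        if tok[0] != kind or want not in (None, tok[1]):
            raise ValueError(f"expected {want or kind}, got {tok}")
        pos[0] += 1
        return tok[1]
    def chain(sub, op, kind):  # sub (op sub)*, left-associative; && binds tighter than ||
        node = sub()
        while peek() == ("op", op):
            pos[0] += 1
            node = (kind, node, sub())
        return node
    def factor():
        if peek() == ("op", "("):
            pos[0] += 1
            node = expr()
            take("op", ")")
            return node
        field, op = take("field"), take("op")
        if op not in ("=", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", field, op, take("str"))
    term = lambda: chain(factor, "&&", "and")
    expr = lambda: chain(term, "||", "or")
    ast = expr()
    if peek() != (None, None):
        raise ValueError(f"trailing tokens {tokens[pos[0]:]}")
    return ast

def _eval(node, event):
    if node[0] == "or":
        return _eval(node[1], event) or _eval(node[2], event)
    if node[0] == "and":
        return _eval(node[1], event) and _eval(node[2], event)
    _, field, op, pattern = node
    # Assumption: w1 binds the whole line (what the accepted answer's single-field
    # pattern relies on); $.a.b walks the parsed JSON object.
    value = event
    for key in (field[2:].split(".") if field != "w1" else []):
        if not isinstance(value, dict) or key not in value:
            return op != "="  # assumption: a missing field never satisfies '='
        value = value[key]
    regex = ".*".join(map(re.escape, pattern.split("*")))  # '*' is the only wildcard
    hit = re.fullmatch(regex, str(value), re.S) is not None
    return hit if op == "=" else not hit

def matches(pattern, line):
    """True if one log line matches. A JSON pattern ({...}) is evaluated against the
    parsed object and never matches a line that is not valid JSON."""
    ast = parse(tokenize(pattern))
    if pattern.lstrip().startswith("{"):
        try:
            line = json.loads(line)
        except ValueError:
            return False
    return _eval(ast, line)

def select(pattern, lines):
    return [ln for ln in lines if matches(pattern, ln)]

# Constructed sample data (not from a live system): the page's two patterns and lines chosen to exercise include / exclude.
JSON_PATTERN = '{ ($.log = "*400*" || $.log = "*500*") && ($.kubernetes.namespace_name = "*prod*" || $.kubernetes.namespace_name = "*stage*") }'
JSON_LINES = [
    '{"log": "GET /healthz 400 OK", "kubernetes": {"namespace_name": "dummy-prod"}}',
    '{"log": "GET /orders 500 error", "kubernetes": {"namespace_name": "dummy-dev"}}',
    '{"log": "GET /orders 500 error", "kubernetes": {"namespace_name": "dummy-stage"}}',
    'not json: 500 error in dummy-prod',
]
TEXT_PATTERN = '[(w1="*UNKNOWN_TOPIC_OR_PARTITION*" || w1="*SEVERE*" || w1="*severe*" || w1="*FATAL*" || w1="*fatal*") && w1!="*closing session*"]'
TEXT_LINES = [
    "2019-05-21 13:49:00 FATAL broker lost quorum",
    "2019-05-21 13:49:01 fatal error, closing session 0x1a2b",
    "2019-05-21 13:49:02 WARN UNKNOWN_TOPIC_OR_PARTITION for topic orders",
]
```

`select(TEXT_PATTERN, TEXT_LINES)` keeps the FATAL and UNKNOWN_TOPIC_OR_PARTITION lines and drops the one containing "closing session", which is the behaviour the question asked for; `select(JSON_PATTERN, JSON_LINES)` keeps only the 400/prod and 500/stage events. Before attaching a pattern to a log group, run it through the real matcher with the CLI, `aws logs test-metric-filter --filter-pattern '<pattern>' --log-event-messages '<line 1>' '<line 2>'`, which returns the subset of messages that match; the emulator above only helps reason about precedence, wildcards and exclusion without an AWS account.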
