2

When you use the AWS API to run a query against Cloudwatch logs, you get back a queryId.

{
   "queryId": "string"
}

You can then call GetQueryResults using that query ID and retrieve results from the query.

{
   "results": [ 
      [ 
         { 
            "field": "string",
            "value": "string"
         }
      ]
   ],
   "statistics": { 
      "bytesScanned": number,
      "recordsMatched": number,
      "recordsScanned": number
   },
   "status": "string"
}

My question is how long are these query results retained? Can I run a query, and come back a month later to get the results? A year later?

I can't seem to find any documentation from Amazon that explains the retention policy. In the absence of an official source, I'll accept answers based on anecdotal experience using this API.

bjmc
  • 2,970
  • 2
  • 32
  • 46

2 Answers2

1

From the CloudWatch Logs quotas page:

Results from a query are retrievable for 7 days. This availability time can't be changed.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch_limits_cwl.html

Peter Stephens
  • 1,040
  • 1
  • 9
  • 23
  • 1
    Thanks for the answer! I don't even use Cloudwatch any more, but here's hoping others will get some value. – bjmc Aug 03 '23 at 10:33
0

as far as i know, the CW Logs retention is "forever" - see the official documentation page

By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention periods between 10 years and one day.

You do get charged when you retrieved such data.

srodriguez
  • 1,937
  • 2
  • 24
  • 42
  • Sorry, maybe it's not clear from the question: I was asking about the query results specifically, not the raw logs that they're derived from. Maybe they also last forever? – bjmc Apr 02 '19 at 16:49
  • ah, sorry. I do not expect the query and its queryid to be persisted indefinitely, but there are no clearly written retention this granular. Is there a reason why you wouldn't resubmit the query and get a new id? – srodriguez Apr 02 '19 at 16:53
  • I have too many matching results to get back from a single query, so I need to run multiple queries over narrower time intervals, and then collect all the results together after the queries complete. I'm wondering how long I can wait to run the collect task, or if I risk older queries expiring? – bjmc Apr 02 '19 at 16:57
  • 1
    blmc, Did you ever find out an answer to this or notice your queries expiring? I've been creating a bunch of queries as part of development - and my describe_queries function is returning a lot of cruft. – MattS Nov 15 '19 at 02:04
  • 1
    Well this sounds promising in the description for Describe Queries: "Returns a list of CloudWatch Logs Insights queries that are scheduled, executing, or have been executed recently in this account." So it sounds like they just fall off after a while. – MattS Nov 15 '19 at 02:10