21

I have two CloudWatch Insights queries that I would love to be able to run side by side and compare the results of both.

stats count(*) as requestIdCount by @requestId 
| filter @message like /START RequestId/
| filter requestIdCount > 1

stats count(*) as requestIdCount by @requestId 
| filter @message like /END RequestId/
| filter requestIdCount > 1

It would be great to be able to do

fields (
    stats count(*) as requestIdCount by @requestId 
    | filter @message like /END RequestId/
    | filter requestIdCount > 1) as EndRequestCount,
       (
    stats count(*) as requestIdCount by @requestId 
    | filter @message like /START RequestId/
    | filter requestIdCount > 1) as StartRequestCount 

But I don't see any way to do subqueries in insights right now. Is there a method to combine queries like this?

AlexLordThorsen

2 Answers

11

Try this:

# The glob form of parse needs a * wildcard for each extracted field
parse @message 'START RequestId*' as @startRequestId
| parse @message 'END RequestId*' as @endRequestId
| stats count(@startRequestId) as startRequestIdCount, count(@endRequestId) as endRequestIdCount by bin(5m)
| filter startRequestIdCount > 1
| filter endRequestIdCount > 1

CloudWatch Logs Insights Query Syntax

Roberto Rivera

0

You can create logic via the API or CLI in order to use the output of a query as the input of another query.

It works as a script where you make a request, interpret the results, and then issue another request with the results of the first one. It's a bit more work, but I'm not aware of another way to do so.
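
The scripted approach described in this answer, as an added example that is not part of the original answer: it runs the question's two queries through the Logs Insights API and joins the results by `@requestId`. It assumes a boto3 `logs` client; the log group name `/aws/lambda/example-fn`, the function names and the filter-before-stats ordering of the queries are choices made for this example.

```python
import time

# Assumed query text: the question's two queries, with the filter applied before stats.
START_Q = ("filter @message like /START RequestId/ "
           "| stats count(*) as requestIdCount by @requestId "
           "| filter requestIdCount > 1")
END_Q = START_Q.replace("START", "END")


def run_query(logs, log_group, query, start, end, poll=1.0):
    """Start an Insights query, poll until it finishes, return {requestId: count}."""
    qid = logs.start_query(logGroupName=log_group, startTime=start,
                           endTime=end, queryString=query)["queryId"]
    while True:
        resp = logs.get_query_results(queryId=qid)
        if resp["status"] == "Complete":
            break
        if resp["status"] in ("Failed", "Cancelled", "Timeout"):
            raise RuntimeError(f"query {qid} ended as {resp['status']}")
        time.sleep(poll)  # still Scheduled or Running
    counts = {}
    for row in resp["results"]:
        # Each row is a list of {"field": ..., "value": ...} cells; values are strings.
        rec = {cell["field"]: cell["value"] for cell in row}
        counts[rec["@requestId"]] = int(rec["requestIdCount"])
    return counts


def compare(logs, log_group, start, end, poll=1.0):
    """Return {requestId: (startCount, endCount)} for ids seen by either query.

    A 0 means the id was not returned by that query (its count was not > 1).
    """
    starts = run_query(logs, log_group, START_Q, start, end, poll)
    ends = run_query(logs, log_group, END_Q, start, end, poll)
    return {rid: (starts.get(rid, 0), ends.get(rid, 0))
            for rid in sorted(starts.keys() | ends.keys())}


if __name__ == "__main__":
    import boto3  # needs AWS credentials and a region configured
    now = int(time.time())  # start_query takes epoch seconds
    table = compare(boto3.client("logs"), "/aws/lambda/example-fn", now - 3600, now)
    for rid, (s, e) in table.items():
        print(f"{rid}\tSTART={s}\tEND={e}")
```
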