
Given the following query on CloudWatch, which extracts logs with messages including "entry 1456" (where 1456 is an ID), how should I extend this to take multiple IDs, and what is the corresponding CLI command?

fields  @message
| filter @message like "entry 1456"
| limit 10

To clarify, I'd like to filter with multiple IDs, for instance "like 1456|1257|879". But I'm not sure of the regex format in such a case.

And I assume the corresponding CLI command will be something like:

aws logs filter-log-events 
--log-group-name group_name
--app
--filter-pattern ........

Just want to make sure of the best way to formulate this.

Dejan Peretin
OmaymaS

2 Answers


The syntax would be:

fields  @message
| filter @message like /entry (1456|1257)/
| limit 10

You could also parse the logline first and extract the value, like this:

fields  @message
| parse @message /.*entry (?<id>\d+).*/
| filter id in [1257, 1456]
| limit 10

Now for the CLI, you would not use filter-log-events, but start-query and get-query-results.

Dejan Peretin
    Thanks. The first works with parentheses () `fields @message| filter @message like /entry (1456|1257)/` – OmaymaS Feb 11 '20 at 14:29
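As an added example (not code from the answer or from AWS), a small bash script that assembles the alternation from a list of IDs and runs it through start-query / get-query-results, the CLI path the answer points at. It assumes a configured aws CLI; the log-group name and the IDs are placeholders passed on the command line, and the time window (last hour) is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Builds the Logs Insights
# query for several IDs and runs it with start-query / get-query-results.
# Assumes the aws CLI is configured; log group and IDs are placeholders.
set -eu

# Join IDs into a regex alternation: "1456 1257 879" -> "1456|1257|879".
# Only digit-only IDs are accepted, so nothing needs regex escaping.
join_ids() {
    local out="" id
    for id in "$@"; do
        case "$id" in
            *[!0-9]*) echo "rejecting non-numeric id: $id" >&2; return 1 ;;
        esac
        out="${out:+$out|}$id"
    done
    printf '%s' "$out"
}

# Build the query. Parentheses form a group for the alternation;
# square brackets would be a character class matching single characters.
build_query() {
    local limit="$1"; shift
    printf 'fields @message | filter @message like /entry (%s)/ | limit %s' \
        "$(join_ids "$@")" "$limit"
}

# Start the query, poll until it finishes, print the results as JSON.
run_insights_query() {
    local log_group="$1" query="$2" query_id status end_time start_time
    end_time=$(date +%s)
    start_time=$((end_time - 3600))   # assumed window: last hour
    query_id=$(aws logs start-query \
        --log-group-name "$log_group" \
        --start-time "$start_time" --end-time "$end_time" \
        --query-string "$query" \
        --query 'queryId' --output text)
    while :; do
        status=$(aws logs get-query-results --query-id "$query_id" \
            --query 'status' --output text)
        case "$status" in
            Complete) break ;;
            Failed|Cancelled|Timeout) echo "query $status" >&2; return 1 ;;
        esac
        sleep 2
    done
    aws logs get-query-results --query-id "$query_id" --query 'results'
}

# Usage: ./insights.sh run <log-group-name> 1456 1257 879
if [ "${1:-}" = "run" ]; then
    shift
    log_group="$1"; shift
    run_insights_query "$log_group" "$(build_query 10 "$@")"
fi
```

start-query returns a queryId and the results arrive asynchronously, so the loop polls get-query-results until the status is Complete; the digit check in join_ids keeps a stray value from changing the shape of the regex.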

Just for visibility and copy/paste ability, the current correct syntax is:

fields @message
| filter @message like /entry (1457|1458)/
| limit 20

Higgs Bogson