5

I am using AWS Cloudwatch Insights and running a query like this:

fields @message, @timestamp
| filter strcontains(@message, "Something of interest happened")
| stats count() as interestCount by bin(10m) as tenMinuteTime
| stats max(interestCount) by datefloor(tenMinuteTime, 1d)

However, on the last line, I get the following error:

mismatched input 'stats' expecting {K_PARSE, K_SEARCH, K_FIELDS, K_DISPLAY, K_FILTER, K_SORT, K_ORDER, K_HEAD, K_LIMIT, K_TAIL}

It would seem to mean from this that I cannot take multiple layers of stat queries in Insights, and thus cannot take a statistic of a statistic. Is there a way around this?

TheHans255
  • 2,059
  • 1
  • 19
  • 36

1 Answers1

7

You cannot currently use multiple stat commands and from what I know there is no direct way around that at this time. You can however thicken up your single stat command and separate by comma, like so:

fields @message, @timestamp
| filter strcontains(@message, "Something of interest happened")
| stats count() as @interestCount, 
max(interestCount) as @maxInterest, 
interestCount by bin(10m) as @tenMinuteTime

You define fields and use functions after stats and then process those result fields.

Ozone
  • 1,337
  • 9
  • 18
  • 5
    As a note: the `@` in the variable name is not required. Variables that aws provides automatically (such as @timestamp and @message and a few others) are all prefixed with @ - but for your internal variables you dont have to. Just a note for anyone looking in here! – lynkfox Apr 15 '22 at 18:27