1

I have a CloudWatch log group where all the logs are JSON objects that look like

{
   "job-name": "bb0e964b-a7f8-41e3-b1fc-8de4306c0b84",
   "event-name": "PERSIST_LAMBDA_INVOKED",
   "log-message": "Persistence lambda invoked for line 238."
}

I'm trying to get all messages where event-name is "HUMAN_TASK_FAILED".

Note that event-name is a discovered field.

However, the following query doesn't return any matches:

fields @timestamp, @message, strcontains(event-name, "HUMAN_TASK_FAILED") as found 
| filter found = 1

I've also tried running the query below to debug,

fields @timestamp, @message, strcontains(event-name, "HUMAN_TASK_FAILED") as found

but the found column is always blank (even when event-name is "HUMAN_TASK_FAILED").

1 Answer

-1

Both queries are ok. The problem is related to the field format.

It seems that CloudWatch Logs Insights does not work well with fields containing a hyphen ("-"). I tested changing event-name to event_name in the log events, ran the query, and it works fine.


OARP
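The rename described in the answer can be applied where the events are written, so that no hyphenated key reaches the log group. The following is an added example, not code from the question or the answer; the function names `normalize_keys` and `to_log_line` are hypothetical, and the sample event is the one from the question.

```python
import json


def normalize_keys(value):
    """Recursively rename object keys, replacing '-' with '_'.

    Only keys are changed. Values such as the job UUID keep their hyphens.
    """
    if isinstance(value, list):
        return [normalize_keys(item) for item in value]
    if not isinstance(value, dict):
        return value
    renamed = {}
    for key, item in value.items():
        new_key = key.replace("-", "_")
        # Refuse to silently overwrite a field, e.g. when an event
        # carries both "event-name" and "event_name".
        if new_key in renamed:
            raise ValueError(f"key collision after renaming: {key!r} -> {new_key!r}")
        renamed[new_key] = normalize_keys(item)
    return renamed


def to_log_line(event):
    """Serialize one event as the single-line JSON written to the log stream."""
    return json.dumps(normalize_keys(event), separators=(",", ":"))


# Sample event copied from the question.
SAMPLE = {
    "job-name": "bb0e964b-a7f8-41e3-b1fc-8de4306c0b84",
    "event-name": "PERSIST_LAMBDA_INVOKED",
    "log-message": "Persistence lambda invoked for line 238.",
}

if __name__ == "__main__":
    print(to_log_line(SAMPLE))
```

With events written this way, the question's query refers to event_name instead of event-name.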