Parse message in CloudWatch Logs Insights

Question

Here are two example messages of the lambda: WARNING:

Field           Value
@ingestionTime  1653987507053
@log    XXXXXXX:/aws/lambda/lambda-name
@logStream 2022/05/31/[$LATEST]059106a15343448486b43f8b1168ec64
@message    2022-05-31T08:58:18.293Z b1266ad9-95aa-4c4e-9416-e86409f6455e WARN error catched and errorHandler configured, handling the error: Error: Error while executing handler: TypeError: Cannot read property 'replace' of undefined
@requestId  b1266ad9-95aa-4c4e-9416-e86409f6455e
@timestamp  1653987498296

ERROR:

Field           Value
@ingestionTime  1653917638480
@log    XXXXXXXX:/aws/lambda/lambda-name
@logStream 2022/05/30/[$LATEST]bf8ba722ecd442dbafeaeeb3e7251024
@message    2022-05-30T13:33:57.406Z 8b5ec77c-fb30-4eb3-bd38-04a10abae403 ERROR Invoke Error {"errorType":"Error","errorMessage":"Error while executing configured error handler: Error: No body found in handler event","stack":["Error: Error while executing configured error handler: Error: No body found in handler event"," at Runtime.<anonymous> (/var/task/index.js:3180:15)"]}
@requestId  8b5ec77c-fb30-4eb3-bd38-04a10abae403
@timestamp  1653917637407
errorMessage    
Error while executing configured error handler: Error: No body found in handler event
errorType   
Error
stack.0 Error: Error while executing configured error handler: Error: No body found in handler event
stack.1 at Runtime.<anonymous> (/var/task/index.js:3180:15)

Can you help me understand how to set up the query in order to have a table with the following columns and their values: from @message extract timestamp, requestID, type (WARN or ERROR), errorMessage and if feasible also the name of the lambda from @log and the @logStream.

score 5 · Answer 1 · answered Jun 16 '22 at 10:25

5

If we'd look at the documentation on AWS Insights parse method

We can use asterisks * to capture details which for you would be:

fields @timestamp, @message, @log, @logStream, @requestId
| parse @message "* * * *" as timestamp, requestId, type, body
| display @timestamp, @requestId, @log, @logStream, body

If you'd like to also capture the error message try to now parse the body as well:

fields @timestamp, @message, @log, @logStream, @requestId
| parse @message "* * * *" as timestamp, requestId, type, body
| parse body "*,\"errorMessage\":\"*\"*" as startBody, errorMessage, endBody
| display @timestamp, @requestId, @log, @logStream, body, errorMessage

Should work but please feel free to look up any additional information in the AWS documentation, they've made it very thorough

answered Jun 16 '22 at 10:25

Shaked Lokits

86
4

thanks but my problem is related to the third * that should be the type (ERROR or WARNING). For example...if i execute the first query you write for this line of log: `2022-06-16T10:53:04.664Z 9608d897-3268-4a3b-bb5c-7a8e2400f968 ERROR not saved changes statuses to database`, i have this situation: - timestamp OK - requestid OK - type KO: changes (instead of ERROR) - body KO: statuses to database (instead of not saved changes statuses to database) – Emanuele Jun 16 '22 at 11:11
WDYM? that sometimes you need the body instead of the errorMessage? – Shaked Lokits Jun 22 '22 at 12:42
i mean that i don't understand why if i put "parse @message "* * * *" as timestamp, requestId, type, body" and then i choose to display type, it doesn't recognize correctly the type (error, warning, info...) that is correctly in the third place of my logs..... – Emanuele Jun 24 '22 at 11:36

Parse message in CloudWatch Logs Insights

1 Answers1