I have a pretty straightforward query:
fields @timestamp, req.url, msg
| sort @timestamp desc
| filter msg = "request completed"
| stats count() by req.url
It presents all requests served by my app aggregated by url. However, I would also like to sort the results by the value of aggregate count() - but both | sort count desc and | sort "count()" desc don't work. How can I achieve that?
Use the sort command to display log events in ascending (asc) or descending (desc) order. Use the limit command to specify the number of log events that you want your query to return. Use the parse command to extract data from a log field and create an ephemeral field that you can process in your query.
To run a query with an aggregation function: In the navigation pane, choose Logs, and then choose Logs Insights. In the Select log group(s) drop down, choose one or more log groups to query. You can enter the name of log groups that you want to query in the search bar.
To run a CloudWatch Logs Insights sample query: In the navigation pane, choose Logs, and then choose Logs Insights. On the Logs Insights page, the query editor contains a default query that returns the 20 most recent log events. In the Select log group(s) drop down, choose one or more log groups to query.
Turns out, all I had to do was to use an alias and then sort by it:
fields @timestamp, msg, req.url
| filter msg="request completed"
| stats count() as count by req.url
| sort count desc