Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Parse cloudwatch logs using filter patterns

Tags:

amazon-web-services

amazon-cloudwatch

I have this line of lambda function log in cloudwatch that I receive by mail : 

 /aws/lambda/sns-function | 2017/01/10/[$LATEST]425d9138c8d54ab57l0766ba74fdfd4p | 2017-01-10T00:04:30.734Z | 2017-01-10 00:04:30,734 :: ERROR :: error creating /tmp/tmpkRWp3S_20170110/file20170115.tar.gz: Command `['/bin/tar', '--create', '-z', '--file', u'/tmp/tmpkRWp3S_20170110/file20170115.tar.gz', '--', './']' returned non-zero exit status 1

As explained in this doc I want to put filter patterns to get only the important data. For me, I want to get the date only once because in the line above, I have twice this information: 2017-01-10T00:04:30.734Z I tried to use a pattern like this :

[...,timestamp,level,message=*ERROR*,...]

but I got this error:

2017-01-17 10:45:58,091 :: ERROR :: logGroup: '/aws/lambda/sns-function' - logStream: 'None'
2017-01-17 10:45:58,091 :: ERROR :: An error occurred (InvalidParameterException) when calling the FilterLogEvents operation: Duplicate field '...'

How can I parse the log to get the date once ?

like image 767
JavaQueen Avatar asked Jan 17 '17 09:01

JavaQueen

People also ask

How do you aggregate CloudWatch logs?

To run a query with an aggregation functionOpen the CloudWatch console at https://console.aws.amazon.com/cloudwatch/ . In the navigation pane, choose Logs, and then choose Logs Insights. In the Select log group(s) drop down, choose one or more log groups to query.

1 Answers

Metric filters help you search for and match terms, phrases, or values in your log events. They do not remove values from the log event (the timestamp in your case). You could modify your script to exclude the timestamp from the output (since it is already included).

Also, you're using a metric filter for space-delimited log events. Your delimiter seems to be ::, which wouldn't work in this case. The metric filter will interpret this as a single field. If you want to use this metric filter, you can enclose each field in square brackets [] or two double quotes "".

For example, you can use this pattern [timestamp, result=ERROR, message, exit_status=*1*] for the following log event:

[2017-01-10 00:04:30,734] [ERROR] "error creating /tmp/tmpkRWp3S_20170110/file20170115.tar.gz: Command `['/bin/tar', '--create', '-z', '--file', u'/tmp/tmpkRWp3S_20170110/file20170115.tar.gz', '--', './']' returned non-zero" "exit status 1"

NOTE: The reason for the error is that ellipsis should occur only once in the pattern.

like image 145
Khalid T. Avatar answered Oct 30 '22 15:10

Khalid T.
Sign in to Comment

Related questions

Dynamo DB Increment/Unique id generation
Redshift COPY command with "^A" delimiter
Amazon S3 bucket policy for uploading and viewing pictures
Domain name and route53 issue
Does Amazon offer a way to reserve AWS S3 bucket name prefixes?
How to configure AWS S3 to allow POST to work like GET
How do I specify multiple bootstrap actions using aws cli?
How can I make celery die after there are no more tasks to be run?
How do I use AWS S3 without Amazon Cognito?
Will Route53 private hosted zone work over AWS VPC Peering
Multi node cluster installation with h2o on AWS EC2
Terraform remote state s3 bucket creation included in the state file?
Does enabling S3 versioning affect the existing files
Ansible Script dpkg lock on aws launch ubuntu 16.04
Amazon Cloudfront timeout error
Terraform load balancer with multiple listeners
"docker-machine rm" failing on non-existent EC2 instance
AWS Host Multiple Domains On One EC2 Instance
How to use aws athena using nodejs?
Calculate the size of all files in a bucket S3

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!