Supported Logs and Discovered Fields
Overview
CloudWatch Logs Insights provides structured analysis of different AWS service logs by automatically generating system fields and discovering relevant log fields. It supports advanced querying of both standard and custom logs using a purpose-built query language.
Key System Fields Automatically Generated:
@message: Raw, unparsed log event.@timestamp: Timestamp when the event occurred.@ingestionTime: Time the log was ingested by CloudWatch Logs.@logStream: Name of the log stream where the event resides.@log: Identifier in the formaccount-id:log-group-name(helps identify log groups across multiple queries).
Log Field Discovery by Log Type:
VPC Flow Logs: Includes fields like
accountId,interfaceId,srcAddr,dstPort,packets, andprotocol.Route 53 Logs: Captures fields such as
edgeLocation,queryName,responseCode, andresolverIp.Lambda Logs: Includes Lambda-specific metrics such as
@requestId,@duration,@memorySize, and optional X-Ray fields (@xrayTraceId).CloudTrail Logs: Handled as JSON logs with fields accessible using dot notation.
Custom Logs: For logs without auto-discovered fields, use the
parsecommand to extract data.
Dot Notation for JSON Logs:
Access Nested Fields: Example:
"userIdentity.type"retrieves the value of thetypefield insideuserIdentity.Access Array Elements: Example:
"requestParameters.instancesSet.items.0.instanceId"retrieves the firstinstanceId.
Sample Query Using Dot Notation:
fields @timestamp, @message
| filter requestParameters.instancesSet.items.0.instanceId="i-abcde123"
| sort @timestamp descThis query retrieves log events where the instanceId matches "i-abcde123" and sorts them by timestamp in descending order.
Additional Notes:
Log Class Limitation: Field discovery is available only in Standard log class groups.
Naming Convention: CloudWatch Logs Insights adds
@to its generated fields. If a log field name already contains@, it will be displayed with an additional@(e.g.,@@example.com).
Last updated