Using the example straight from the documentation, in a Lambda function I put:
    console.log(
    {
        "eventType": "UpdateTrail",
        "sourceIPAddress": "111.111.111.111",
        "arrayKey": [
            "value",
            "another value"
        ],
        "objectList": [
            {
                "name": "a",
                "id": 1
            },
            {
                "name": "b",
                "id": 2
            }
        ],
        "SomeObject": null,
        "ThisFlag": true
    })
I then create a logs metric filter in CloudWatch with a filter pattern as specified in the docs example:
    { $.eventType = "UpdateTrail" }
The filter doesn't generate a metric like the documentation says it should - here's the output:
    2017-10-23T13:27:19.320Z 1143e2b0-eea6-4225-88c0-efcd79055f7b { eventType: 'UpdateTrail',
    sourceIPAddress: '111.111.111.111',
    arrayKey: [ 'value', 'another value' ],
    objectList: [ { name: 'a', id: 1 }, { name: 'b', id: 2 } ],
    SomeObject: null,
    ThisFlag: true }
So as you can see the timestamp and the identifier are prepended to the JSON.
An answer in "Amazon Cloudwatch log filtering - JSON syntax" says it is because Lambda turns logs into a string. "How to parse mixed text and JSON log entries in AWS CloudWatch for Log Metric Filter" says much the same. A solution isn't offered in either case. How do you filter CloudWatch logs from Lambda with a JSON Metric Filter?
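Added example, not part of the original post: when `console.log` is given an object, Node writes its inspect representation (unquoted keys, single-quoted strings), which is what the output in the question shows, and that text is not JSON. The sketch below captures both forms and checks whether the message body parses as JSON; `capture`, `lambdaLine` and `jsonBody` are hypothetical helper names, and the log prefix is constructed from the question's output.

```javascript
// Added example. capture, lambdaLine and jsonBody are hypothetical helpers.
// Constructed event with the same fields as the object in the question.
const event = {
  eventType: "UpdateTrail",
  sourceIPAddress: "111.111.111.111",
  arrayKey: ["value", "another value"],
  objectList: [{ name: "a", id: 1 }, { name: "b", id: 2 }],
  SomeObject: null,
  ThisFlag: true,
};

// Return exactly what console.log writes to stdout for the given arguments.
function capture(...args) {
  const original = process.stdout.write;
  let out = "";
  process.stdout.write = (chunk) => { out += chunk; return true; };
  try {
    console.log(...args);
  } finally {
    process.stdout.write = original;
  }
  return out.replace(/\n$/, "");
}

// Constructed log line: timestamp and request id copied from the question's
// output, followed by the message body.
function lambdaLine(body) {
  return `2017-10-23T13:27:19.320Z 1143e2b0-eea6-4225-88c0-efcd79055f7b ${body}`;
}

// Parse everything from the first "{" as JSON; null means it is not JSON.
function jsonBody(line) {
  const start = line.indexOf("{");
  if (start === -1) return null;
  try {
    return JSON.parse(line.slice(start));
  } catch (err) {
    return null;
  }
}

const inspected = lambdaLine(capture(event));                   // object passed directly
const stringified = lambdaLine(capture(JSON.stringify(event))); // JSON text passed

console.log("object passed to console.log parses as JSON:", jsonBody(inspected) !== null);
console.log("JSON.stringify output parses as JSON:", jsonBody(stringified) !== null);
```

Logging `JSON.stringify(obj)` instead of the object itself is what puts JSON text into the log event for a pattern such as `{ $.eventType = "UpdateTrail" }` to evaluate.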