9
votes

I'm following the instructions here https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html

but it's not working as I'm expecting it to.

I currently have the following cloudwatch log subscription filter pattern: ? "UNKNOWN_TOPIC_OR_PARTITION" ? " SEVERE " ? " severe " ? " FATAL " ? " fatal " - "closing session"

I would like to match any pattern with " fatal " whilst excluding "closing session" from the results.

However, the above filter is matching other log output:



3 Answers

7
votes

You can't with an event filter in CloudWatch... but you can with Logs Insights.

CloudWatch -> CloudWatch Logs -> Logs Insights

Or

CloudWatch -> CloudWatch Logs -> Log groups -> [your service logs] -> [Button Logs Insights]

Logs Insights UI

  1. Log service (you need to pick which of your services' logs you want to track).
  2. In this part you can select the time range.
  3. Here you have your query box, where you can write queries like SQL.

So in your case you can use this in the query box:

fields @timestamp, @message
| sort @timestamp desc
| filter @message like /UNKNOWN_TOPIC_OR_PARTITION|SEVERE|severe|FATAL|fatal/ and @message not like /closing session/

Now click Run query and you will see only the logs you want, with those filters.

1
votes

This bit, in combination with all the ORs, is causing you problems: "closing session". Try removing it and seeing if the rest is matching as expected.

I don't know the syntax to get what you need in a single filter, but to get the same result you can create a separate log filter for each string you want to match. In this case that would be:

  • "UNKNOWN_TOPIC_OR_PARTITION" - "closing session"
  • " SEVERE " - "closing session"
  • " severe " - "closing session"
  • " FATAL " - "closing session"
  • " fatal " - "closing session"

Now you have 5 different metrics. You can use metric math to sum them up, which will give you the metric you need. See here for how to use metric math:

1
votes

Try this Filter pattern:

[(w1="*UNKNOWN_TOPIC_OR_PARTITION*" || w1="*SEVERE*" || w1="*severe*" || w1="*FATAL*" || w1="*fatal*") && w1!="*closing session*"]