filterIndex compared to filter - Amazon CloudWatch Logs
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

filterIndex compared to filter

To illustrate the difference between filterIndex and filter, consider the following example queries. Assume that you have created a field index for IPaddress, for four of your log groups, but not for a fifth log group. The following query using filterIndex will skip scanning the log group that doesn't have the field indexed. For each indexed log group, it attempts to scan only log events that have the indexed field, and it also returns only results from after the field index was created.

fields @timestamp, @message 
| filterIndex IPaddress = "198.51.100.0" 
| limit 20

In contrast, if you use filter instead of filterIndex for a query of the same five log groups, the query will attempt to scan not only the log events that contain the value in the indexed log groups, but will also scan the fifth log group that isn't indexed, and it will scan every log event in that fifth log group.

fields @timestamp, @message 
| filter IPaddress = "198.51.100.0" 
| limit 20