pattern - Amazon CloudWatch Logs
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

pattern

Use pattern to automatically cluster your log data into patterns.

A pattern is shared text structure that recurs among your log fields. You can use pattern to surface emerging trends, monitor known errors, and identify frequently occurring or high-cost log lines. CloudWatch Logs Insights also provides a console experience you can use to find and further analyze patterns in your log events. For more information, see Pattern analysis.

Because the pattern command automatically identifies common patterns, you can use it as a starting point to search and analyze yours logs. You can also combine pattern with the filter, parse, or sort commands to identify patterns in more fine-tuned queries.

Pattern Command Input

The pattern command expects one of the following inputs: the @message field, an extracted field created using the parse command, or a string manipulated using one or more String functions.

Pattern Command Output

The pattern command produces the following output:

  • @pattern: A shared text structure that recurs among your log event fields. Fields that vary within a pattern, such as a request ID or timestamp, are represented by <*>. For example, [INFO] Request time: <*> ms is a potential output for the log message [INFO] Request time: 327 ms.

  • @ratio: The ratio of log events from a selected time period and specified log groups that match an identified pattern. For example, if half of the log events in the selected log groups and time period match the pattern, @ratio returns 0.50

  • @sampleCount: A count of the number of log events from a selected time period and specified log groups that match an identified pattern.

  • @severityLabel: The log severity or level, which indicates the type of information contained in a log. For example, Error, Warning, Info, or Debug.

Examples

The following command identifies logs with similar structures in specified log group(s) over the selected time range, grouping them by pattern and count

pattern @message

The pattern command can be used in combination with the filter command

filter @message like /ERROR/
| pattern @message

The pattern command can be use with the parse and sort commands

filter @message like /ERROR/
| parse @message 'Failed to do: *' as cause
| pattern cause
| sort @sampleCount asc