CloudWatch Logs Insights query syntax

With CloudWatch Logs Insights, you use a query language to query your log groups. The query syntax supports different functions and operations that include but aren't limited to general functions, arithmetic and comparison operations, and regular expressions.

To create queries that contain multiple commands, separate the commands with the pipe character (|).

To create queries that contain comments, set off the comments with the hash character (#).

Note

CloudWatch Logs Insights automatically discovers fields for different log types and generates fields that start with the @ character. For more information about these fields, see Supported logs and discovered fields in the Amazon CloudWatch User Guide.

The following table briefly describes each command. Following this table is a more comprehensive description of each command, with examples.

Note

All CloudWatch Logs Insights query commands are supported on log groups in the Standard log class. Log groups in the Infrequent Access log class support all query commands except pattern, diff, and unmask.

| Command | Description |
| --- | --- |
| display | Displays a specific field or fields in query results. |
| fields | Displays specific fields in query results and supports functions and operations you can use to modify field values and create new fields to use in your query. |
| filter | Filters the query to return only the log events that match one or more conditions. |
| pattern | Automatically clusters your log data into patterns. A pattern is a shared text structure that recurs among your log fields. CloudWatch Logs Insights provides ways for you to analyze the patterns found in your log events. For more information, see Pattern analysis. |
| diff | Compares the log events found in your requested time period with the log events from a previous time period of equal length, so that you can look for trends and find out if certain log events are new. |
| parse | Extracts data from a log field to create an extracted field that you can process in your query. parse supports both glob mode using wildcards, and regular expressions. |
| sort | Displays the returned log events in ascending (asc) or descending (desc) order. |
| stats | Calculates aggregate statistics using values in the log fields. |
| limit | Specifies a maximum number of log events that you want your query to return. Useful with sort to return "top 20" or "most recent 20" results. |
| dedup | Removes duplicate results based on specific values in fields that you specify. |
| unmask | Displays all the content of a log event that has some content masked because of a data protection policy. For more information about data protection in log groups, see Help protect sensitive log data with masking. |
| Other operations and functions | CloudWatch Logs Insights also supports many comparison, arithmetic, datetime, numeric, string, IP address, and general functions and operations. |
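
The following query is an added example, not part of the original documentation. It chains several of the commands described above with the pipe character and uses # comments. It assumes the queried log group receives CloudTrail events, so `eventName`, `errorMessage`, `sourceIPAddress`, and `userIdentity.userName` are CloudTrail record fields rather than anything defined on this page.

```logsinsights
# Added example: failed console sign-ins per source IP address.
# Assumes the log group contains CloudTrail events.
fields @timestamp, eventName, sourceIPAddress, userIdentity.userName
# Keep only console sign-in attempts that failed authentication
| filter eventName = "ConsoleLogin" and errorMessage = "Failed authentication"
# Aggregate per source address: attempt count and distinct user names tried
| stats count(*) as failures, count_distinct(userIdentity.userName) as users by sourceIPAddress
# Highest failure counts first, capped at the top 20 sources
| sort failures desc
| limit 20
```

A source address with many failures spread across several user names is worth reviewing before one with a few failures against a single account.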

The following sections provide more details about the CloudWatch Logs Insights query commands.