Supported logs and discovered fields
CloudWatch Logs Insights supports different log types. For every log that's sent to a Standard class log group in Amazon CloudWatch Logs, CloudWatch Logs Insights automatically generates five system fields:
-
@messagecontains the raw unparsed log event. This is the equivalent to themessagefield in InputLogevent. -
@timestampcontains the event timestamp in the log event'stimestampfield. This is the equivalent to thetimestampfield in InputLogevent. -
@ingestionTimecontains the time when CloudWatch Logs received the log event. -
@logStreamcontains the name of the log stream that the log event was added to. Log streams group logs through the same process that generated them. -
@logis a log group identifier in the form ofaccount-id:log-group-name -
@entitycontains flattened JSON related to entities for the Explore related telemetry feature.For example, this JSON can represent an entity.
{ "Entity": { "KeyAttributes": { "Type": "Service", "Name": "PetClinic" }, "Attributes": { "PlatformType": "AWS::EC2", "EC2.InstanceId": "i-1234567890123" } } }For this entity, the extracted system fields would be the following:
@entity.KeyAttributes.Type = Service @entity.KeyAttributes.Name = PetClinic @entity.Attributes.PlatformType = AWS::EC2 @entity.Attributes.EC2.InstanceId = i-1234567890123
Note
Field discovery is supported only for log groups in the Standard log class. For more information about log classes, see Log classes.
CloudWatch Logs Insights inserts the @ symbol at the start of fields that it generates.
For many log types, CloudWatch Logs also automatically discovers the log fields contained in the logs. These automatic discovery fields are shown in the following table.
For other types of logs with fields that CloudWatch Logs Insights doesn't automatically discover, you
can use the parse command to extract and
create extracted fields for use in that query. For more information, see CloudWatch Logs Insights language query syntax.
If the name of a discovered log field starts with the @ character,
CloudWatch Logs Insights displays it with an additional @ appended to the beginning. For
example, if a log field name is @example.com, this field name is displayed
as @@example.com.
Note
Except for @message, @timestamp, or @log, you can create field indexes for discovered fields.
For more information about field indexes, see Create field indexes to improve query performance and reduce scan volume.
| Log type | Discovered log fields |
|---|---|
|
Amazon VPC flow logs |
|
|
RouteĀ 53 logs |
|
|
Lambda logs |
If a Lambda log line contains an X-Ray trace ID, it also includes the following fields:
CloudWatch Logs Insights automatically discovers log fields in Lambda logs, but only
for the first embedded JSON fragment in each log event. If a Lambda
log event contains multiple JSON fragments, you can parse and
extract the log fields by using the |
|
CloudTrail logs Logs in JSON format |
For more information, see Fields in JSON logs. |
|
Other log types |
|
Fields in JSON logs
With CloudWatch Logs Insights, you use dot notation to represent JSON fields. This section contains an example JSON event and code snippet that show how you can access JSON fields using dot notation.
Example: JSON event
{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn: aws: iam: : 123456789012: user/Alice", "accessKeyId": "EXAMPLE_KEY_ID", "accountId": "123456789012", "userName": "Alice" }, "eventTime": "2014-03-06T21: 22: 54Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances", "awsRegion": "us-east-2", "sourceIPAddress": "192.0.2.255", "userAgent": "ec2-api-tools1.6.12.2", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-abcde123" } ] } }, "responseElements": { "instancesSet": { "items": [ { "instanceId": "i-abcde123", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } } ] } } }
The example JSON event contains an object
that's named userIdentity.
userIdentity contains a field
that's named type.
To represent value of type using dot notation,
you use userIdentity.type.
The example JSON event contains arrays
that flatten
to lists
of nested field names and values.
To represent the value of instanceId
for the first item
in requestParameters.instancesSet,
you use requestParameters.instancesSet.items.0.instanceId.
The number 0
that's placed
before the field instanceID
refers to the position
of values
for the field items.
The following example contains a code snippet
that shows how you can access nested JSON fields
in a JSON log event.
Example: Query
fields @timestamp, @message | filter requestParameters.instancesSet.items.0.instanceId="i-abcde123" | sort @timestamp desc
The code snippet shows
a query
that uses dot notation
with the filter command
to access the value
of the nested JSON field instanceId.
The query filters
on messages
where the value
of instanceId equals "i-abcde123"
and returns all
of the log events
that contain the specified value.
Note
CloudWatch Logs Insights can extract a maximum
of 200 log event fields
from a JSON log.
For additional fields
that aren't extracted,
you can use the parse command
to extract the fields
from the raw unparsed log event
in the message field.
For more information about the parse command,
see Query syntax
in the Amazon CloudWatch User Guide.
