Sample queries - Amazon CloudWatch Logs

This is a machine translation of the English version. If the content is ambiguous or inconsistent, the English version prevails.

Sample queries

This section contains a list of general and useful query commands that you can run in the CloudWatch console. For information about how to run a query command, see Tutorial: Run and modify a sample query in the Amazon CloudWatch Logs User Guide.

For more information about the query syntax, see CloudWatch Logs Insights query syntax.

General queries

Find the 25 most recently added log events.

fields @timestamp, @message | sort @timestamp desc | limit 25

Get a list of the number of exceptions per hour.

filter @message like /Exception/ | stats count(*) as exceptionCount by bin(1h) | sort exceptionCount desc

Get a list of log events that are not exceptions.

fields @message | filter @message not like /Exception/

Get the most recent log event for each unique value of the server field.

fields @timestamp, server, severity, message | sort @timestamp asc | dedup server

Get the most recent log event for each unique value of the server field, for each severity type.

fields @timestamp, server, severity, message | sort @timestamp desc | dedup server, severity

Queries for Lambda logs

Determine the amount of overprovisioned memory.

filter @type = "REPORT" | stats max(@memorySize / 1000 / 1000) as provisionedMemoryMB, min(@maxMemoryUsed / 1000 / 1000) as smallestMemoryRequestMB, avg(@maxMemoryUsed / 1000 / 1000) as avgMemoryUsedMB, max(@maxMemoryUsed / 1000 / 1000) as maxMemoryUsedMB, provisionedMemoryMB - maxMemoryUsedMB as overProvisionedMB

Create a latency report.

filter @type = "REPORT" | stats avg(@duration), max(@duration), min(@duration) by bin(5m)

Search for slow function invocations and eliminate duplicate requests that can result from retries or client-side code. In this query, @duration is in milliseconds.

fields @timestamp, @requestId, @message, @logStream | filter @type = "REPORT" and @duration > 1000 | sort @timestamp desc | dedup @requestId | limit 20

Queries for Amazon VPC flow logs

Find the top 15 packet transfers across hosts:

stats sum(packets) as packetsTransferred by srcAddr, dstAddr | sort packetsTransferred desc | limit 15

Find the top 15 byte transfers for hosts on a specific subnet.

filter isIpv4InSubnet(srcAddr, "192.0.2.0/24") | stats sum(bytes) as bytesTransferred by dstAddr | sort bytesTransferred desc | limit 15

Find the IP addresses that use UDP as the data transfer protocol.

filter protocol=17 | stats count(*) by srcAddr

Find the IP addresses where flow records were skipped during the capture window.

filter logStatus="SKIPDATA" | stats count(*) by bin(1h) as t | sort t

Find a single record per connection to help troubleshoot network connectivity issues.

fields @timestamp, srcAddr, dstAddr, srcPort, dstPort, protocol, bytes | filter logStream = 'vpc-flow-logs' and interfaceId = 'eni-0123456789abcdef0' | sort @timestamp desc | dedup srcAddr, dstAddr, srcPort, dstPort, protocol | limit 20

Queries for Route 53 logs

Find the distribution of records per hour by query type.

stats count(*) by queryType, bin(1h)

Find the 10 DNS resolvers with the highest number of requests.

stats count(*) as numRequests by resolverIp | sort numRequests desc | limit 10

Find the number of records, by domain and subdomain, where the server failed to complete the DNS request.

filter responseCode="SERVFAIL" | stats count(*) by queryName

Queries for CloudTrail logs

Find the number of log entries for each service, event type, and AWS Region.

stats count(*) by eventSource, eventName, awsRegion

Find the Amazon EC2 hosts that were started or stopped in a given AWS Region.

filter (eventName="StartInstances" or eventName="StopInstances") and awsRegion="us-east-2"

Find the AWS Regions, user names, and ARNs of newly created IAM users.

filter eventName="CreateUser" | fields awsRegion, requestParameters.userName, responseElements.user.arn

Find the number of records where an exception occurred while invoking the UpdateTrail API.

filter eventName="UpdateTrail" and ispresent(errorCode) | stats count(*) by errorCode, errorMessage

Find log entries where TLS 1.0 or 1.1 was used.

filter tlsDetails.tlsVersion in [ "TLSv1", "TLSv1.1" ] | stats count(*) as numOutdatedTlsCalls by userIdentity.accountId, recipientAccountId, eventSource, eventName, awsRegion, tlsDetails.tlsVersion, tlsDetails.cipherSuite, userAgent | sort eventSource, eventName, awsRegion, tlsDetails.tlsVersion

Find the number of calls per service that used TLS version 1.0 or 1.1.

filter tlsDetails.tlsVersion in [ "TLSv1", "TLSv1.1" ] | stats count(*) as numOutdatedTlsCalls by eventSource | sort numOutdatedTlsCalls desc

Queries for Amazon API Gateway

Find the last 10 4XX errors.

fields @timestamp, status, ip, path, httpMethod | filter status>=400 and status<=499 | sort @timestamp desc | limit 10

Identify the 10 longest-running Amazon API Gateway requests in your Amazon API Gateway access log group.

fields @timestamp, status, ip, path, httpMethod, responseLatency | sort responseLatency desc | limit 10

Return a list of the most popular API paths in your Amazon API Gateway access log group.

stats count(*) as requestCount by path | sort requestCount desc | limit 10

Create an integration latency report for your Amazon API Gateway access log group.

filter status=200 | stats avg(integrationLatency), max(integrationLatency), min(integrationLatency) by bin(1m)

Queries for NAT gateways

If you notice that your AWS bill is higher than usual, you can use CloudWatch Logs Insights to find the top contributors. For more information about the following query commands, see How can I find the top contributors to traffic through the NAT gateway in my VPC? on the AWS Premium Support page.

Note

In the following query commands, replace "x.x.x.x" with the private IP of your NAT gateway, and replace "y.y" with the first two octets of your VPC CIDR range.

Find the instances that send the most traffic through your NAT gateway.

filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | sort bytesTransferred desc | limit 10

Determine the traffic that is going to and from the instances behind your NAT gateway.

filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') or (srcAddr like 'x.x.x.x' and dstAddr like 'y.y.') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | sort bytesTransferred desc | limit 10

Determine the internet destinations that the instances in your VPC communicate with most often, for uploads and downloads.

For uploads

filter (srcAddr like 'x.x.x.x' and dstAddr not like 'y.y.') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | sort bytesTransferred desc | limit 10

For downloads

filter (dstAddr like 'x.x.x.x' and srcAddr not like 'y.y.') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | sort bytesTransferred desc | limit 10
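As an added example (not part of the AWS documentation), the following Python helper fills in the placeholders for the four NAT gateway queries above from the NAT gateway's private IP and the VPC CIDR, validating both with the standard library before they reach a query. It deliberately replaces the 'y.y.' prefix match with isIpv4InSubnet(), the function used in the VPC flow logs section above, because like matches substrings (so '10.0.' would also match 110.0.x.x) and a two-octet prefix only describes a /16-aligned VPC; the exact = comparison on the NAT address and the not before isIpv4InSubnet() are this example's own choices.

```python
import ipaddress

# Four query purposes, matching the four NAT gateway queries in this section.
QUERY_KEYS = ("top_senders_to_nat", "traffic_to_and_from_nat",
              "top_upload_destinations", "top_download_sources")


def nat_gateway_queries(nat_private_ip, vpc_cidr, limit=10):
    """Return the four NAT gateway Logs Insights queries with placeholders filled.

    nat_private_ip: the NAT gateway's private IPv4 address (the page's x.x.x.x)
    vpc_cidr:       the VPC CIDR, e.g. "10.0.0.0/16" (replaces the page's y.y. prefix)
    Raises ValueError on malformed input or when the NAT IP is outside the VPC.
    """
    nat_ip = ipaddress.IPv4Address(nat_private_ip)        # rejects garbage input
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)    # rejects host bits set
    if nat_ip not in vpc:
        raise ValueError(f"NAT private IP {nat_ip} is not inside VPC CIDR {vpc}")

    nat = f'"{nat_ip}"'
    cidr = f'"{vpc}"'
    # Same aggregation tail as every query in this section.
    tail = (" | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr"
            f" | sort bytesTransferred desc | limit {int(limit)}")
    return {
        # Instances -> NAT: who sends the most through the gateway
        "top_senders_to_nat":
            f"filter dstAddr = {nat} and isIpv4InSubnet(srcAddr, {cidr}){tail}",
        # Both directions between VPC instances and the NAT gateway
        "traffic_to_and_from_nat":
            f"filter (dstAddr = {nat} and isIpv4InSubnet(srcAddr, {cidr}))"
            f" or (srcAddr = {nat} and isIpv4InSubnet(dstAddr, {cidr})){tail}",
        # NAT -> internet (uploads): destinations outside the VPC
        "top_upload_destinations":
            f"filter srcAddr = {nat} and not isIpv4InSubnet(dstAddr, {cidr}){tail}",
        # internet -> NAT (downloads): sources outside the VPC
        "top_download_sources":
            f"filter dstAddr = {nat} and not isIpv4InSubnet(srcAddr, {cidr}){tail}",
    }


if __name__ == "__main__":
    # Constructed sample values; substitute your own NAT IP and VPC CIDR.
    for name, query in nat_gateway_queries("10.0.1.5", "10.0.0.0/16").items():
        print(f"{name}:\n  {query}\n")
```

The returned strings can be passed unchanged as the queryString of a StartQuery call against the flow log group of the NAT gateway's network interface.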

Queries for Apache server logs

You can use CloudWatch Logs Insights to query Apache server logs. For more information about the following queries, see Simplifying Apache server logs with Amazon CloudWatch Logs Insights on the AWS Cloud Operations & Migrations Blog.

View the most relevant fields to review access logs and check for traffic to the /admin path of your application.

fields @timestamp, remoteIP, request, status, filename | sort @timestamp desc | filter filename="/var/www/html/admin" | limit 20

Find the number of unique GET requests that accessed the main page with a status code of "200" (success).

fields @timestamp, remoteIP, method, status | filter status="200" and referrer="http://34.250.27.141/" and method="GET" | stats count_distinct(remoteIP) as UniqueVisits | limit 10

Find the number of times the Apache service restarted.

fields @timestamp, function, process, message | filter message like "resuming normal operations" | sort @timestamp desc | limit 20

Queries for Amazon EventBridge

Get the number of events grouped by EventBridge event detail type.

fields @timestamp, @message | stats count(*) as numberOfEvents by `detail-type` | sort numberOfEvents desc

Examples of the parse command

Use a glob expression to extract the fields @user, @method, and @latency from the log field @message, and return the average latency for each unique combination of @method and @user.

parse @message "user=*, method:*, latency := *" as @user, @method, @latency | stats avg(@latency) by @method, @user

Use a regular expression to extract the fields @user2, @method2, and @latency2 from the log field @message, and return the average latency for each unique combination of @method2 and @user2.

parse @message /user=(?<user2>.*?), method:(?<method2>.*?), latency := (?<latency2>.*?)/ | stats avg(latency2) by @method2, @user2

Extract the fields loggingTime, loggingType, and loggingMessage, filter for log events that contain the ERROR or INFO strings, and then display only the loggingMessage and loggingType fields for events that contain the ERROR string.

FIELDS @message | PARSE @message "* [*] *" as loggingTime, loggingType, loggingMessage | FILTER loggingType IN ["ERROR", "INFO"] | DISPLAY loggingMessage, loggingType = "ERROR" as isError
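To make concrete what the glob and regular-expression forms of parse above compute, here is an added Python emulation (not AWS code) that translates the glob pattern "user=*, method:*, latency := *" into the equivalent named-group regex, the same shape as the (?<name>.*?) groups in the regex query, and then runs the stats avg(@latency) by @method, @user aggregation over a few constructed log messages. The sample messages and the fixed field names user, method and latency are this example's assumptions.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample @message values (not from the page), in the shape the
# parse patterns above expect. The last one does not match on purpose.
SAMPLE_MESSAGES = [
    "user=alice, method:GET, latency := 120",
    "user=bob, method:POST, latency := 340",
    "user=alice, method:GET, latency := 80",
    "user=carol, method:PUT, latency := 500",
    "health check ok",
]

GLOB_PATTERN = "user=*, method:*, latency := *"
FIELD_NAMES = ["user", "method", "latency"]


def glob_to_regex(glob_pattern, names):
    """Translate a Logs Insights glob parse pattern into a named-group regex.

    Each '*' becomes a non-greedy named capture (?P<name>.*?), mirroring the
    (?<name>.*?) groups of the regular-expression form of parse. Literal text
    between the wildcards is escaped so it matches exactly.
    """
    parts = glob_pattern.split("*")
    if len(parts) - 1 != len(names):
        raise ValueError("number of '*' wildcards must equal number of field names")
    regex = re.escape(parts[0])
    for name, literal in zip(names, parts[1:]):
        regex += f"(?P<{name}>.*?)" + re.escape(literal)
    # Anchor at end of message so the final non-greedy group consumes the rest.
    return re.compile(regex + "$")


def parse_and_average(messages, glob_pattern, names):
    """Emulate: parse @message <glob> as user, method, latency | stats avg(latency) by method, user.

    Returns {(method, user): average_latency}. Events that do not match the
    pattern yield no fields and therefore contribute nothing to the stats.
    """
    pattern = glob_to_regex(glob_pattern, names)
    by_key = defaultdict(list)
    for msg in messages:
        m = pattern.search(msg)
        if not m:
            continue
        f = m.groupdict()
        by_key[(f["method"], f["user"])].append(float(f["latency"]))
    return {key: mean(values) for key, values in by_key.items()}


if __name__ == "__main__":
    for (method, user), avg in sorted(parse_and_average(SAMPLE_MESSAGES, GLOB_PATTERN, FIELD_NAMES).items()):
        print(f"{method:5} {user:6} avg latency {avg:.1f}")
```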