

This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# Sample queries
<a name="CWL_QuerySyntax-examples"></a>

This section lists general and useful query commands that you can run in the [CloudWatch console](https://console.aws.amazon.com/cloudwatch/). For information about how to run a query command, see [Tutorial: Run and modify a sample query](https://docs.aws.amazon.com/en_us/AmazonCloudWatch/latest/logs/CWL_AnalyzeLogData_RunSampleQuery.html) in the *Amazon CloudWatch Logs User Guide*.

For more information about query syntax, see [CloudWatch Logs Insights language query syntax](CWL_QuerySyntax.md).

**Topics**
+ [General queries](#CWL_QuerySyntax-examples-general)
+ [Queries for Lambda logs](#CWL_QuerySyntax-examples-Lambda)
+ [Queries for Amazon VPC flow logs](#CWL_QuerySyntax-examples-VPC)
+ [Queries for Route 53 logs](#CWL_QuerySyntax-examples-Route53)
+ [Queries for CloudTrail logs](#CWL_QuerySyntax-examples-CloudTrail)
+ [Queries for Amazon API Gateway](#CWL_QuerySyntax-examples-APIGateway)
+ [Queries for NAT gateways](#CWL_QuerySyntax-examples-NATGateway)
+ [Queries for Apache server logs](#CWL_QuerySyntax-examples-Apache)
+ [Queries for Amazon EventBridge](#CWL_QuerySyntax-examples-EventBridge)
+ [Examples of the parse command](#CWL_QuerySyntax-examples-parse)

## General queries
<a name="CWL_QuerySyntax-examples-general"></a>

**Find the 25 most recently added log events.**

```
fields @timestamp, @message | sort @timestamp desc | limit 25
```

**Get a list of the number of exceptions per hour.**

```
filter @message like /Exception/ 
    | stats count(*) as exceptionCount by bin(1h)
    | sort exceptionCount desc
```

**Get a list of log events that are not exceptions.**

```
fields @message | filter @message not like /Exception/
```

**Get the most recent log event for each unique value of the `server` field.**

```
fields @timestamp, server, severity, message
| sort @timestamp desc
| dedup server
```

**Get the most recent log event for each unique value of the `server` field for each `severity` type.**

```
fields @timestamp, server, severity, message 
| sort @timestamp desc 
| dedup server, severity
```
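The introduction points to the console tutorial for running a query; the same queries can be run from code through the CloudWatch Logs API. The following is an added example (not from the AWS documentation) that submits the exceptions-per-hour query from this section with boto3's `start_query` and `get_query_results`, polls until the query finishes, and flattens each result row into a plain dict. The log group name and the 24-hour window are assumptions you replace for your own account.

```python
"""Run a CloudWatch Logs Insights query from Python and flatten the results.

Added example, not from the AWS documentation. It uses the real boto3
CloudWatch Logs calls start_query / get_query_results / stop_query; the log
group name and the time window are assumptions.
"""
import time

# Query taken from the "General queries" section above.
EXCEPTIONS_PER_HOUR = """
filter @message like /Exception/
    | stats count(*) as exceptionCount by bin(1h)
    | sort exceptionCount desc
"""


def query_window(hours_back, end_epoch=None):
    """Return (startTime, endTime) as integer epoch seconds, the form
    start_query expects; the window ends now unless end_epoch is given."""
    end = int(end_epoch if end_epoch is not None else time.time())
    return end - hours_back * 3600, end


def flatten_results(results):
    """get_query_results returns each row as a list of {'field', 'value'}
    dicts; turn every row into a dict keyed by field name and drop the
    internal @ptr record pointer."""
    rows = []
    for row in results:
        rows.append({cell["field"]: cell["value"] for cell in row if cell["field"] != "@ptr"})
    return rows


def run_insights_query(log_group, query_string, hours_back=24,
                       poll_seconds=2, timeout_seconds=120):
    """Start the query, poll until it reaches a terminal status, and return
    the flattened rows. Raises if the query fails or exceeds the timeout."""
    import boto3  # imported here so the helpers above work without boto3 installed
    logs = boto3.client("logs")
    start, end = query_window(hours_back)
    query_id = logs.start_query(
        logGroupName=log_group, startTime=start, endTime=end, queryString=query_string
    )["queryId"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        response = logs.get_query_results(queryId=query_id)
        status = response["status"]
        if status in ("Complete", "Failed", "Cancelled", "Timeout", "Unknown"):
            break
        if time.monotonic() > deadline:
            logs.stop_query(queryId=query_id)  # do not leave the query running
            raise TimeoutError(f"query {query_id} still {status} after {timeout_seconds}s")
        time.sleep(poll_seconds)
    if status != "Complete":
        raise RuntimeError(f"query {query_id} ended with status {status}")
    return flatten_results(response["results"])


if __name__ == "__main__":
    # Assumed log group name; replace it with one in your account.
    for row in run_insights_query("/aws/lambda/my-function", EXCEPTIONS_PER_HOUR):
        print(row)
```

`get_query_results` keeps returning `Running` or `Scheduled` until the query finishes, so the loop only reads `results` once the status is terminal; the caller needs `logs:StartQuery`, `logs:GetQueryResults` and `logs:StopQuery` permissions on the log group.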

## Queries for Lambda logs
<a name="CWL_QuerySyntax-examples-Lambda"></a>

**Determine the amount of overprovisioned memory.**

```
filter @type = "REPORT"
    | stats max(@memorySize / 1000 / 1000) as provisionedMemoryMB,
        min(@maxMemoryUsed / 1000 / 1000) as smallestMemoryRequestMB,
        avg(@maxMemoryUsed / 1000 / 1000) as avgMemoryUsedMB,
        max(@maxMemoryUsed / 1000 / 1000) as maxMemoryUsedMB,
        provisionedMemoryMB - maxMemoryUsedMB as overProvisionedMB
```

**Create a latency report.**

```
filter @type = "REPORT" |
    stats avg(@duration), max(@duration), min(@duration) by bin(5m)
```

**Search for slow function invocations and eliminate duplicate requests that can result from retries or client-side code. In this query, `@duration` is in milliseconds.**

```
fields @timestamp, @requestId, @message, @logStream 
| filter @type = "REPORT" and @duration > 1000
| sort @timestamp desc
| dedup @requestId 
| limit 20
```

## Queries for Amazon VPC flow logs
<a name="CWL_QuerySyntax-examples-VPC"></a>

**Find the top 15 packet transfers across hosts:**

```
stats sum(packets) as packetsTransferred by srcAddr, dstAddr
    | sort packetsTransferred  desc
    | limit 15
```

**Find the top 15 byte transfers for hosts on a given subnet.**

```
filter isIpv4InSubnet(srcAddr, "192.0.2.0/24")
    | stats sum(bytes) as bytesTransferred by dstAddr
    | sort bytesTransferred desc
    | limit 15
```

**Find the IP addresses that use UDP as the data transfer protocol.**

```
filter protocol=17 | stats count(*) by srcAddr
```

**Find the IP addresses where flow records were skipped during the capture window.**

```
filter logStatus="SKIPDATA"
    | stats count(*) by bin(1h) as t
    | sort t
```

**Find a single record per connection to help troubleshoot network connectivity issues.**

```
fields @timestamp, srcAddr, dstAddr, srcPort, dstPort, protocol, bytes 
| filter logStream = 'vpc-flow-logs' and interfaceId = 'eni-0123456789abcdef0' 
| sort @timestamp desc 
| dedup srcAddr, dstAddr, srcPort, dstPort, protocol 
| limit 20
```
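To see what the subnet, UDP and SKIPDATA queries in this section actually select, the following added example (not from the AWS documentation) evaluates the same logic over a handful of constructed flow log lines in the default flow log format. `is_ipv4_in_subnet` models the query language's `isIpv4InSubnet()`, and the hour bucketing models `bin(1h)`; the subnet, account ID and ENI ID are made-up placeholders.

```python
"""Evaluate the VPC flow log queries from this section over sample records.

Added example, not from the AWS documentation. The flow log lines are
constructed in the default (version 2) format; subnet, account and ENI
values are placeholders.
"""
import ipaddress
from collections import Counter

# Constructed sample lines. Default flow log field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# Records with log-status SKIPDATA carry '-' in the traffic fields.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0123456789abcdef0 192.0.2.10 203.0.113.5 49152 443 6 120 98000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 192.0.2.11 203.0.113.5 49153 443 6 20 15000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 192.0.2.10 198.51.100.7 53000 53 17 4 512 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.9 192.0.2.10 53 53000 17 4 600 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000059 - SKIPDATA
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700003600 1700003659 - SKIPDATA
2 123456789012 eni-0123456789abcdef0 10.0.0.5 203.0.113.5 40000 443 6 300 250000 1700000000 1700000059 ACCEPT OK
"""

FIELDS = ("version", "accountId", "interfaceId", "srcAddr", "dstAddr", "srcPort",
          "dstPort", "protocol", "packets", "bytes", "start", "end", "action", "logStatus")


def parse_flow_log(text):
    """Split each space-separated line into a dict keyed by the Logs Insights
    field names; numeric columns become int, or None where the record has '-'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for key in ("protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key]) if rec[key] != "-" else None
        records.append(rec)
    return records


def is_ipv4_in_subnet(addr, cidr):
    """Model of isIpv4InSubnet(): False for '-' or anything that is not IPv4."""
    try:
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(cidr)
    except ValueError:
        return False


def top_byte_transfers_from_subnet(records, cidr, limit=15):
    """filter isIpv4InSubnet(srcAddr, cidr) | stats sum(bytes) by dstAddr
    | sort desc | limit."""
    totals = Counter()
    for rec in records:
        if rec["bytes"] is not None and is_ipv4_in_subnet(rec["srcAddr"], cidr):
            totals[rec["dstAddr"]] += rec["bytes"]
    return totals.most_common(limit)


def udp_sources(records):
    """filter protocol=17 | stats count(*) by srcAddr."""
    return Counter(rec["srcAddr"] for rec in records if rec["protocol"] == 17)


def skipdata_per_hour(records):
    """filter logStatus="SKIPDATA" | stats count(*) by bin(1h): buckets keyed
    by the record start time truncated to the hour, in ascending order."""
    buckets = Counter()
    for rec in records:
        if rec["logStatus"] == "SKIPDATA":
            buckets[rec["start"] - rec["start"] % 3600] += 1
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(top_byte_transfers_from_subnet(recs, "192.0.2.0/24"))
    print(udp_sources(recs))
    print(skipdata_per_hour(recs))
```

SKIPDATA records have no addresses or byte counts, which is why the byte and UDP aggregations skip them and only the capture-window query counts them; a non-zero count there means flow records are missing and any top-talker figure for that hour is a lower bound.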

## Queries for Route 53 logs
<a name="CWL_QuerySyntax-examples-Route53"></a>

**Find the distribution of records per hour by query type.**

```
stats count(*) by queryType, bin(1h)
```

**Find the 10 DNS resolvers with the highest number of requests.**

```
stats count(*) as numRequests by resolverIp
    | sort numRequests desc
    | limit 10
```

**Find the number of records by domain and subdomain where the server failed to complete the DNS request.**

```
filter responseCode="SERVFAIL" | stats count(*) by queryName
```

## Queries for CloudTrail logs
<a name="CWL_QuerySyntax-examples-CloudTrail"></a>

**Find the number of log entries for each service, event type, and AWS Region.**

```
stats count(*) by eventSource, eventName, awsRegion
```

**Find the Amazon EC2 hosts that were started or stopped in a given AWS Region.**

```
filter (eventName="StartInstances" or eventName="StopInstances") and awsRegion="us-east-2"
```

**Find the AWS Regions, user names, and ARNs of newly created IAM users.**

```
filter eventName="CreateUser"
    | fields awsRegion, requestParameters.userName, responseElements.user.arn
```

**Find the number of records where an exception occurred while invoking the `UpdateTrail` API.**

```
filter eventName="UpdateTrail" and ispresent(errorCode)
    | stats count(*) by errorCode, errorMessage
```

**Find log entries where TLS 1.0 or 1.1 was used**

```
filter tlsDetails.tlsVersion in [ "TLSv1", "TLSv1.1" ]
| stats count(*) as numOutdatedTlsCalls by userIdentity.accountId, recipientAccountId, eventSource, eventName, awsRegion, tlsDetails.tlsVersion, tlsDetails.cipherSuite, userAgent
| sort eventSource, eventName, awsRegion, tlsDetails.tlsVersion
```

**Find the number of calls per service that used TLS version 1.0 or 1.1**

```
filter tlsDetails.tlsVersion in [ "TLSv1", "TLSv1.1" ]
| stats count(*) as numOutdatedTlsCalls by eventSource
| sort numOutdatedTlsCalls desc
```
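The two TLS queries above filter on the nested `tlsDetails.tlsVersion` field and then group either on the full set of caller attributes or only on `eventSource`. The following added example (not from the AWS documentation) applies the same filter and both groupings to a few constructed CloudTrail-style JSON records, including one with no `tlsDetails` at all, which the `in [...]` test leaves out exactly as the query does.

```python
"""Flag CloudTrail records made over TLS 1.0/1.1, as the two queries above do.

Added example, not from the AWS documentation. The records are constructed;
the field names follow the CloudTrail event schema used by the queries.
"""
import json
from collections import Counter

OUTDATED_TLS = {"TLSv1", "TLSv1.1"}

# Fields the first query groups by, in the order it lists them.
GROUP_FIELDS = ("userIdentity.accountId", "recipientAccountId", "eventSource", "eventName",
                "awsRegion", "tlsDetails.tlsVersion", "tlsDetails.cipherSuite", "userAgent")

# Constructed CloudTrail-style records, serialized as a log group would hold them.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"accountId": "123456789012"}, "recipientAccountId": "123456789012",
     "userAgent": "aws-sdk-java/1.11.0",
     "tlsDetails": {"tlsVersion": "TLSv1.1", "cipherSuite": "ECDHE-RSA-AES128-SHA"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"accountId": "123456789012"}, "recipientAccountId": "123456789012",
     "userAgent": "aws-sdk-java/1.11.0",
     "tlsDetails": {"tlsVersion": "TLSv1.1", "cipherSuite": "ECDHE-RSA-AES128-SHA"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "awsRegion": "us-east-1",
     "userIdentity": {"accountId": "123456789012"}, "recipientAccountId": "123456789012",
     "userAgent": "aws-sdk-go/1.44.0",
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "eu-west-1",
     "userIdentity": {"accountId": "123456789012"}, "recipientAccountId": "210987654321",
     "userAgent": "aws-cli/1.16.0",
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "AES128-SHA"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "awsRegion": "us-east-1",
     "userIdentity": {"accountId": "123456789012"}, "recipientAccountId": "123456789012",
     "userAgent": "console.amazonaws.com"},  # no tlsDetails: never matches the filter
]]


def get_path(record, dotted):
    """Resolve a dotted field name such as tlsDetails.tlsVersion; None if absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def outdated_tls_calls(events):
    """filter tlsDetails.tlsVersion in ["TLSv1", "TLSv1.1"]
    | stats count(*) as numOutdatedTlsCalls by <GROUP_FIELDS>."""
    counts = Counter()
    for raw in events:
        rec = json.loads(raw)
        if get_path(rec, "tlsDetails.tlsVersion") in OUTDATED_TLS:
            counts[tuple(get_path(rec, f) for f in GROUP_FIELDS)] += 1
    return counts


def outdated_tls_by_service(events):
    """Same filter | stats count(*) as numOutdatedTlsCalls by eventSource
    | sort numOutdatedTlsCalls desc."""
    counts = Counter()
    for raw in events:
        rec = json.loads(raw)
        if get_path(rec, "tlsDetails.tlsVersion") in OUTDATED_TLS:
            counts[rec["eventSource"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for key, n in outdated_tls_calls(SAMPLE_EVENTS).items():
        print(n, dict(zip(GROUP_FIELDS, key)))
    print(outdated_tls_by_service(SAMPLE_EVENTS))
```

The per-service view tells you which AWS service endpoints still receive old-TLS calls; the full grouping adds the account, user agent and cipher suite so you can trace each count back to the client that needs updating.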

## Queries for Amazon API Gateway
<a name="CWL_QuerySyntax-examples-APIGateway"></a>

**Find the last 10 4XX errors**

```
fields @timestamp, status, ip, path, httpMethod
| filter status>=400 and status<=499
| sort @timestamp desc
| limit 10
```

**Identify the 10 longest-running Amazon API Gateway requests in your Amazon API Gateway access log group**

```
fields @timestamp, status, ip, path, httpMethod, responseLatency
| sort responseLatency desc
| limit 10
```

**Return a list of the most popular API paths in your Amazon API Gateway access log group**

```
stats count(*) as requestCount by path
| sort requestCount desc
| limit 10
```

**Create an integration latency report for your Amazon API Gateway access log group**

```
filter status=200
| stats avg(integrationLatency), max(integrationLatency), 
min(integrationLatency) by bin(1m)
```

## Queries for NAT gateways
<a name="CWL_QuerySyntax-examples-NATGateway"></a>

If you notice higher than normal costs in your AWS bill, you can use CloudWatch Logs Insights to find the top contributors. For more information about the following query commands, see [How do I find the top contributors to traffic through the NAT gateway in my VPC?](https://aws.amazon.com/premiumsupport/knowledge-center/vpc-find-traffic-sources-nat-gateway/) on the AWS Premium Support page.

**Note**  
In the following query commands, replace "x.x.x.x" with the private IP address of your NAT gateway, and replace "y.y." with the first two octets of your VPC CIDR range.

**See the instances that are sending the most traffic through the NAT gateway.**

```
filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') 
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
```

**Determine the traffic going to and from the instances through the NAT gateway.**

```
filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') or (srcAddr like 'x.x.x.x' and dstAddr like 'y.y.')
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
```

**Determine the internet destinations that the instances in your VPC communicate with most often for uploads and downloads.**

**For uploads**

```
filter (srcAddr like 'x.x.x.x' and dstAddr not like 'y.y.') 
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
```

**For downloads**

```
filter (dstAddr like 'x.x.x.x' and srcAddr not like 'y.y.') 
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
```
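The four NAT gateway queries above distinguish the same traffic directions by string matching: `like 'y.y.'` with a plain string is a substring test, so it also matches addresses that merely contain those octets (for example `110.0.` contains `10.0.`), and `like 'x.x.x.x'` also matches longer addresses that start with the gateway's IP. The following added example (not from the AWS documentation) classifies the same flows using exact CIDR membership and an exact gateway address instead, over constructed flow records; the gateway IP, VPC CIDR and addresses are placeholders.

```python
"""Classify VPC flow records around a NAT gateway into the four buckets the
queries above use, with exact CIDR membership instead of substring `like`.

Added example, not from the AWS documentation. The NAT gateway IP, VPC CIDR
and flow records are constructed placeholders.
"""
import ipaddress
from collections import Counter

NAT_GATEWAY_IP = ipaddress.IPv4Address("10.0.0.5")  # assumed private IP of the NAT gateway ("x.x.x.x")
VPC_CIDR = ipaddress.IPv4Network("10.0.0.0/16")     # assumed VPC CIDR (the page's "y.y.")

# Constructed (srcAddr, dstAddr, bytes) records from the NAT gateway ENI's flow log.
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 500_000),       # instance -> NAT gateway
    ("10.0.1.20", "10.0.0.5", 250_000),
    ("10.0.2.30", "10.0.0.5", 100_000),
    ("10.0.0.5", "10.0.1.20", 4_000_000),     # NAT gateway -> instance
    ("10.0.0.5", "203.0.113.10", 700_000),    # NAT gateway -> internet (upload)
    ("10.0.0.5", "198.51.100.7", 50_000),
    ("203.0.113.10", "10.0.0.5", 3_900_000),  # internet -> NAT gateway (download)
    ("110.0.1.9", "10.0.0.5", 1_000),         # contains "10.0." but is outside the VPC
]


def in_vpc(addr):
    """Exact CIDR membership, the check `srcAddr like 'y.y.'` approximates."""
    return ipaddress.IPv4Address(addr) in VPC_CIDR


def classify(src, dst):
    """Map one flow to the bucket each query above selects, or None."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if dst_ip == NAT_GATEWAY_IP and in_vpc(src):
        return "instance_to_nat"          # first query: instances sending the most traffic
    if src_ip == NAT_GATEWAY_IP and in_vpc(dst):
        return "nat_to_instance"          # second query's return leg
    if src_ip == NAT_GATEWAY_IP and not in_vpc(dst):
        return "upload_to_internet"       # "For uploads"
    if dst_ip == NAT_GATEWAY_IP and not in_vpc(src):
        return "download_from_internet"   # "For downloads"
    return None


def top_talkers(flows, bucket, limit=10):
    """stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
    | sort bytesTransferred desc | limit, restricted to one bucket."""
    totals = Counter()
    for src, dst, nbytes in flows:
        if classify(src, dst) == bucket:
            totals[(src, dst)] += nbytes
    return totals.most_common(limit)


if __name__ == "__main__":
    for bucket in ("instance_to_nat", "nat_to_instance", "upload_to_internet", "download_from_internet"):
        print(bucket, top_talkers(SAMPLE_FLOWS, bucket))
```

The `110.0.1.9` record lands in the download bucket here because it is outside the VPC; a substring match on `10.0.` would have counted it as an internal instance. In Logs Insights itself, `isIpv4InSubnet(srcAddr, "10.0.0.0/16")` gives the same exact membership test and is the better choice over `like` when the VPC CIDR is known.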

## Queries for Apache server logs
<a name="CWL_QuerySyntax-examples-Apache"></a>

You can use CloudWatch Logs Insights to query Apache server logs. For more information about the following queries, see [Simplifying Apache server logs with Amazon CloudWatch Logs Insights](https://aws.amazon.com/blogs/mt/simplifying-apache-server-logs-with-amazon-cloudwatch-logs-insights/) on the AWS Cloud Operations & Migrations blog.

**See the most relevant fields so you can review access logs and check for traffic to the */admin* path of your application.**

```
fields @timestamp, remoteIP, request, status, filename
| sort @timestamp desc
| filter filename="/var/www/html/admin"
| limit 20
```

**Find the number of unique GET requests that accessed the main page with a status code of "200" (success).**

```
fields @timestamp, remoteIP, method, status
| filter status="200" and referrer="http://34.250.27.141/" and method="GET"
| stats count_distinct(remoteIP) as UniqueVisits
| limit 10
```

**Find the number of times the Apache service restarted.**

```
fields @timestamp, function, process, message
| filter message like "resuming normal operations"
| sort @timestamp desc
| limit 20
```

## Queries for Amazon EventBridge
<a name="CWL_QuerySyntax-examples-EventBridge"></a>

**Get the number of EventBridge events grouped by event detail type**

```
fields @timestamp, @message
| stats count(*) as numberOfEvents by `detail-type`
| sort numberOfEvents desc
```

## Examples of the parse command
<a name="CWL_QuerySyntax-examples-parse"></a>

**Use a glob expression to extract the fields `@user`, `@method`, and `@latency` from the log field `@message` and return the average latency for each unique combination of `@method` and `@user`.**

```
parse @message "user=*, method:*, latency := *" as @user,
    @method, @latency | stats avg(@latency) by @method,
    @user
```

**Use a regular expression to extract the fields `user2`, `method2`, and `latency2` from the log field `@message` and return the average latency for each unique combination of `method2` and `user2`. Named capture groups create fields with exactly the group's name, so the later commands refer to them without an `@` prefix.**

```
parse @message /user=(?<user2>.*?), method:(?<method2>.*?),
    latency := (?<latency2>.*?)/ | stats avg(latency2) by method2,
    user2
```

**Extract the fields `loggingTime`, `loggingType`, and `loggingMessage`, filter for log events that contain the `ERROR` or `INFO` strings, and then display only the `loggingMessage` and `loggingType` fields for events that contain the `ERROR` string.**

```
FIELDS @message
    | PARSE @message "* [*] *" as loggingTime, loggingType, loggingMessage
    | FILTER loggingType IN ["ERROR", "INFO"]
    | DISPLAY loggingMessage, loggingType = "ERROR" as isError
```
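The three `parse` examples in this section rely on two matching modes: a glob in which every `*` captures the text between the surrounding literals, and a regular expression with named capture groups. The following added example (not from the AWS documentation) models both modes in Python and runs them over constructed messages, reproducing the `stats avg(...) by ...` and the `FILTER ... IN` / `DISPLAY ... as isError` steps. `glob_to_regex` is an assumed model of the glob form (one lazy group per `*`, literals matched verbatim, anchored to the whole message); Python spells named groups `(?P<name>...)` where the query language uses `(?<name>...)`.

```python
"""Model the parse command's glob and regex forms on constructed log lines.

Added example, not from the AWS documentation. glob_to_regex() is an assumed
model of parse's glob matching; the messages are constructed.
"""
import re
from collections import defaultdict

# Constructed messages for the two "user=..., method:..., latency := ..." queries.
SAMPLE_MESSAGES = [
    "user=alice, method:GET, latency := 120",
    "user=bob, method:POST, latency := 300",
    "user=alice, method:GET, latency := 80",
    "user=carol, method:PUT, latency := 45",
    "heartbeat ok",  # no match: parse leaves the extracted fields empty
]

# Constructed events for the "* [*] *" query.
SAMPLE_LOG_EVENTS = [
    "2024-01-01T10:00:00Z [INFO] service started",
    "2024-01-01T10:00:05Z [ERROR] upstream timeout",
    "2024-01-01T10:00:09Z [DEBUG] cache miss",
    "2024-01-01T10:00:12Z [ERROR] upstream timeout",
]

# Regex form of the second query; Python needs (?P<name>...) for named groups.
REGEX_FORM = re.compile(r"user=(?P<user2>.*?), method:(?P<method2>.*?), latency := (?P<latency2>.*?)$")


def glob_to_regex(glob):
    """'user=*, method:*, latency := *' -> '^user=(.*?), method:(.*?), latency := (.*?)$'.
    Literal text is escaped, each '*' becomes a lazy capture group."""
    parts = [re.escape(p) for p in glob.split("*")]
    return re.compile("^" + "(.*?)".join(parts) + "$")


def parse_glob(message, glob, names):
    """Model of `parse @message "<glob>" as <names>`; unmatched rows get None fields."""
    m = glob_to_regex(glob).match(message)
    if not m:
        return dict.fromkeys(names)
    return dict(zip(names, m.groups()))


def parse_regex(message):
    """Model of `parse @message /<regex with named groups>/`."""
    m = REGEX_FORM.search(message)
    return m.groupdict() if m else None


def avg_latency_by_method_user(messages):
    """parse ... as user, method, latency | stats avg(latency) by method, user."""
    samples = defaultdict(list)
    for msg in messages:
        row = parse_glob(msg, "user=*, method:*, latency := *", ("user", "method", "latency"))
        if row["latency"] is not None:  # stats ignores rows where the field is missing
            samples[(row["method"], row["user"])].append(float(row["latency"]))
    return {key: sum(v) / len(v) for key, v in samples.items()}


def error_flags(events):
    """PARSE @message "* [*] *" as loggingTime, loggingType, loggingMessage
    | FILTER loggingType IN ["ERROR", "INFO"]
    | DISPLAY loggingMessage, loggingType = "ERROR" as isError"""
    out = []
    for ev in events:
        row = parse_glob(ev, "* [*] *", ("loggingTime", "loggingType", "loggingMessage"))
        if row["loggingType"] in ("ERROR", "INFO"):
            out.append({"loggingMessage": row["loggingMessage"],
                        "isError": row["loggingType"] == "ERROR"})
    return out


if __name__ == "__main__":
    print(avg_latency_by_method_user(SAMPLE_MESSAGES))
    print(parse_regex(SAMPLE_MESSAGES[1]))
    print(error_flags(SAMPLE_LOG_EVENTS))
```

The unmatched `heartbeat ok` line shows why the glob form is safer than it looks: `parse` does not drop non-matching events, it yields empty fields, so an aggregation that assumes every row matched will silently average over fewer events than were scanned.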