@dsmrt
Last active December 14, 2023 11:27
Using the AWS CLI to query CloudWatch Logs with Insights, looking back from 30 minutes ago to now.
#!/usr/bin/env bash
# this script queries aws logs with insights filtering on ERROR
# explanation of start and end times
#--start-time = unix timestamp 30 mins in the past (date -v is BSD/macOS syntax; on GNU/Linux use: date -d '-30 minutes' +%s)
#--end-time = unix timestamp now
# Insights commands must be separated by a pipe: 'fields ... | filter ...'
QUERY_ID=$(aws logs start-query \
--profile "$profile" \
--log-group-name /aws/lambda/aap-event-consumer-dev \
--start-time `date -v-30M "+%s"` \
--end-time `date "+%s"` \
--query-string 'fields @message | filter @message like /ERROR/' \
| jq -r '.queryId')
echo "Query started (query id: $QUERY_ID), please hold ..." && sleep 5 # give it some time to query; results may still be partial if status is not Complete
aws --profile "$profile" logs get-query-results --query-id "$QUERY_ID"
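An added example, not part of the gist or its comments: a POSIX sh version of the same start-query / get-query-results flow. It computes the 30-minute lookback on both BSD/macOS date (-v) and GNU date (-d), which is the portability problem discussed in the comments below; it takes the query id with `--query queryId --output text` instead of jq (the JMESPath approach from the comments), and it polls `get-query-results` until the status leaves Scheduled/Running rather than sleeping a fixed 5 seconds. The profile, log group name and query string are assumptions supplied by the caller, and nothing is sent to AWS unless RUN_QUERY=1 is set.

```shell
#!/usr/bin/env sh
# Added example: portable wrapper around start-query / get-query-results.
# Assumptions: `aws` is on PATH and the profile/log group are set by the caller.

# Unix timestamp N minutes ago, on both BSD/macOS date (-v) and GNU date (-d).
minutes_ago() {
    mins="$1"
    if date -v-1M +%s >/dev/null 2>&1; then
        date -v-"${mins}"M +%s            # BSD / macOS date
    else
        date -d "-${mins} minutes" +%s    # GNU / Linux date
    fi
}

# Extract the top-level "status" field from get-query-results JSON on stdin
# (Scheduled, Running, Complete, Failed, Cancelled, ...) without needing jq.
query_status() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p' | head -n 1
}

# Returns 0 (true) when the status means the query is still in progress.
is_pending() {
    case "$1" in
        Scheduled|Running) return 0 ;;
        *) return 1 ;;
    esac
}

# Start an Insights query and poll until it finishes; prints the final result
# JSON and succeeds only if the query reached Complete.
run_insights_query() {
    profile="$1"; log_group="$2"; query="$3"; lookback="${4:-30}"
    query_id=$(aws --profile "$profile" logs start-query \
        --log-group-name "$log_group" \
        --start-time "$(minutes_ago "$lookback")" \
        --end-time "$(date +%s)" \
        --query-string "$query" \
        --output text --query queryId) || return 1
    echo "Query started (id: $query_id), polling ..." >&2
    while :; do
        result=$(aws --profile "$profile" logs get-query-results --query-id "$query_id") || return 1
        status=$(printf '%s' "$result" | query_status)
        is_pending "$status" || break
        sleep 2
    done
    printf '%s\n' "$result"
    [ "$status" = Complete ]
}

# Only talk to AWS when explicitly asked, e.g.:
#   RUN_QUERY=1 AWS_PROFILE=clientProfile LOG_GROUP=/aws/lambda/my-function sh script.sh
# The default log group name below is a placeholder, not a real one.
if [ "${RUN_QUERY:-0}" = 1 ]; then
    run_insights_query "${AWS_PROFILE:-default}" "${LOG_GROUP:-/aws/lambda/my-function}" \
        'fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 50'
fi
```

Polling on the status field matters because get-query-results returns whatever has been collected so far: a fixed sleep can hand back a partial result set with status Running and silently hide the errors you were looking for.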
@dsmrt
Author

dsmrt commented Feb 13, 2019

This will return a query id. Use that to pull the actual logs like so:

 aws --profile clientProfile logs get-query-results --query-id <query-id>

@dsmrt
Author

dsmrt commented Feb 13, 2019

Example of querying error level:

aws logs start-query \
 --profile clientProfile \
 --log-group-name MY-LOG_GROUP \
 --start-time `date -v-30M "+%s"` \
 --end-time `date "+%s"` \
 --query-string 'fields @message | filter @message like /\[error\]/'

@nari1021

nari1021 commented Jun 22, 2022

@dsmrt

aws logs start-query \
 --profile clientProfile \
 --log-group-name MY-LOG_GROUP \
 --start-time `date -d -30minutes +%s` \
 --end-time `date +%s` \
 --query-string 'fields @message | filter @message like /\[error\]/'

@HieronyM

HieronyM commented Oct 26, 2022

Got this error when trying the script:

aws: error: argument --start-time: invalid int value: 'date -v-30M "+%s"'

I'm using this awscli version aws-cli/2.0.26 Python/3.7.3 Linux/4.14.181-140.257.amzn2.x86_64 botocore/2.0.0dev30

@dsmrt
Author

dsmrt commented Oct 26, 2022

👋 @HieronyM This works on my Mac: date -d -30minutes +%s . I believe it's the BSD version of date. You may want to verify that works. If not, use another way to convert the last 30 mins into a unix timestamp.

@dsmrt
Author

dsmrt commented Oct 26, 2022

I updated the gist to start and get the query.

@HieronyM

HieronyM commented Oct 27, 2022

Thanks @dsmrt ,

it works now, I think I have some typos previously.
Btw I'm wondering, did you ever try to export the query result to S3?

@samirkape

jq can be replaced with a JMESPath query:

--query queryId

QUERY_ID=$(aws logs start-query \
 --profile "$profile" \
 --log-group-name /aws/lambda/aap-event-consumer-dev \
 --start-time `date -v-30M "+%s"` \
 --end-time `date "+%s"` \
 --query-string 'fields @message filter @message like /ERROR/' \
 --query queryId --output text) # --output text strips the JSON quotes so $QUERY_ID is the bare id

@samirkape

Also, I had to change the query-string

from

'fields @message filter @message like /ERROR/'

to

'fields @message | filter level like "error"'
