Filter logs by a timestamp range with CloudWatch Logs Insights

Let's admit it - no one looks at logs for fun.

Usually when you look at logs, you're looking for something specific. Maybe you're looking for a specific error message, or maybe you're looking for a specific request ID. At times, you're not sure which request failed and you're looking for a specific time range.

Filtering by timestamp in CloudWatch Logs Insights (e.g. 2022-11-12T11:15:31.331+01:00) is not trivial, for instance this won't work:

fields @timestamp, @message
| display @timestamp, millis, @message
| filter @timestamp > '2022-11-12T11:15:31.331+01:00'

To quote AWS docs:

Currently, CloudWatch Logs Insights doesn't support filtering logs with human readable timestamps.

Instead you need to convert the timestamp to milliseconds and then filter by that:

fields @timestamp, @message
| fields tomillis(@timestamp) as millis
| display @timestamp, millis, @message
| filter millis > <timestamp_in_milliseconds>

This query will return all log entries that were created after the specified timestamp.

You may find Epoch Converter useful to convert a human-readable timestamp to an epoch timestamp. For instance: Saturday, 12 November 2022 09:15:41 is 1668244541000 in epoch.