Filter logs by a timestamp range with CloudWatch Logs Insights
- Tomasz Łakomy
Let's admit it - no one looks at logs for fun.
Usually when you look at logs, you're looking for something specific. Maybe you're looking for a specific error message, or maybe you're looking for a specific request ID. At times, you're not sure which request failed and you're looking for a specific time range.
Filtering by timestamp in CloudWatch Logs Insights (e.g. 2022-11-12T11:15:31.331+01:00) is not trivial. For instance, this won't work:
fields @timestamp, @message | display @timestamp, millis, @message | filter @timestamp > '2022-11-12T11:15:31.331+01:00'
To quote AWS docs:
Currently, CloudWatch Logs Insights doesn't support filtering logs with human readable timestamps.
Instead you need to convert the timestamp to milliseconds and then filter by that:
fields @timestamp, @message | fields tomillis(@timestamp) as millis | display @timestamp, millis, @message | filter millis > <timestamp_in_milliseconds>
This query will return all log entries that were created after the specified timestamp.
You may find Epoch Converter useful to convert a human-readable timestamp to an epoch timestamp. For instance:
Saturday, 12 November 2022 09:15:41 is 1668244541000 in epoch.
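The conversion can also be scripted instead of done by hand. The following is an added example, not code from the original post: it converts ISO 8601 timestamps to epoch milliseconds and goes one step beyond the query above by emitting a filter with both a lower and an upper bound. The function names `to_epoch_millis` and `build_range_query` are hypothetical, and the sample window is constructed from the two timestamps mentioned in the post.

```python
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_epoch_millis(ts: str) -> int:
    """Convert an ISO 8601 timestamp with an explicit offset to epoch milliseconds."""
    if ts.endswith("Z"):  # fromisoformat() only accepts "Z" from Python 3.11
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        # Without an offset the instant is ambiguous; guessing a zone would
        # silently shift the search window, so refuse the input.
        raise ValueError(f"timestamp has no UTC offset: {ts!r}")
    delta = dt - EPOCH  # integer arithmetic avoids float rounding of the millis
    return delta.days * 86_400_000 + delta.seconds * 1000 + delta.microseconds // 1000


def build_range_query(start: str, end: str) -> str:
    """Build a Logs Insights query for start <= @timestamp < end."""
    start_ms, end_ms = to_epoch_millis(start), to_epoch_millis(end)
    if start_ms >= end_ms:
        raise ValueError("start must be earlier than end")
    return (
        "fields @timestamp, @message\n"
        "| fields tomillis(@timestamp) as millis\n"
        "| display @timestamp, millis, @message\n"
        f"| filter millis >= {start_ms} and millis < {end_ms}"
    )


if __name__ == "__main__":
    # Constructed sample window built from the two timestamps in the post.
    print(build_range_query("2022-11-12T09:15:41Z", "2022-11-12T11:15:31.331+01:00"))
```
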