Match case-insensitive patterns when using CloudWatch Logs Insights

👋

I found myself Googling (or rather - ChatGPTing) this one too many times so I decided to write it down.

If you're looking for errors in your CloudWatch Logs you can use CloudWatch Logs Insights to query your logs. One of the most commonly used commands is filter which allows you to filter your logs that match one or more conditions, here's an example:

fields @timestamp, @message
| filter (range>3000 and accountId=123456789012)
| sort @timestamp desc
| limit 20

To be honest I rarely find myself using filter like this, but I often use it to filter logs that match a specific pattern, for example:

fields @timestamp, @message, @logStream, @log
| filter @message like /error/

Note the like keyword here - this is a signal for CloudWatch Logs Insights to treat the pattern as a regular expression. (You can use =~ instead of like if you want, e.g. filter @message =~ /error/ but I personally find it more confusing to read).

There is one problem with this query, suppose that our error log entry looks like this:

console.log({
  message: "Error: cannot create user",
  timestamp: new Date().toUTCString(),
  requestId: faker.random.uuid(),
  userId: faker.random.uuid(),
});

(Obviously don't use faker.random.uuid() in prod, this is just an example).

If we type filter @message like /error/ we won't get any results because the pattern is case-sensitive. To make it case-insensitive we need to add (?i) to the beginning of the pattern, like this:

fields @timestamp, @message, @logStream, @log
| filter @message like /(?i)error/

This will match error, Error, ERROR or even eRroR and we'll get the results we're looking for.

Additional tip:

One more thing - if you want to filter all logs that are not errors (e.g. if you don't want to ruin your weekend), you can use not like syntax, like this:

fields @timestamp, @message, @logStream, @log
| filter @message not like /(?i)error/