Match case-insensitive patterns when using CloudWatch Logs Insights
- Authors
- Name
- Tomasz Łakomy
- @tlakomy
👋
I found myself Googling (or rather - ChatGPTing) this one too many times so I decided to write it down.
If you're looking for errors in your CloudWatch Logs you can use CloudWatch Logs Insights to query your logs. One of the most commonly used commands is filter
which allows you to filter your logs that match one or more conditions, here's an example:
fields @timestamp, @message
| filter (range>3000 and accountId=123456789012)
| sort @timestamp desc
| limit 20
To be honest I rarely find myself using filter like this, but I often use it to filter logs that match a specific pattern, for example:
fields @timestamp, @message, @logStream, @log
| filter @message like /error/
Note the like
keyword here - this is a signal for CloudWatch Logs Insights to treat the pattern as a regular expression. (You can use =~
instead of like
if you want, e.g. filter @message =~ /error/
but I personally find it more confusing to read).
There is one problem with this query, suppose that our error log entry looks like this:
console.log({
message: "Error: cannot create user",
timestamp: new Date().toUTCString(),
requestId: faker.random.uuid(),
userId: faker.random.uuid(),
});
(Obviously don't use faker.random.uuid()
in prod, this is just an example).
If we type filter @message like /error/
we won't get any results because the pattern is case-sensitive. To make it case-insensitive we need to add (?i)
to the beginning of the pattern, like this:
fields @timestamp, @message, @logStream, @log
| filter @message like /(?i)error/
This will match error
, Error
, ERROR
or even eRroR
and we'll get the results we're looking for.
Additional tip:
One more thing - if you want to filter all logs that are not errors (e.g. if you don't want to ruin your weekend), you can use not like
syntax, like this:
fields @timestamp, @message, @logStream, @log
| filter @message not like /(?i)error/
Tired of switching between AWS console tabs? 😒
Cloudash provides clear access to CloudWatch logs and metrics, to help you make quicker decisions.
Try it for free: