AWS: Get CloudWatch Logs by Query
Availability
This workflow action is available on our Business and Enterprise for Incident Management pricing plans. Please contact our Sales Team to upgrade to an account with this action.
Description
Retrieve AWS CloudWatch logs by running a CloudWatch Logs Insights query. This action allows you to search and analyze log data from one or more log groups using the CloudWatch Logs Insights query syntax. This action is useful for:
- Investigating errors or exceptions during an incident by searching application logs
- Retrieving recent deployment logs to identify potential issues
- Analyzing API request logs to identify patterns or problematic requests
- Gathering diagnostic information from multiple log groups in a single query
- Creating automated runbooks that pull relevant log data based on incident characteristics
Instructions
- If you have not done so already, please follow our instructions to Create an Incident Workflow.
- When the instructions prompt you to add actions, select this action.
- Enter the following Inputs and then click Save. Continue following instructions to Publish the Workflow. When the action runs, you will see the Outputs listed below.
Inputs
Field References
Fields with the {+} icon accept Field References, which can be useful for referencing incident data or outputs created in prior workflow steps. To add Field References, click {+}, or enter `{{`, and select relevant fields. Please see our Field References article for more information.
Name | Description |
---|---|
Integration | Select a Workflow Integration or click New AWS Connection to establish a new one. |
Search Query | Enter the CloudWatch Logs Insights query to run. For example: `fields @timestamp, @message`. |
Region | The AWS region where your log groups are located. If left blank, the action uses `us-east-1` as the default. |
Log Group Names | Enter the names of the log groups to query, separated by commas. For example: `/aws/lambda/my-function,/aws/lambda/another-function`. |
Start Time | Enter the start time for the query in ISO 8601 format. For example: `2023-01-01T00:00:00Z`. |
End Time | Enter the end time for the query in ISO 8601 format. For example: `2023-01-01T01:00:00Z`. |
Function name | Enter the name of the Lambda function to invoke. |
Human Readable Logs | If `true`, the JSON output will be pretty printed for easier reading. |
Result Limit | Enter the maximum number of log events to return. Default is `100`, maximum is `1000`. |
Outputs
Name | Description |
---|---|
Logs | Raw JSON of the logs returned from the query. Reference this field in a subsequent action, such as Slack: Send a Channel Notification or Add a Note to the Incident. |
Log Count | The number of log events returned from the query. |
Log Groups Count | The number of log groups that were queried. |
Query Used | The query string that was used to fetch the logs. |
Time Range Start | The start time used for the query. |
Time Range End | The end time used for the query. |
Query ID | The ID of the query job in AWS CloudWatch. |
Search Status | The status of the query job (e.g., Complete, Running, Failed). |
Has More Results | Indicates if there are more results available beyond the result limit. Returns `true` or `false`. |
Next Token | Token to use to fetch the next set of results if there are more results available. A null response means that Has More Results is false or you didn't include @timestamp in your CloudWatch query. Note: You may miss some results if logs are being ingested rapidly. |
Search Duration | The duration of the query in milliseconds (rounded to the nearest second). |
Result | Value that shows if the action was successful or not. Either "Success" or "Failed." |
Result Summary | Brief description of what the action did or if it failed. |
Error | Brief description that is populated if the action failed. |
Tips
- Query Syntax: CloudWatch Logs Insights uses a specific query syntax. Use the `fields`, `filter`, `sort`, and `stats` commands to refine your search. See AWS Documentation for details.
- Time Ranges: For recent incidents, consider using Field References to dynamically set the start time based on the incident's creation time.
- Result Limits: If your query returns more results than the limit, use the Next Token output to fetch additional results in a subsequent workflow step.
- Include @timestamp: To enable pagination with Next Token, ensure your query includes the `@timestamp` field using `fields @timestamp` or `fields @timestamp, @message`.
- Testing Queries: Test your CloudWatch Logs Insights queries in the AWS Console before adding them to your workflow to ensure they return the expected results.
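The following is an added example, not PagerDuty's or AWS's code, showing what the action's inputs and outputs correspond to at the CloudWatch Logs Insights API level: the inputs are validated and converted into the parameters the `logs` API's `start_query` call takes (ISO 8601 times become epoch seconds, the comma-separated log group list becomes an array, the result limit is capped at 1000), the query is polled with `get_query_results` until it reaches a terminal status, and outputs in the style of the table above (Log Count, Has More Results, Next Token) are derived from the rows. The `FakeLogsClient` and `SAMPLE_EVENTS` are constructed so the example runs offline; in production you would pass `boto3.client("logs", region_name=region)` instead. How the real action computes Has More Results and Next Token is not described on this page; this example's choice (limit reached, and the last row's `@timestamp` as a continuation point for the next Start Time) is an assumption that matches the tip that `@timestamp` must be in the query and that rapidly ingested logs can be missed.

```python
"""Added example (not PagerDuty's or AWS's code): run a CloudWatch Logs Insights
query from the action's inputs and derive action-style outputs from the rows."""
import json
import time
from datetime import datetime, timezone

DEFAULT_RESULT_LIMIT = 100      # page: default is 100
MAX_RESULT_LIMIT = 1000         # page: maximum is 1000
# Terminal statuses returned by GetQueryResults.
TERMINAL_STATUSES = {"Complete", "Failed", "Cancelled", "Timeout", "Unknown"}


def iso8601_to_epoch(value: str) -> int:
    """Convert an ISO 8601 time such as 2023-01-01T00:00:00Z to epoch seconds (UTC)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_query_params(query, log_group_names, start_time, end_time, limit=None):
    """Validate the action's inputs and build the keyword arguments for start_query."""
    groups = [g.strip() for g in log_group_names.split(",") if g.strip()]
    if not groups:
        raise ValueError("at least one log group name is required")
    limit = DEFAULT_RESULT_LIMIT if limit is None else int(limit)
    if not 1 <= limit <= MAX_RESULT_LIMIT:
        raise ValueError(f"result limit must be between 1 and {MAX_RESULT_LIMIT}")
    start, end = iso8601_to_epoch(start_time), iso8601_to_epoch(end_time)
    if start >= end:
        raise ValueError("start time must be before end time")
    return {"logGroupNames": groups, "startTime": start, "endTime": end,
            "queryString": query, "limit": limit}


def run_insights_query(client, params, poll_seconds=1.0, max_wait_seconds=60):
    """Start the query and poll until it is in a terminal status.
    client: a boto3 'logs' client or any object exposing start_query/get_query_results."""
    query_id = client.start_query(**params)["queryId"]
    deadline = time.monotonic() + max_wait_seconds
    while True:
        response = client.get_query_results(queryId=query_id)
        if response["status"] in TERMINAL_STATUSES:
            break
        if time.monotonic() > deadline:
            raise TimeoutError(f"query {query_id} still {response['status']}")
        time.sleep(poll_seconds)
    # Each result row is a list of {"field": ..., "value": ...} pairs; flatten it.
    rows = [{f["field"]: f["value"] for f in row} for row in response["results"]]
    return query_id, response["status"], rows


def summarize(params, query_id, status, rows, human_readable=False):
    """Derive outputs in the style of the action's output table (assumed logic)."""
    has_more = len(rows) >= params["limit"]
    next_token = None
    if has_more and rows and "@timestamp" in rows[-1]:
        # Insights renders @timestamp as "YYYY-MM-DD HH:MM:SS.mmm" (UTC); convert it to
        # ISO 8601 so it can be fed straight back into Start Time. Assumes the query
        # sorts by @timestamp ascending, so the last row is the latest one seen.
        last = datetime.strptime(rows[-1]["@timestamp"], "%Y-%m-%d %H:%M:%S.%f")
        next_token = last.replace(tzinfo=timezone.utc).isoformat()
    return {
        "Logs": json.dumps(rows, indent=2 if human_readable else None),
        "Log Count": len(rows),
        "Log Groups Count": len(params["logGroupNames"]),
        "Query Used": params["queryString"],
        "Query ID": query_id,
        "Search Status": status,
        "Has More Results": has_more,
        "Next Token": next_token,
    }


# Constructed sample events, in the shape Insights returns for fields @timestamp, @message.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-01-01 00:01:00.000", "@message": "ERROR timeout calling payments"},
    {"@timestamp": "2023-01-01 00:03:30.000", "@message": "ERROR retries exhausted"},
    {"@timestamp": "2023-01-01 00:05:00.000", "@message": "INFO recovered"},
]


class FakeLogsClient:
    """Constructed stand-in for boto3.client('logs'): reports Running once, then Complete."""

    def __init__(self, events):
        self._events, self._polls, self.last_params = events, 0, None

    def start_query(self, **params):
        self.last_params = params
        return {"queryId": "constructed-query-id"}

    def get_query_results(self, queryId):
        self._polls += 1
        if self._polls == 1:
            return {"queryId": queryId, "status": "Running", "results": []}
        page = self._events[: self.last_params["limit"]]
        results = [[{"field": k, "value": v} for k, v in row.items()] for row in page]
        return {"queryId": queryId, "status": "Complete", "results": results}


def demo(limit=3, human_readable=True):
    """Run the full flow against the fake client with the page's example inputs."""
    params = build_query_params(
        "fields @timestamp, @message | sort @timestamp asc",
        "/aws/lambda/my-function,/aws/lambda/another-function",
        "2023-01-01T00:00:00Z", "2023-01-01T01:00:00Z", limit)
    query_id, status, rows = run_insights_query(FakeLogsClient(SAMPLE_EVENTS), params, poll_seconds=0)
    return summarize(params, query_id, status, rows, human_readable)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With a limit of 3 and three sample events, `demo()` reports Has More Results as `true` and a Next Token of `2023-01-01T00:05:00+00:00`, which a subsequent workflow step could place in Start Time; with a larger limit both fall back to `false` and `null`.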