
Summary of CloudWatch Logs Insights queries

Posted at 2021-11-30

Background and purpose

  • I cannot get CloudWatch Logs Insights queries to do what I expect, so I am studying them.

Contents

Handling JSON-format logs

Preparation

  • Prepare the following log events.

(image: the sample log events prepared for the test)

Verification

1. Default query

  • First, run the default query as-is.
fields @timestamp, @message
| sort @timestamp desc
| limit 20
  • Result
-----------------------------------------------------
|       timestamp        |        message         |
|-------------------------|-------------------------|
| 2021-11-24 14:09:30.882 | {"id":3,"name":"zzzzz"} |
| 2021-11-24 14:09:18.371 | {"id":2,"name":"yyyyy"} |
| 2021-11-24 14:08:58.528 | {"id":1,"name":"xxxxx"} |
-----------------------------------------------------

2. filter

fields @timestamp, @message
| filter @message like /"name":"xxxxx"/
| sort @timestamp desc
| limit 20
  • Result
-----------------------------------------------------
|       timestamp        |        message         |
|-------------------------|-------------------------|
| 2021-11-24 14:08:58.528 | {"id":1,"name":"xxxxx"} |
-----------------------------------------------------

3. Adding fields

  • Add ingestionTime.
  • ingestionTime is the time at which the event was added to the log stream.
fields @timestamp, @ingestionTime, @logStream, @message, @log
| sort @timestamp desc
| limit 20

  • Result
------------------------------------------------------------------------------------------------------------------------------------
|       timestamp        |     ingestionTime      | logStream |        message         |                 log                  |
|-------------------------|-------------------------|------------|-------------------------|---------------------------------------|
| 2021-11-24 14:09:30.882 | 2021-11-24 14:09:31.267 | pattern1   | {"id":3,"name":"zzzzz"} | 012345678901:/cloudwatch/insight/test |
| 2021-11-24 14:09:18.371 | 2021-11-24 14:09:18.895 | pattern1   | {"id":2,"name":"yyyyy"} | 012345678901:/cloudwatch/insight/test |
| 2021-11-24 14:08:58.528 | 2021-11-24 14:09:02.269 | pattern1   | {"id":1,"name":"xxxxx"} | 012345678901:/cloudwatch/insight/test |
------------------------------------------------------------------------------------------------------------------------------------

4. parse

Working version

fields @timestamp, @ingestionTime, @logStream, @message, @log
| parse @message  "\"id\":*," as id
| sort @timestamp desc
| limit 20

  • Result
-----------------------------------------------------------------------------------------------------------------------------------------
|       @timestamp        |     @ingestionTime      | @logStream |        @message         |                 @log                  | id |
|-------------------------|-------------------------|------------|-------------------------|---------------------------------------|----|
| 2021-11-24 14:09:30.882 | 2021-11-24 14:09:31.267 | pattern1   | {"id":3,"name":"zzzzz"} | 012345678901:/cloudwatch/insight/test | 3  |
| 2021-11-24 14:09:18.371 | 2021-11-24 14:09:18.895 | pattern1   | {"id":2,"name":"yyyyy"} | 012345678901:/cloudwatch/insight/test | 2  |
| 2021-11-24 14:08:58.528 | 2021-11-24 14:09:02.269 | pattern1   | {"id":1,"name":"xxxxx"} | 012345678901:/cloudwatch/insight/test | 1  |
-----------------------------------------------------------------------------------------------------------------------------------------

Trial and error

  • Extracting a value from inside the JSON message does not work as expected.
  • The value cannot be cut out cleanly unless the pattern also includes the delimiter that follows the JSON field; otherwise the wildcard runs to the end of the message.
fields @timestamp, @ingestionTime, @logStream, @message, @log
| parse @message  "\"name\":*" as name
| sort @timestamp desc
| limit 20

  • Result
-----------------------------------------------------------------------------------------------------------------------------------------------
|       @timestamp        |     @ingestionTime      | @logStream |        @message         |                 @log                  |   name   |
|-------------------------|-------------------------|------------|-------------------------|---------------------------------------|----------|
| 2021-11-24 14:09:30.882 | 2021-11-24 14:09:31.267 | pattern1   | {"id":3,"name":"zzzzz"} | 012345678901:/cloudwatch/insight/test | "zzzzz"} |
| 2021-11-24 14:09:18.371 | 2021-11-24 14:09:18.895 | pattern1   | {"id":2,"name":"yyyyy"} | 012345678901:/cloudwatch/insight/test | "yyyyy"} |
| 2021-11-24 14:08:58.528 | 2021-11-24 14:09:02.269 | pattern1   | {"id":1,"name":"xxxxx"} | 012345678901:/cloudwatch/insight/test | "xxxxx"} |
-----------------------------------------------------------------------------------------------------------------------------------------------
  • As above, the value cannot be cut out cleanly unless the delimiter that follows the JSON field is included in the pattern.
fields @timestamp, @ingestionTime, @logStream, @message, @log
| parse @message  "\"id\":*" as id
| sort @timestamp desc
| limit 20
  • Result
--------------------------------------------------------------------------------------------------------------------------------------------------------
|       @timestamp        |     @ingestionTime      | @logStream |        @message         |                 @log                  |        id         |
|-------------------------|-------------------------|------------|-------------------------|---------------------------------------|-------------------|
| 2021-11-24 14:09:30.882 | 2021-11-24 14:09:31.267 | pattern1   | {"id":3,"name":"zzzzz"} | 012345678901:/cloudwatch/insight/test | 3,"name":"zzzzz"} |
| 2021-11-24 14:09:18.371 | 2021-11-24 14:09:18.895 | pattern1   | {"id":2,"name":"yyyyy"} | 012345678901:/cloudwatch/insight/test | 2,"name":"yyyyy"} |
| 2021-11-24 14:08:58.528 | 2021-11-24 14:09:02.269 | pattern1   | {"id":1,"name":"xxxxx"} | 012345678901:/cloudwatch/insight/test | 1,"name":"xxxxx"} |
--------------------------------------------------------------------------------------------------------------------------------------------------------
fields @timestamp, @ingestionTime, @logStream, @message, @log
| parse @message  "id" as id
| sort @timestamp desc
| limit 20
  • Result
----------------------------------------------------------------------------------------------------------------------------------------------------------
|       @timestamp        |     @ingestionTime      | @logStream |        @message         |                 @log                  |         id          |
|-------------------------|-------------------------|------------|-------------------------|---------------------------------------|---------------------|
| 2021-11-24 14:09:30.882 | 2021-11-24 14:09:31.267 | pattern1   | {"id":3,"name":"zzzzz"} | 012345678901:/cloudwatch/insight/test | ":3,"name":"zzzzz"} |
| 2021-11-24 14:09:18.371 | 2021-11-24 14:09:18.895 | pattern1   | {"id":2,"name":"yyyyy"} | 012345678901:/cloudwatch/insight/test | ":2,"name":"yyyyy"} |
| 2021-11-24 14:08:58.528 | 2021-11-24 14:09:02.269 | pattern1   | {"id":1,"name":"xxxxx"} | 012345678901:/cloudwatch/insight/test | ":1,"name":"xxxxx"} |
----------------------------------------------------------------------------------------------------------------------------------------------------------

5. stats

count

  • Count the events per id.
fields @timestamp, @ingestionTime, @logStream, @message, @log
| parse @message  "\"id\":*," as parsed_id
| stats count(*) by parsed_id
| sort @parsed_id asc
| limit 20
  • Result
------------------------
| parsed_id | count(*) |
|-----------|----------|
| 3         | 1        |
| 2         | 1        |
| 1         | 1        |
------------------------
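To try a parse pattern against sample messages offline before running it in the console, here is an added Python helper (not from the article or from AWS). It reproduces the glob behaviour observed in section 4 by approximating `*` as described in its docstring (an assumption, not the AWS implementation), also accepts an Insights-style regex with `(?<name>...)` groups, which does not depend on a trailing delimiter, and mirrors the `stats count(*) by` step of section 5 with `count_by`.

```python
"""Offline preview of CloudWatch Logs Insights `parse` patterns (added example)."""
import re
from collections import Counter

# Constructed sample messages: the same three JSON events the article queries.
MESSAGES = ['{"id":3,"name":"zzzzz"}', '{"id":2,"name":"yyyyy"}', '{"id":1,"name":"xxxxx"}']


def glob_to_regex(pattern, names):
    """Approximate an Insights glob as a Python regex (assumption, not the AWS
    implementation): literal text matches exactly, a `*` followed by text stops
    at that text, and a trailing `*` runs to the end of the message."""
    parts = pattern.split("*")
    if len(parts) - 1 != len(names):
        raise ValueError("number of * must equal number of field names")
    regex = re.escape(parts[0])
    for name, literal in zip(names, parts[1:]):
        wildcard = ".*?" if literal else ".*"
        regex += f"(?P<{name}>{wildcard})" + re.escape(literal)
    return re.compile(regex)


def insights_regex(pattern):
    """Translate Insights `(?<name>...)` groups to Python `(?P<name>...)`;
    lookbehinds `(?<=` and `(?<!` are left untouched."""
    return re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", pattern))


def preview(regex, messages=MESSAGES):
    """Apply a compiled pattern to every message, like `parse @message`."""
    rows = []
    for msg in messages:
        match = regex.search(msg)
        rows.append(match.groupdict() if match else {})
    return rows


def count_by(rows, field):
    """Local equivalent of `stats count(*) by <field>`."""
    return dict(Counter(row[field] for row in rows if field in row))


if __name__ == "__main__":
    # Article's failing glob: nothing follows *, so it swallows the rest.
    print(preview(glob_to_regex('"name":*', ["name"])))
    # Working glob: the comma after * terminates the capture.
    print(preview(glob_to_regex('"id":*,', ["id"])))
    # Regex with a named group needs no trailing delimiter.
    print(preview(insights_regex(r'"name":"(?<name>[^"]+)"')))
    print(count_by(preview(glob_to_regex('"id":*,', ["id"])), "id"))
```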

Discussion

  • I need to look further into how to extract values from JSON.

Conclusion

References

Supported logs and discovered fields
