For the most recent update on ongoing service disruptions affecting the AWS Middle East (UAE) Region (ME-CENTRAL-1), refer to the AWS Health Dashboard. For information on AWS Service migration, see How do I migrate my services to another region?
How can I create a CloudWatch line chart with multiple lines?
I have a CloudWatch log group called app. Events in this have a field called event_type, e.g. event_type: 'oom_restart'. These come from structured logs.
I want a line chart with multiple lines. Each line is for one event, e.g. a line for oom_restart. The x-axis is time, bucketed by e.g. 10 minutes. That line shows the number of oom_restart events in each 10-minute bucket.
The essential query is stats count(*) by event_type, bin(10m). The query should not hard-code the kinds of event. They should be taken from the logs themselves.
When I try to visualize this in CloudWatch logs, all I see is:
I would also accept a "Stacked area" chart, but it says the same thing - "No visualization available".
There's no documentation on the format expected by any of these visualizations. But I have discovered that both "Line" and "Stacked area" will allow multiple timeseries if the result is in the format:
bin(10m) e1 e2 e3 ...
2025-02-05T10:20:00.000Z 502 0 1
2025-02-05T10:10:00.000Z 12 50 1
So what I need is a way to transform from the following format into the above multiple-column format:
bin(10m) event_type count
2025-02-05T10:20:00.000Z e1 502
2025-02-05T10:10:00.000Z e1 12
2025-02-05T10:20:00.000Z e2 0
2025-02-05T10:10:00.000Z e2 50
2025-02-05T10:20:00.000Z e3 1
2025-02-05T10:10:00.000Z e3 1
... but I can't find how to do that transform using CloudWatch query logs.
I also see that CloudWatch supports "OpenSearch PPL" and "OpenSearch SQL" queries. However, neither of these seem to provide a "wide column" output, either.
So: How can I create a CloudWatch line chart with multiple lines, where each line counts the frequency of one event type in the logs?
- Newest
- Most votes
- Most comments
To create a CloudWatch line chart with multiple lines, where each line represents the count of occurrences of a specific event type over time, you can use CloudWatch Logs Insights to query your logs and then visualize the results. Given your requirement to dynamically handle event types without hardcoding them, you'll need to construct a query that extracts unique event types and counts their occurrences over specified time intervals.
You can use CloudWatch Logs Insights to query your log group and group by event_type to get the count of events over time.
fields event_type | stats count() by event_type, bin(10m) would give you I suspect what you expect in the logs insights result pane, but doesn't allow visualization as a line chart, only as a bar chart - the line chart doesn't seem to support multiple lines according to the doc
There is an alternate solution, which involves using CloudWatch external data source queries: you can create a custom lambda that runs the Logs Insights query and returns multiple time series, this function can then be used with any visualization you like in any dashboard, including stacked lines, gauge, etc.
Relevant content
- asked 3 years ago
- AWS OFFICIALUpdated a year ago
Thanks - can you show me a query that would do that? I'm using CloudWatch Logs Insights, but I don't see how to group by event_type using this query language.