Cloudwatch Logs Insights scans the whole LogGroup, even when filtered to a specific LogStream

0

I am using Cloudwatch Logs Insights in this manner:

     fields @timestamp, @message, @logStream, @log
     | filter @logStream='xxxxxxxx'
     | filter field1="yyyyyyy"
     | sort @timestamp desc
     | limit 20

When I run this query, I expect only the logStream='xxxxxxxx' to be scanned. However, CloudWatch Insights scans the entire logGroup. This makes every query very very expensive.

Is there a way to limit the data scanned to only a specific logStream?

vmit
已提问 4 个月前392 查看次数
2 回答
1

Based on your question, you are trying to restrict the way the Logs Insights query data and you want to query only specific log stream. CloudWatch Logs Insights primarily allows you to query and analyze data at Log Group level. In another words, it operates on log groups rather than individual log streams.

If you want to analyze data from specific log stream, I highly suggest you to export your logs (and log streams) to Amazon S3 and query data using Athena.

See this: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.html#S3PermissionsConsole and https://aws.amazon.com/blogs/aws/amazon-athena-interactive-sql-queries-for-data-in-amazon-s3/

If you find this useful, please accepted the answer.

Regards

AWS
Takeda
已回答 4 个月前
1

At present, the factors that govern CloudWatch Logs Insights scan size are:

  1. Log Group selection
  2. Time range selection

Filtering is done post-scan, so the filter by log group criteria does not limit the scanned volume. Your options for reducing Logs Insights scan volume within CloudWatch are to either 1/ limit the time range selection 2/ consider mapping data within your Log Group to multiple Log Groups.

Matt T
已回答 4 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则