The latest articles on DEV Community by Luke (@lroberts). https://dev.to/lroberts https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F145079%2F73b4ae86-8f3a-47b6-9392-ebbca6a633b8.jpg https://dev.to/lroberts en Luke Mon, 13 Jul 2020 10:58:51 +0000 https://dev.to/lroberts/master-cloudwatch-with-insights-coc https://dev.to/lroberts/master-cloudwatch-with-insights-coc <p>Depending on your past experience with CloudWatch, you might have no experience with it at all, you might have used it once or twice when Lambda automatically threw your logs into it, or, like me, this might be the usual view you get of it:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--lNyuO-Eo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/8xhx4lqakzmjvhsj78nk.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--lNyuO-Eo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/8xhx4lqakzmjvhsj78nk.png" alt="Alt Text"></a></p> <p>Hundreds of lines of logs and absolute agony to search for anything specific due to the simplistic search function. On top of this, what happens when you have a large number of services, each outputting their logs to a separate log group? Unfortunately Cloudwatch doesn’t allow you to view multiple log groups at once, making it impractical for large-scale applications. This is where a platform such as Insights comes in.</p> <p>CloudWatch Log Insights is a fully managed service to assist you in searching and visualizing logs that can be piped into CloudWatch from a number of sources including AWS services, EC2 instances, and even external services, all through queries in Insights' new ad-hoc language.</p> <h1> Getting to it </h1> <p>To get started with Insights, open up the <a href="https://console.aws.amazon.com/cloudwatch/home#logs-insights">Insights page</a> and select the log group you want to run a query on through the dropdown at the top:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--iwD_Rcsu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ko6o2lec7mekhbp46ovr.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--iwD_Rcsu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ko6o2lec7mekhbp46ovr.png" alt="Alt Text"></a></p> <p>Unlike when accessing logs directly through their log group, Insights also allows you to select multiple log groups to run queries on, great for searching across environments or over multiple functions or services!</p> <p>You might also want to select a timeframe if you don't want to stick with the default of showing logs within the last hour. Using the custom dropdown you can enter either an absolute date range, or a relative time. This can be super convenient whether you're debugging an error you've just triggered, or investigating logs around a reported error. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--tGpCEm4x--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/0nbfsv4bleb6rei6i3un.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--tGpCEm4x--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/0nbfsv4bleb6rei6i3un.png" alt="Alt Text"></a></p> <p>Let's start out with a simple query, and then break it down:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>fields @timestamp, @message | sort @timestamp desc | limit 25 </code></pre></div> <p><code>fields @timestamp, @message</code>: fetch only the <code>@timestamp</code> and <code>@message</code> fields</p> <p><code>|</code>: apply a further command to the result set</p> <p><code>sort @timestamp desc</code>: sort by the <code>@timestamp</code> field, descending</p> <p><code>limit 25</code>: once 25 results have been fetched, stop searching and return those rows.</p> <p>So in essence, this query returns the timestamps and messages for the 25 most recent rows in your log group.</p> <p>Moving onto using the kinds of commands that should really start to get you excited about Insights, statistics!<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>filter @message like /error/ | stats count(*) as errorCount by bin(1h) | sort errorCount desc </code></pre></div> <p>Here we're using the <code>stats</code> command which allows us to pass statistics functions such as <code>max</code>, <code>sum</code>, <code>avg</code>, or in our case, <code>count</code>, meaning each datapoint will be the number of rows containing the string <code>error</code>, grouped by the hour. This query might show you something like this:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ATnCcpdB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/9raa4fcj75d5dkkbdfyc.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ATnCcpdB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/9raa4fcj75d5dkkbdfyc.png" alt="Alt Text"></a></p> <p>Or if you open up the Visualization tab, you can get a much more useful representation of the data, which can be displayed as a line, bar, or stacked area chart:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--b_kYHLnH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/gyf1hl05y9hzdqqwyy38.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--b_kYHLnH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/gyf1hl05y9hzdqqwyy38.png" alt="Alt Text"></a></p> <p>Another powerful command you can use is <code>parse</code>, this allows you to <em>parse</em> fields in your logs and translate their contents into columns manipulable within your command:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>filter @message like /errorType/ | parse @message '"errorType":"*"' as @errorType | stats count(@errorType) by bin(1h), @errorType </code></pre></div> <p>This command fetches only rows containing the phrase <code>errorType</code>, then parses that field out of the JSON body within the log, mapping it to the <code>@errorType</code> variable, which we can then perform further commands on, such as by counting the number of each type of error, grouped by the hour.</p> <p>CloudWatch Insights provides a fairly simple solution, saving you from the effort of setting up and managing your own logging solution, while still being powerful and offering most of the core features you'd expect from a logging platform. There are, of course, some drawbacks of Insights, such as the limited visualization capabilities compared to other logging solutions such as an ELK stack. As well as this you have to face up to the requirement of learning a new query language, compared to the more convenient search capabilities provided by some logging solutions.</p> <p>Hopefully you've now enough information about the capabilities of Cloudwatch Log Insights to navigate your way around the tool. You're now monitoring your application logs much more efficiently, but there’s still a ways to go before you’ve covered everything, and there are plenty <a href="https://coralogix.com/log-analytics-blog/devops-monitoring/">other sections of your applications</a> that need to be watched!</p> <p>Luke writes about AWS and Log Analytics for <a href="https://coralogix.com/">Coralogix</a>.</p> cloudwatch insights visualization logging