How to filter CloudWatch logs using boto3 in Python
I'd like to filter the logs from API Gateway with CloudWatch.
Here is a sample of my logs:
(f810f3b1-5aqa-4af1-be31-bq10d3w99fqp) Endpoint request body after transformations: {"domain":"example.com"}
(f810f3b1-5aqa-4af1-be31-bq10d3w99fqp) HTTP Method: POST, Resource Path: /v/
(f810f3b1-5aqa-4af1-be31-bq10d3w99fqp) API Key: **************
(f810f3b1-5aqa-4af1-be31-bq10d3w99fqp) Method request path: {}
(f810f3b1-5aqa-4af1-be31-bq10d3w99fqp) Method request query string: {0.49120039624=}
My goal is to filter only the @message containing the request body to get the domain from it using boto3. Here's my code:
import boto3
from datetime import datetime, timedelta

client = boto3.client("logs")                 # CloudWatch Logs client
log_group = "<your-api-gateway-log-group>"    # placeholder log group name

query = "fields @timestamp, @message | filter @message in ['domain']"
response_query = client.start_query(
    logGroupName=log_group,
    startTime=int((datetime.now() - timedelta(hours=5)).timestamp()),
    endTime=int(datetime.now().timestamp()),
    queryString=query,
    limit=1000
)
=> {'results': [], 'statistics': {....}
I'm getting no result from this query, do you have any idea why?
The solution is to use the `like` operator for fuzzy match. The `in` operator in a CloudWatch query is similar to `in` in other languages like Python:
    >>> 'a' in ['a', 'b']
    True
`in` only checks for exact matches. Its typical usage in CloudWatch is to check low-cardinality set membership in the discovered log fields. For example, the discovered log field `@type` in Lambda logs indicates the type of a log message in a Lambda invocation. The possible values are START, END, REPORT. In other words, the cardinality of this set is 3, which is pretty low. Then I can use the following query to get a glance of what the duration and max memory usage look like in the recent invocations:
fields @timestamp, @message
| filter @type in ['REPORT']
| sort @timestamp desc
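To tie the answer back to the question, here is an added example (not the asker's or the answerer's code) that runs the corrected `like` query through boto3, polls get_query_results until the query finishes, and extracts the domain from each request-body message. The log group name is a placeholder, the client is passed in, and SAMPLE_RESULTS is a constructed row in the shape get_query_results returns, so the parsing can be exercised without AWS access.

```python
import json
import re
import time
from datetime import datetime, timedelta, timezone

# `like` matches a pattern inside @message; `in` only tests exact set
# membership, which is why the asker's query returned no rows.
QUERY = ("fields @timestamp, @message"
         " | filter @message like /Endpoint request body after transformations/"
         " | sort @timestamp desc")

# Captures the JSON body after the fixed prefix; the request-id prefix is ignored.
BODY_RE = re.compile(r"Endpoint request body after transformations: (\{.*\})\s*$")

# Constructed sample row in the shape get_query_results returns (field/value cells).
SAMPLE_RESULTS = [
    [{"field": "@timestamp", "value": "2024-01-01 00:00:00.000"},
     {"field": "@message", "value": "(f810f3b1-5aqa-4af1-be31-bq10d3w99fqp) "
      "Endpoint request body after transformations: {\"domain\":\"example.com\"}"}],
]

def extract_domain(message):
    """Return the "domain" value from a request-body log line, else None."""
    m = BODY_RE.search(message)
    if not m:
        return None
    try:
        body = json.loads(m.group(1))
    except json.JSONDecodeError:  # malformed or truncated body: skip it
        return None
    return body.get("domain") if isinstance(body, dict) else None

def domains_from_results(results):
    """Flatten Logs Insights rows into the domains they contain."""
    messages = ({c["field"]: c["value"] for c in row}.get("@message", "") for row in results)
    return [d for d in map(extract_domain, messages) if d is not None]

def query_domains(client, log_group, hours=5, poll_seconds=1.0):
    """Run QUERY with a boto3 CloudWatch Logs client, poll to completion, return domains."""
    now = datetime.now(timezone.utc)
    qid = client.start_query(logGroupName=log_group, queryString=QUERY, limit=1000,
                             startTime=int((now - timedelta(hours=hours)).timestamp()),
                             endTime=int(now.timestamp()))["queryId"]
    resp = client.get_query_results(queryId=qid)
    while resp["status"] in ("Scheduled", "Running"):  # start_query is asynchronous
        time.sleep(poll_seconds)
        resp = client.get_query_results(queryId=qid)
    if resp["status"] != "Complete":
        raise RuntimeError("query ended with status " + resp["status"])
    return domains_from_results(resp["results"])
```

With real credentials, `query_domains(boto3.client("logs"), "<your-log-group>")` returns the list of domains seen in the last five hours.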