Create and manage CloudWatch Logs Insights query definitions for structured log analysis and reporting with predefined query templates.
Create predefined CloudWatch Logs Insights queries that can be saved, shared, and reused for log analysis and monitoring across multiple log groups.
/**
* CloudWatch Logs Insights query definition for structured log analysis
*/
class QueryDefinition extends Construct {
/**
* Create a query definition
* @param scope - Construct scope
* @param id - Construct ID
* @param props - QueryDefinition configuration properties
*/
constructor(scope: Construct, id: string, props: QueryDefinitionProps);
/** Unique identifier for the query definition */
readonly queryDefinitionId: string;
}
/**
* Properties for QueryDefinition
*/
interface QueryDefinitionProps {
/** Name for the query definition */
readonly queryDefinitionName: string;
/** Query string object containing the Logs Insights query */
readonly queryString: QueryString;
/** Log groups to run the query against */
readonly logGroups?: ILogGroup[];
}Usage Examples:
import * as logs from '@aws-cdk/aws-logs';
const applicationLogGroup = new logs.LogGroup(this, 'ApplicationLogs');
const apiLogGroup = new logs.LogGroup(this, 'ApiLogs');
// Create query definition for error analysis
const errorAnalysisQuery = new logs.QueryDefinition(this, 'ErrorAnalysisQuery', {
queryDefinitionName: 'Application Error Analysis',
queryString: new logs.QueryString({
fields: ['@timestamp', 'level', 'message', 'userId'],
filter: 'level = "ERROR"',
stats: 'count() by bin(5m)',
sort: '@timestamp desc',
limit: 100,
}),
logGroups: [applicationLogGroup],
});
// Create query for API performance monitoring
const performanceQuery = new logs.QueryDefinition(this, 'PerformanceQuery', {
queryDefinitionName: 'API Performance Dashboard',
queryString: new logs.QueryString({
fields: ['@timestamp', 'method', 'path', 'responseTime', 'statusCode'],
filter: 'responseTime > 1000',
stats: 'avg(responseTime), max(responseTime), count() by bin(1m)',
sort: '@timestamp desc',
}),
logGroups: [apiLogGroup],
});Builder class for constructing CloudWatch Logs Insights queries with support for fields selection, filtering, statistics, and result formatting.
/**
* CloudWatch Logs Insights query string builder
*/
class QueryString {
/**
* Create a query string
* @param props - Query configuration properties
*/
constructor(props?: QueryStringProps);
/**
* Convert query to string format for CloudWatch Logs Insights
* @returns Formatted query string
*/
toString(): string;
}
/**
* Properties for QueryString
*/
interface QueryStringProps {
/** Fields to retrieve from log events */
readonly fields?: string[];
/** Parse expressions for extracting data from log messages */
readonly parse?: string;
/** Filter conditions to apply to log events */
readonly filter?: string;
/** Statistical calculations to perform on the data */
readonly stats?: string;
/** Sort order for results */
readonly sort?: string;
/** Maximum number of results to return */
readonly limit?: number;
/** Fields to display in results */
readonly display?: string;
}Usage Examples:
// Basic field selection and filtering
const basicQuery = new logs.QueryString({
fields: ['@timestamp', '@message'],
filter: 'level = "ERROR"',
sort: '@timestamp desc',
limit: 50,
});
// Complex query with parsing and statistics
const complexQuery = new logs.QueryString({
fields: ['@timestamp', 'requestId', 'duration'],
parse: '@message /Duration: (?<duration>\\d+)ms/',
filter: 'duration > 1000',
stats: 'avg(duration), max(duration), count() by bin(5m)',
sort: '@timestamp desc',
limit: 100,
});
// JSON log analysis
const jsonLogQuery = new logs.QueryString({
fields: ['@timestamp', 'level', 'component', 'userId'],
filter: 'level in ["ERROR", "WARN"] and ispresent(userId)',
stats: 'count() by level, component',
sort: 'count desc',
});// Comprehensive error tracking
const errorTrackingQuery = new logs.QueryDefinition(this, 'ErrorTracking', {
queryDefinitionName: 'Comprehensive Error Analysis',
queryString: new logs.QueryString({
fields: ['@timestamp', 'level', 'error.type', 'error.message', 'userId', 'requestId'],
filter: 'level = "ERROR"',
stats: 'count() by error.type, bin(1h)',
sort: '@timestamp desc',
limit: 200,
}),
logGroups: [applicationLogGroup],
});
// Top error messages
const topErrorsQuery = new logs.QueryDefinition(this, 'TopErrors', {
queryDefinitionName: 'Most Frequent Errors',
queryString: new logs.QueryString({
fields: ['error.message'],
filter: 'level = "ERROR"',
stats: 'count() by error.message',
sort: 'count desc',
limit: 20,
}),
logGroups: [applicationLogGroup],
});// API endpoint performance
const endpointPerformanceQuery = new logs.QueryDefinition(this, 'EndpointPerformance', {
queryDefinitionName: 'API Endpoint Performance Analysis',
queryString: new logs.QueryString({
fields: ['@timestamp', 'method', 'path', 'responseTime', 'statusCode'],
filter: 'ispresent(responseTime)',
stats: 'avg(responseTime), max(responseTime), min(responseTime), count() by path, bin(5m)',
sort: 'avg desc',
limit: 100,
}),
logGroups: [apiLogGroup],
});
// Slow query detection
const slowQueriesQuery = new logs.QueryDefinition(this, 'SlowQueries', {
queryDefinitionName: 'Database Slow Queries',
queryString: new logs.QueryString({
parse: '@message /Query executed in (?<queryTime>\\d+)ms: (?<queryText>.+)/',
filter: 'queryTime > 1000',
fields: ['@timestamp', 'queryTime', 'queryText'],
stats: 'avg(queryTime), max(queryTime), count() by queryText',
sort: 'avg desc',
limit: 50,
}),
logGroups: [databaseLogGroup],
});// User session analysis
const userSessionQuery = new logs.QueryDefinition(this, 'UserSessions', {
queryDefinitionName: 'User Session Analysis',
queryString: new logs.QueryString({
fields: ['@timestamp', 'userId', 'action', 'sessionId'],
filter: 'ispresent(userId) and action in ["login", "logout", "purchase"]',
stats: 'count() by userId, action, bin(1h)',
sort: '@timestamp desc',
limit: 500,
}),
logGroups: [applicationLogGroup],
});
// Failed authentication attempts
const authFailureQuery = new logs.QueryDefinition(this, 'AuthFailures', {
queryDefinitionName: 'Authentication Failures',
queryString: new logs.QueryString({
fields: ['@timestamp', 'userId', 'ipAddress', 'userAgent'],
filter: 'event = "authentication_failed"',
stats: 'count() by userId, ipAddress, bin(1h)',
sort: 'count desc',
limit: 100,
}),
logGroups: [securityLogGroup],
});// Revenue tracking
const revenueQuery = new logs.QueryDefinition(this, 'RevenueTracking', {
queryDefinitionName: 'Revenue Analysis',
queryString: new logs.QueryString({
fields: ['@timestamp', 'userId', 'amount', 'currency', 'product'],
filter: 'event = "purchase_completed" and ispresent(amount)',
stats: 'sum(amount), count(), avg(amount) by product, bin(1d)',
sort: 'sum desc',
limit: 50,
}),
logGroups: [businessLogGroup],
});
// Feature usage analytics
const featureUsageQuery = new logs.QueryDefinition(this, 'FeatureUsage', {
queryDefinitionName: 'Feature Usage Analytics',
queryString: new logs.QueryString({
fields: ['@timestamp', 'userId', 'feature', 'action'],
filter: 'event = "feature_used"',
stats: 'count() by feature, action, bin(1d)',
sort: 'count desc',
limit: 100,
}),
logGroups: [analyticsLogGroup],
});// Security anomaly detection
const securityAnomalyQuery = new logs.QueryDefinition(this, 'SecurityAnomalies', {
queryDefinitionName: 'Security Anomaly Detection',
queryString: new logs.QueryString({
fields: ['@timestamp', 'ipAddress', 'userId', 'action', 'riskScore'],
filter: 'riskScore > 7 or action in ["privilege_escalation", "suspicious_login"]',
stats: 'count(), avg(riskScore) by ipAddress, action, bin(1h)',
sort: 'avg desc',
limit: 200,
}),
logGroups: [securityLogGroup],
});
// Unusual access patterns
const accessPatternQuery = new logs.QueryDefinition(this, 'AccessPatterns', {
queryDefinitionName: 'Unusual Access Patterns',
queryString: new logs.QueryString({
fields: ['@timestamp', 'userId', 'ipAddress', 'location', 'device'],
filter: 'event = "access_attempt" and location != user.usual_location',
stats: 'count() by userId, location, bin(1h)',
sort: 'count desc',
limit: 100,
}),
logGroups: [accessLogGroup],
});// Resource utilization
const resourceUtilizationQuery = new logs.QueryDefinition(this, 'ResourceUtilization', {
queryDefinitionName: 'Resource Utilization Trends',
queryString: new logs.QueryString({
fields: ['@timestamp', 'instanceId', 'cpuUsage', 'memoryUsage', 'diskUsage'],
filter: 'ispresent(cpuUsage) and (cpuUsage > 80 or memoryUsage > 85)',
stats: 'avg(cpuUsage), avg(memoryUsage), max(cpuUsage), max(memoryUsage) by instanceId, bin(5m)',
sort: 'max desc',
limit: 100,
}),
logGroups: [infrastructureLogGroup],
});
// Application health check
const healthCheckQuery = new logs.QueryDefinition(this, 'HealthCheck', {
queryDefinitionName: 'Application Health Monitoring',
queryString: new logs.QueryString({
fields: ['@timestamp', 'service', 'endpoint', 'status', 'responseTime'],
filter: 'event = "health_check" and (status != "healthy" or responseTime > 5000)',
stats: 'count() by service, status, bin(1m)',
sort: '@timestamp desc',
limit: 200,
}),
logGroups: [healthLogGroup],
});// Cross-service correlation
const crossServiceQuery = new logs.QueryDefinition(this, 'CrossServiceAnalysis', {
queryDefinitionName: 'Cross-Service Request Tracing',
queryString: new logs.QueryString({
fields: ['@timestamp', 'service', 'traceId', 'operation', 'duration', 'status'],
filter: 'ispresent(traceId) and (status = "error" or duration > 2000)',
stats: 'count(), avg(duration) by service, operation, bin(5m)',
sort: 'avg desc',
limit: 150,
}),
logGroups: [apiLogGroup, applicationLogGroup, databaseLogGroup],
});
// System-wide error correlation
const systemErrorQuery = new logs.QueryDefinition(this, 'SystemErrors', {
queryDefinitionName: 'System-wide Error Correlation',
queryString: new logs.QueryString({
fields: ['@timestamp', '@logGroup', 'level', 'message', 'correlationId'],
filter: 'level in ["ERROR", "FATAL"] and ispresent(correlationId)',
stats: 'count() by @logGroup, bin(1m)',
sort: '@timestamp desc',
limit: 300,
}),
logGroups: [applicationLogGroup, apiLogGroup, databaseLogGroup, infrastructureLogGroup],
});