Match case-insensitive patterns when using CloudWatch Logs Insights

Tomasz Łakomy - Oct 10 '23 - - Dev Community

👋

I found myself Googling (or rather - ChatGPTing) this one too many times so I decided to write it down.


If you're looking for errors in your CloudWatch Logs, you can use CloudWatch Logs Insights to query them. One of the most commonly used commands is filter, which returns only the log events that match one or more conditions. Here's an example:

fields @timestamp, @message
| filter (range>3000 and accountId=123456789012)
| sort @timestamp desc
| limit 20

To be honest I rarely find myself using filter like this, but I often use it to filter logs that match a specific pattern, for example:

fields @timestamp, @message, @logStream, @log
| filter @message like /error/

Note the like keyword here - this is a signal for CloudWatch Logs Insights to treat the pattern as a regular expression. (You can use =~ instead of like if you want, e.g. filter @message =~ /error/ but I personally find it more confusing to read).

There is one problem with this query, suppose that our error log entry looks like this:

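// Legacy "faker" package, which provides faker.random.uuid()
const faker = require("faker");

// Example error entry: note the capital "E" in "Error"
console.log({
  message: "Error: cannot create user",
  timestamp: new Date().toUTCString(),
  requestId: faker.random.uuid(),
  userId: faker.random.uuid(),
});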

(Obviously don't use faker.random.uuid() in prod, this is just an example).

If we type filter @message like /error/ we won't get any results because the pattern is case-sensitive. To make it case-insensitive we need to add (?i) to the beginning of the pattern, like this:

fields @timestamp, @message, @logStream, @log
| filter @message like /(?i)error/

This will match error, Error, ERROR or even eRroR and we'll get the results we're looking for.

Additional tip:

One more thing - if you want to filter all logs that are not errors (e.g. if you don't want to ruin your weekend), you can use not like syntax, like this:

fields @timestamp, @message, @logStream, @log
| filter @message not like /(?i)error/
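
As an added example (not part of the original post), the JavaScript sketch below builds the filter queries shown above from a search keyword and approximates them locally over constructed sample messages, showing what the case-sensitive pattern misses. The function names, the keyword allowlist and the sample lines are assumptions made for illustration; JavaScript's i flag stands in for the leading (?i).

```javascript
// Constructed sample messages (not real logs), modelled on the article's log entry.
const SAMPLE_LOGS = [
  '{"message":"Error: cannot create user","requestId":"req-1"}',
  '{"message":"ERROR: upstream timeout","requestId":"req-2"}',
  '{"message":"user created","requestId":"req-3"}',
  '{"message":"retrying after error","requestId":"req-4"}',
];

// Assumption: only plain keywords are accepted, so a term can never close the
// /.../ literal, add regex syntax, or append extra piped commands to the query.
const SAFE_TERM = /^[A-Za-z0-9 _-]{1,64}$/;

function assertSafe(term) {
  if (typeof term !== "string" || !SAFE_TERM.test(term)) {
    throw new Error(`unsupported search term: ${JSON.stringify(term)}`);
  }
  return term;
}

// Builds the Logs Insights query text from the article for a given keyword.
function buildFilterQuery(term, { ignoreCase = true, negate = false } = {}) {
  const flag = ignoreCase ? "(?i)" : "";
  const op = negate ? "not like" : "like";
  return [
    "fields @timestamp, @message, @logStream, @log",
    `| filter @message ${op} /${flag}${assertSafe(term)}/`,
  ].join("\n");
}

// Local approximation of the same filter, for checking a pattern against
// sample messages before running the query against real log groups.
function matchesLocally(messages, term, { ignoreCase = true, negate = false } = {}) {
  const re = new RegExp(assertSafe(term), ignoreCase ? "i" : "");
  return messages.filter((m) => re.test(m) !== negate);
}

console.log(buildFilterQuery("error"));
console.log("case-sensitive hits:  ", matchesLocally(SAMPLE_LOGS, "error", { ignoreCase: false }).length);
console.log("case-insensitive hits:", matchesLocally(SAMPLE_LOGS, "error").length);
```

On the sample lines, the case-sensitive pattern finds only the all-lowercase entry and misses both "Error:" and "ERROR:", which is the gap the (?i) prefix closes.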