AWS CloudWatch filter and pattern syntax

Question (votes: 0, answers: 4)

I am following the instructions here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html

But it is not working the way I expect.

I currently have the following CloudWatch Logs subscription filter pattern:

? "UNKNOWN_TOPIC_OR_PARTITION" ? " SEVERE " ? " severe " ? " FATAL "  ? " fatal " - "closing session"

I want to match any of the patterns such as " fatal " while excluding "closing session" from the results.

However, the filter above matches other log output.

amazon-web-services amazon-cloudwatch amazon-cloudwatchlogs amazon-cloudwatch-metrics
4 Answers
31
votes

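You can't do this with the event filter in CloudWatch... but you can with Logs Insights.

CloudWatch -> CloudWatch Logs -> Logs Insights

or

CloudWatch -> CloudWatch Logs -> Log groups -> [your service logs] -> [Logs Insights button]

Logs Insights UI

  1. Log service (you need to select the service logs you want to trace)
  2. In this section you can select the time range.
  3. Here is your query box, where you can enter a query much like SQL

So, in your case, you can use this in the query box: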

fields @timestamp, @message
| sort @timestamp desc
| filter @message like /SEVERE|severe|FATAL|fatal|closing session/ 

Now click Run query and you will see only the logs you want with that filter.


17
votes

Try this filter pattern:

[(w1="*UNKNOWN_TOPIC_OR_PARTITION*" || w1="*SEVERE*" || w1="*severe*" || w1="*FATAL*" || w1="*fatal*") && w1!="*closing session*"]

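3
votes

This bit, combined with all the ORs, will give you problems:

- "closing session"

Try removing it and see whether the rest matches as expected.

I don't know the syntax to get what you need in a single filter, but to get the same result you can create a separate log filter for each string you want to match. In this case, that would be: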

  • "UNKNOWN_TOPIC_OR_PARTITION" - "closing session"
  • " SEVERE " - "closing session"
  • " severe " - "closing session"
  • " FATAL " - "closing session"
  • " fatal " - "closing session"

Now you have 5 different metrics. You can sum them up using metric math, which will give you the metric you need. See here for how to use metric math:


0
votes

Finally figured out how to make it work for JSON log data. Mine are Fluent Bit logs shipped from my EKS pods, and this example works perfectly for me. The xxxxxx in the test data is just my anonymization.

My use case is to filter by:

  1. An error string in the log - "400" or "500"
  2. kubernetes.namespace containing the string "prod" or "stage"

Filter pattern used to generate the CloudWatch metric filter:

{ ($.log = "*400*" || $.log = "*500*" ) && ($.kubernetes.namespace_name = "*prod*" || $.kubernetes.namespace_name = "*stage*")}

Test sample:

    {"time":"2024-06-20T19:37:54.143939587Z","stream":"stdout","_p":"F","log":"INFO:     xxxxxxx - \"GET /healthz HTTP/1.1\" 200 OK","kubernetes":{"pod_name":"dummy-75c4c7f78d-vv4pk","namespace_name":"dummy-dev","pod_id":"88853af3-7911-4c07-8ab9-d1a90d875242","host":"ip-xxxxxxxxxx.us-east-2.compute.internal","container_name":"dummy","docker_id":"xxxxxxxxxx","container_hash":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy@sha256:470eed44a3d65d95def5f8387f2a127f8f29eee94ed14994044093a6ff5332ef","container_image":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy:dev-build-1986d44-v1.0.0"}}
{"time":"2024-06-20T19:38:09.143560164Z","stream":"stdout","_p":"F","log":"INFO:     xxxxxxxxxx:36824 - \"GET /healthz HTTP/1.1\" 400 OK","kubernetes":{"pod_name":"dummy-75c4c7f78d-vv4pk","namespace_name":"dummy-prod","pod_id":"88853af3-7911-4c07-8ab9-d1a90d875242","host":"ip-xxxxxxxxxx.us-east-2.compute.internal","container_name":"dummy","docker_id":"xxxxxxxxxx","container_hash":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy@sha256:470eed44a3d65d95def5f8387f2a127f8f29eee94ed14994044093a6ff5332ef","container_image":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy:dev-build-1986d44-v1.0.0"}}
{"time":"2024-06-20T19:38:24.143866118Z","stream":"stdout","_p":"F","log":"INFO:     xxxxxxxxxx:49414 - \"GET /healthz HTTP/1.1\" 400 OK","kubernetes":{"pod_name":"dummy-75c4c7f78d-vv4pk","namespace_name":"dummy-stage","pod_id":"88853af3-7911-4c07-8ab9-d1a90d875242","host":"ip-xxxxxxxxxx.us-east-2.compute.internal","container_name":"dummy","docker_id":"xxxxxxxxxx","container_hash":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy@sha256:470eed44a3d65d95def5f8387f2a127f8f29eee94ed14994044093a6ff5332ef","container_image":"xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/dummy:dev-build-1986d44-v1.0.0"}}

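Cheers, please upvote if this helps anyone who comes looking for an example. I landed here while looking for this, so I am putting it here.

Tip: ChatGPT and the docs helped :P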
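A local model of the JSON filter pattern in the answer above, added here as an example (it is not the answerer's code and not CloudWatch's implementation), for checking the pattern's logic against sample events before creating the metric filter. It assumes `*` means "any run of characters" and that matching is case-sensitive; the helper names and sample events are constructed.

```python
import json
import re

def wildcard(pattern, value):
    """Case-sensitive match; '*' stands for any run of characters (assumed)."""
    if not isinstance(value, str):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

def select(event, path):
    """Resolve a '$.a.b' selector; None when any key on the path is missing."""
    node = event
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(line):
    """Local stand-in for the filter pattern quoted in the answer."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return False  # not JSON, so no field can be selected
    log = select(event, "$.log")
    ns = select(event, "$.kubernetes.namespace_name")
    is_error = wildcard("*400*", log) or wildcard("*500*", log)
    is_env = wildcard("*prod*", ns) or wildcard("*stage*", ns)
    return is_error and is_env

def make_event(client, status, namespace):
    """Build a constructed event shaped like the answer's test data."""
    log = f'INFO:     {client} - "GET /healthz HTTP/1.1" {status} OK'
    return json.dumps({"log": log, "kubernetes": {"namespace_name": namespace}})

# Constructed samples (hypothetical clients and ports).
SAMPLES = [
    make_event("host:36824", 200, "dummy-dev"),    # healthy, dev
    make_event("host:36824", 400, "dummy-prod"),   # error, prod
    make_event("host:49414", 400, "dummy-stage"),  # error, stage
    make_event("host:36824", 500, "dummy-dev"),    # error, but dev namespace
    make_event("host:54001", 200, "dummy-prod"),   # healthy, port contains "400"
    "plain text 400 prod",                         # not JSON
]

def run():
    return [matches(s) for s in SAMPLES]

if __name__ == "__main__":
    for line, hit in zip(SAMPLES, run()):
        print(hit, line[:70])
```

In this model the fifth sample matches even though the request returned 200, because the substring "400" appears in the client port; anchoring the term on more context, such as `*" 400 *`, avoids that false positive.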
