Filter by timestamp query on AWS Cloudwatch Logs Insights

Question

I am trying to use AWS Cloudwatch Logs insights in order to search in some quite old logs of our lambda functions. I am reading this guide on AWS docs, but nowhere is documented how you can filter by timestamp. I have tried the below:

fields @timestamp, @message
| filter @timestamp > '2019-12-04T18:09:10.000+01:00'
| limit 200
| sort @timestamp desc

but doesn't work (returns 0 results).

Initially, I was trying to find out if there is a way to sort the log groups by a timestamp column (instead of the default which is the log group name), when I came across this feature request since 2015 - this is not resolved in eu-west-1 and they suggest to use the new log insights, but I can't make this work.

Does anyone know how I can filter logs by timestamp, or if this is even possible with Cloudwatch logs insights?

Thanks!

Answer 1

You can use @timestamp it just expects a UNIX timestamp in milliseconds, instead of seconds, from epoch.

Like this @timestamp > 1575479350000

See here https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html.

Although the docs don't mention you can do this I tested it out and it works.

Regarding the ISO string that you're trying to use there is a note in docs that...

Answer 2

Filtering on timestamp is done with the range selector on the top right in the Logs Insights Console or with the startTime and endTime parameters on the StartQuery API.

You could do further filtering using timestamp values in millis (see below for an example), but the overall range still needs to be wider than what you're using in the query itself.

fields @timestamp, @message
| fields tomillis(@timestamp) as millis
| filter millis > 1578182400000  # Sunday, 5. January 2020 0:00:00
     and millis < 1578268800000  # Sunday, 6. January 2020 0:00:00