CloudWatch Logs Insights Query Reference & Examples

November 1, 2025

Below is a quick set of CloudWatch Logs Insights query examples that I’ve collected over the years.

Search with Regex

This query searches log messages using regex patterns to find error messages, warnings, or exceptions across your logs.

fields @timestamp, @message
| sort @timestamp desc
| filter @message like /ERROR|WARN|Exception/
| limit 100

Example Output

@timestamp               | @message
2024-01-15T14:32:18.123Z | ERROR: Database connection failed - timeout after 30s
2024-01-15T14:31:45.892Z | WARN: API rate limit approaching threshold (85%)
2024-01-15T14:30:12.445Z | Exception in thread "main" java.lang.NullPointerException

Lambda Filter out System Logs

Removes Lambda’s default system logs (START, END, REPORT) to focus only on your application logs.

filter @message not like /(?i)(START RequestId:|END RequestId:|REPORT RequestId:)/

Lambda Memory Usage Analysis

Analyzes Lambda memory usage patterns to help optimize memory allocation and identify over-provisioned functions.

# @memorySize and @maxMemoryUsed are in bytes, with 1 MB reported as 1000 * 1000 bytes
filter @type = "REPORT"
| stats max(@memorySize / 1000 / 1000) as provisionedMemoryMB,
  min(@maxMemoryUsed / 1000 / 1000) as smallestMemoryRequestMB,
  avg(@maxMemoryUsed / 1000 / 1000) as avgMemoryUsedMB,
  max(@maxMemoryUsed / 1000 / 1000) as maxMemoryUsedMB,
  provisionedMemoryMB - maxMemoryUsedMB as overProvisionedMB

Example Output

provisionedMemoryMB | smallestMemoryRequestMB | avgMemoryUsedMB | maxMemoryUsedMB | overProvisionedMB
512                 | 87.3                    | 142.8           | 203.5           | 308.5

API Gateway Access Logs Analysis

Aggregates API Gateway error responses by status code and error type to identify common failure patterns.

fields @timestamp, status, errorResponseType, errorMessage
| filter ispresent(status)
| filter errorResponseType != '-'
| sort @timestamp desc
| stats count() by status, errorResponseType, errorMessage

Example Output

status | errorResponseType       | errorMessage           | count
400    | BAD_REQUEST_PARAMETERS  | Missing required field | 23
401    | UNAUTHORIZED            | Invalid API key        | 15
500    | INTERNAL_SERVER_ERROR   | Database timeout       | 8

Group by Parsed Fields

Parses structured log messages to extract error codes and details, then groups them for error frequency analysis.

parse @message "(*)" as id
| filter @message like /statusCode":4[0-9][0-9]/ or @message like /statusCode":5[0-9][0-9]/
| parse @message '"code":"*"' as code
| parse @message '"detail":"*"' as detail
| parse @message '"statusCode":*,' as statusCode
| stats count(*) by code, detail, statusCode

Example Output

code              | detail                    | statusCode | count
VALIDATION_ERROR  | Email format invalid      | 400        | 45
AUTH_FAILED       | Token expired             | 401        | 23
RATE_LIMIT        | Too many requests         | 429        | 12
DB_CONNECTION     | Connection pool exhausted | 500        | 8
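
The filter, parse and stats steps of this query can be checked offline before running it against a log group. The Python below is an added example, not code from the original post: it approximates the glob parse with a lazy regex capture (an assumption about matching behaviour), runs on constructed log lines, and shows that the '"statusCode":*,' pattern depends on a comma following the value.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original page).
SAMPLE_LOGS = [
    '(req-1) {"statusCode":401,"code":"AUTH_FAILED","detail":"Token expired"}',
    '(req-2) {"statusCode":401,"code":"AUTH_FAILED","detail":"Token expired"}',
    '(req-3) {"statusCode":429,"code":"RATE_LIMIT","detail":"Too many requests"}',
    '(req-4) {"statusCode":200,"code":"OK","detail":"done"}',
    # statusCode is the last key here, so no comma follows the value.
    '(req-5) {"code":"DB_CONNECTION","detail":"Connection pool exhausted","statusCode":500}',
]

# Same 4xx/5xx filter as the query, merged into one character class.
ERROR_FILTER = re.compile(r'statusCode":[45][0-9][0-9]')


def glob_parse(message, pattern):
    """Approximate a glob parse (assumption): literals escaped, * is a lazy capture."""
    regex = "(.*?)".join(re.escape(part) for part in pattern.split("*"))
    match = re.search(regex, message)
    return match.group(1) if match else None


def regex_status(message):
    """Anchor on the digits themselves instead of a trailing comma."""
    match = re.search(r'"statusCode":(?P<statusCode>\d+)', message)
    return match.group("statusCode") if match else None


def group_errors(lines, status_parser=None):
    """Emulate: filter | parse code | parse detail | parse statusCode | stats count(*) by ..."""
    if status_parser is None:
        status_parser = lambda m: glob_parse(m, '"statusCode":*,')
    counts = Counter()
    for line in lines:
        if not ERROR_FILTER.search(line):
            continue
        key = (glob_parse(line, '"code":"*"'),
               glob_parse(line, '"detail":"*"'),
               status_parser(line))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in group_errors(SAMPLE_LOGS).most_common():
        print(key, n)
    print(group_errors(SAMPLE_LOGS, regex_status).most_common())
```

In this emulation the req-5 line is counted with no statusCode under the glob pattern. The equivalent change in Logs Insights is a regex parse with a named capture group, such as parse @message /"statusCode":(?<statusCode>\d+)/.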

Resources