How do I troubleshoot a CloudWatch Logs Insights query that shows errors or doesn't return the expected results?


I want to troubleshoot an Amazon CloudWatch Logs Insights query that shows errors or doesn't return the expected results.

Short description

Your CloudWatch Logs Insights query might return errors or not return the expected results for the following reasons:

  • There are no logs in the log group for the time range of the query.
  • Logs are in the log group for the time range of the query, but they aren't visible in the query results.
  • A WebSocket connection error occurred.
  • A "row limit exceeded" error occurred.
  • CloudWatch Logs Insights visualization doesn't display a line chart and shows an error.

Resolution

There are no logs in the log group for the time range of the query

In the CloudWatch console, check that the logs that you expect in the query results are in the log group for the time range of the query. When you open the CloudWatch console, make sure that you use the same time range and time zone as the CloudWatch Logs Insights query.

Logs are in the log group for the time range of the query, but they aren't visible in the query results

After CloudWatch Logs receives log events, the events take a few minutes to become available to query. Check that the time range and time zone of the CloudWatch logs are the same as the query's time range and time zone.

If you use the filter command in your CloudWatch Logs Insights query, then make sure that the logs match the filter conditions. Also, make sure that the logs are in the log groups for the time range of the query. To check whether the filter is excluding the logs, run the following query, which doesn't use a filter command:

fields @timestamp, @message, @logStream, @log | sort @timestamp desc | limit 20

CloudWatch Logs can receive log events that have a timestamp of up to 14 days in the past. For more information, see PutLogEvents. Log events that have a timestamp that's earlier than the log group creation timestamp aren't available to query in CloudWatch Logs Insights.

A WebSocket connection error occurred

To run a query, the CloudWatch console must be able to open a WebSocket connection from your network. If your network security team doesn't allow the use of WebSockets, then you can't access CloudWatch Logs Insights in the CloudWatch console. Instead, you can use API commands to access CloudWatch Logs Insights. For more information, see StartQuery and GetQueryResults.

A "row limit exceeded" error occurred

To specify the number of log events that you want your query to return, use the limit command. If you specify a number that's more than 10000, then you receive the following error message:

"Row limit exceeded. Specified: 100000. Maximum: 10000 ([X,Y]) (Service: AWSLogs; Status Code: 400; Error Code: MalformedQueryException; Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx; Proxy: null)."

By default, up to 1000 rows of query results are displayed on the console. You can use the limit command to increase the rows of query results up to 10000. You can't change this quota.

It's a best practice to use the limit of 10000 records for your CloudWatch Logs Insights query. If your query returns more than 10000 records, then run the query for shorter time periods to return fewer records.
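The following added example (not part of the original article) calls the StartQuery and GetQueryResults API operations through a boto3 CloudWatch Logs client instead of the console, and reruns the query over shorter time periods whenever a result reaches the 10000-row quota. The function names, the polling interval, and the halving strategy are assumptions made for illustration.

```python
import time

MAX_ROWS = 10000  # row quota for one Logs Insights query, as stated above
QUERY = "fields @timestamp, @message, @logStream, @log | sort @timestamp desc"
FAILED = ("Failed", "Cancelled", "Timeout", "Unknown")


def run_query(logs, log_group, start, end, query=QUERY, poll_seconds=1.0):
    """Run one query over [start, end] (epoch seconds, both inclusive).

    `logs` is a CloudWatch Logs client, for example boto3.client("logs").
    """
    query_id = logs.start_query(
        logGroupName=log_group,
        startTime=start,
        endTime=end,
        queryString=query,
        limit=MAX_ROWS,
    )["queryId"]
    while True:  # StartQuery is asynchronous, so poll until a final status
        resp = logs.get_query_results(queryId=query_id)
        if resp["status"] == "Complete":
            # Each row is a list of {"field": ..., "value": ...} cells.
            return [{c["field"]: c["value"] for c in row} for row in resp["results"]]
        if resp["status"] in FAILED:
            raise RuntimeError(f"query {query_id} ended as {resp['status']}")
        time.sleep(poll_seconds)


def query_in_windows(logs, log_group, start, end, **options):
    """Return the rows in [start, end], newest window first, halving the
    time range whenever a result reaches the quota and may be truncated."""
    rows = run_query(logs, log_group, start, end, **options)
    if len(rows) < MAX_ROWS or start >= end:
        # Under the quota, or a one-second window that cannot be split
        # further (rows may still be truncated in that case).
        return rows
    mid = (start + end) // 2
    # Both bounds are inclusive, so the two halves must not share `mid`.
    newer = query_in_windows(logs, log_group, mid + 1, end, **options)
    older = query_in_windows(logs, log_group, start, mid, **options)
    return newer + older
```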

CloudWatch Logs Insights visualization doesn't display a line chart and shows an error

If your CloudWatch Logs Insights visualization doesn't display a line chart, then you might receive the following error message:

"The data is not suitable for a line chart. Try a bar chart, or group your result by bin function."

To troubleshoot this issue, check if your CloudWatch Logs Insights query uses the stats, aggregation, or bin() functions to group the data. The bin() function must be the only grouping field in your CloudWatch Logs Insights query.

Related information

Analyzing log data with CloudWatch Logs Insights

CloudWatch Logs Insights query syntax

Sample queries