Introduction
Widgets are the building blocks of a CloudWatch dashboard. They come in various types that can help you interpret metrics in a way that’s not only meaningful but also tailored to your specific needs. While they are typically used for visualizing metrics, widgets can also display the results of Logs Insights queries on your dashboard.
Logs Insights queries as a checklist
You can save Logs Insights queries to create a “troubleshooting checklist” for various situations. For example, if there’s a sudden increase in your application’s load, you might want to check your logs first for a high number of requests, latency issues, or perhaps a high rate of unauthorized attempts. This can save you time in diagnosing issues. By displaying your “troubleshooting checklist” in a dashboard, you can do even better!
In this post, I’ll walk you through the steps of creating a CloudWatch widget from Logs Insights query results. Our objective is to show the IP addresses with the highest number of requests.
Steps
- Open the Amazon CloudWatch Dashboard and click on the + icon.
- Select the Logs table widget and click Next.
- Choose the Log group that contains the data you want to display.
- Copy the following query and paste it into the text area.
On line 5, we’re excluding the server’s IP, so it won’t show up in the results. We do this since we’re only interested in reviewing user requests, not internal ones made by our server. Additionally, you might want to filter out other legitimate traffic sources, such as Googlebot crawlers or Route 53 health checkers.
- Finally, click Create widget.
The beauty of adding queries to your dashboard is that it’s like CloudWatch is running the queries for you. To see updated results, you can simply refresh the widget whenever you want. You can also view the results over different time ranges. For instance, if you wish to see the top requesting IP addresses for the past five minutes, you can configure the Relative time and set it to five minutes.
Please note that queries run each time you load the dashboard or refresh it. Running queries is not free, so you may want to avoid refreshing the dashboard frequently, especially over longer time ranges. The query results are limited to 1,000 entries, and those at the bottom may not be of use to you, so you can add a filter to the query that limits the returned entries.
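The same widget can also be defined as code rather than through the console. The following Python is an added example, not the query or code from the original post: it builds a top-requesters query with the exclusions and row limit discussed above and wraps it in a Logs table widget definition. The log group name, IP address, region, and the assumption that the client IP is the first token of each log line are all hypothetical.

```python
import ipaddress
import json
import re

MAX_ROWS = 1000  # result cap mentioned in the post


def build_top_ip_query(log_group, excluded_ips=(), excluded_agents=(), limit=20):
    """Build a Logs Insights query that ranks client IPs by request count."""
    # Reject anything that could break out of the quoted or regex contexts.
    if not re.fullmatch(r"[A-Za-z0-9_.\-/#]+", log_group):
        raise ValueError("unexpected characters in log group name")
    if not 1 <= limit <= MAX_ROWS:
        raise ValueError("limit must be between 1 and 1000")
    ips = [str(ipaddress.ip_address(ip)) for ip in excluded_ips]  # ValueError if invalid
    stages = [
        f"SOURCE '{log_group}'",
        "fields @message",
        # Assumption: the client IP is the first token of each log line.
        r"parse @message /^(?<clientIp>\S+)/",
    ]
    if ips:
        stages.append("filter clientIp not in [%s]" % ", ".join(f'"{ip}"' for ip in ips))
    for agent in excluded_agents:
        # User-Agent strings are client-supplied, so this only removes noise;
        # it is not proof that the traffic is legitimate.
        if not re.fullmatch(r"[A-Za-z0-9\-]+", agent):
            raise ValueError("unexpected characters in user agent token")
        stages.append(f"filter @message not like /{agent}/")
    stages += ["stats count(*) as requests by clientIp",
               "sort requests desc",
               f"limit {limit}"]
    return " | ".join(stages)


def log_table_widget(title, region, query):
    """Wrap a query in a dashboard 'log' widget shown as a table."""
    return {"type": "log", "x": 0, "y": 0, "width": 24, "height": 6,
            "properties": {"query": query, "region": region,
                           "title": title, "view": "table"}}


if __name__ == "__main__":
    query = build_top_ip_query(
        "/example/app/access",                     # hypothetical log group
        excluded_ips=["203.0.113.10"],             # hypothetical server IP
        excluded_agents=["Googlebot", "Amazon-Route53-Health-Check-Service"],
        limit=25)
    widget = log_table_widget("Top requesting IPs", "us-east-1", query)
    print(json.dumps({"widgets": [widget]}, indent=2))
```

The printed JSON can be supplied as the dashboard body to `aws cloudwatch put-dashboard`.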
Conclusion
That’s it. I hope you were able to follow this simple tutorial. Thank you for coming by.