How to filter CloudWatch Log Insights with ispresent() function

Question

I'm trying to perform a really simple query on the ~~not so~~ new AWS Cloudwatch Log Insights

I'm following their documentation to filter my logs using ispresent function.

The query is the following:

fields @timestamp, status
| filter ispresent(status) != 0

But this give me an error (the super unhelpful We are having trouble understanding the query)

How can I filter my logs by showing only the logs with the status field?

NateH06 · Answer 1 · 2021-11-19T01:04:10.857

50

The accepted answer doesn't work for me, but you can now negate ispresent():

fields @timestamp, status
| filter !ispresent(status)

edited Nov 19 '21 at 01:04

answered Jul 09 '20 at 22:38

NateH06

1

As a filter `ispresent()` also works with the reverse `!!ispresent()` – Aran Sep 21 '21 at 10:52

score 22 · Accepted Answer · answered May 09 '19 at 14:51

22

After a while, I figured out how to do that, in a hackish way.

fields @timestamp, status, ispresent(status) as exist
| filter exist != 0

Not the best way (and it goes against their documentation), but works.

answered May 09 '19 at 14:51

Gustavo Lopes

11

```fields @timestamp, status | filter ispresent(status)``` - this looks better – ILog Jul 12 '19 at 07:50
1

It does look better. Though, by the time of the question, it wasn't working.I can't test right now as I don't have any json formatted logs, unfortunately. – Gustavo Lopes Jul 12 '19 at 12:34
1

Also AWS does not have a good way to negate the `ispresent()` function from within the filter, which this makes up for. Thanks! – hvaughan3 Jul 25 '19 at 03:18

2 Answers2