Display empty bin as a zero value in AWS Log Insights graph

Question

With this count query by bin:

filter @message like / error /
| stats count() as exceptionCount by bin(30m)

I get a discontinuous graph, which is hard to grasp:

Is is possible for AWS Cloudwatch Log Insights to consider the empty bin as zero count to get a continuous graph?

score 10 · Accepted Answer · answered Nov 18 '20 at 20:17

10

Found your question looking for my own answer to this.

The best that I came up with is to calculate a 'presence' field and then use sum to get 0's in the time bins.

I used strcontains, which returns a 1 when matched or 0 when not. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html#CWL_QuerySyntax-operations-functions

Mine looks like this:

fields @timestamp, @message
| fields strcontains(@message, 'Exit status 1') as is_exit_message
| stats sum(is_exit_message) as is_exit_message_count by bin(15m) as time_of_crash
| sort time_of_crash desc

So, yours would be:

fields strcontains(@message, 'error') as is_error
| stats sum(is_error) as exceptionCount by bin(30m)

answered Nov 18 '20 at 20:17

Joey Lesh

366
2
5

My original request was actually using a regular expression: `filter @message like /Request [0-9]* (exception|error)/ | stats count(*) as exceptionCount by bin(30m)`. In my specific case, I managed to use your strcontains trick by using `filter @message like /Request [0-9]*/ | fields strcontains(@message, 'exception') + strcontains(@message, 'error') as is_error | stats sum(is_error) as exceptionCount by bin(30m)` – pba Nov 20 '20 at 13:41
6

This sortof works, except you still only get zeros if there are log messages without your matching strings. If there were no log messages at all in the bin period (majority of the bins in my case), it's still discontinuous – user1169420 Feb 26 '21 at 19:40
1

yeah, I agree with @user1169420, if there are no log messages for that period, it still displays it discountinuous. Any workaround for this? – kk. Jun 08 '21 at 16:10
Hey @kk. , did you figure out a solution for this ? – Raghav Apr 26 '22 at 05:54

Jehong Ahn · Answer 2 · 2023-07-26T01:22:16.273

2

Use strcontains + sum or parse + count.

Do not use filter. You should query all of logs.

edited Jul 26 '23 at 01:22

answered Jun 08 '21 at 01:31

Jehong Ahn

1,872
1
19
25

Display empty bin as a zero value in AWS Log Insights graph

2 Answers2