I use structured logging (hence: logging json strings) and I use a log identifier. So in my code, each log message has a unique identifier so that I can search in both directions: When I see a log message, I know where it comes from and when I expect log messages, I can search for this identifier.
My log-strings look like this:
{"log-id": "##_foo_bar-1", "message": "some explanation", "customer_id": 123}
I'm not too sure if I need to do something else with Cloudwatch, as it looks like this:
[2018-02-06 08:34:09,946]:[INFO]: {"log-id": "##_foo_bar-1", "message": "some explanation", "customer_id": 123}
Recently, I was looking for my identifier ##_foo_bar-1
and Cloudwatch told me:
I also tried:
{$.log-id = "##_foo_bar-1"}
No sucess. But it is for sure in the logs (I have seen it, after manually going through it).
How can I find it with the search function?
Putting the search term in quotes should work, like this: "##_foo_bar-1"
Searching for {$.log-id = "##_foo_bar-1"}
should also work. I tried logging the same example statement you have in your question and this is what I get:
Maybe your log message is not recognized as json, do you see it parsed and colorized like in my screenshot?