I'm trying to create a CloudWatch alarm from a log group metric filter. I have created the metric filter but I'm unable to set up an alarm as no data seems to be graphed.
I am trying to set up a metric filter to track 502 errors from our ECS container logs.
I go to CloudWatch > Log groups and select our group 'example-ecs'.
This group contains our log stream from our ECS containers. There are many as when the website is deployed a new stream is created. I think this is expected, there are 100s of logs.
web/example-task-production/1XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX 2022-04-14 13:54:14 (UTC+02:00)
web/example-task-production/2XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX 2022-05-05 12:09:00 (UTC+02:00)
web/example-task-production/3XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX 2022-04-04 18:11:03 (UTC+02:00)
web/example-task-production/4XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX 2022-04-05 09:47:15 (UTC+02:00)
If I 'search all' with the following filter:
[timestamp, timezone, server, from, ip, request, method, url, response, http, codetitle, code=502, bytes, sent, time]
I get these search results (as expected):
05/Apr/2022:16:04:28 +0000 Server: From: XXX.XX.X.XXX Request: POST https://example.com/broken/page Response: HTTP Code: 502 Bytes Sent: 315 Time: 0.042
05/Apr/2022:16:42:02 +0000 Server: From: XXX.XX.X.XXX Request: POST https://example.com/broken/page Response: HTTP Code: 502 Bytes Sent: 315 Time: 0.062
05/Apr/2022:19:14:50 +0000 Server: From: XXX.XX.X.XXX Request: POST https://example.com/broken/page Response: HTTP Code: 502 Bytes Sent: 315 Time: 0.043
I then created a metric filter using this filter pattern. With the following settings:
Filter pattern:
[timestamp, timezone, server, from, ip, request, method, url, response, http, codeTitle, code=502, bytes, sent, time]
The 'Test pattern' also matches the test above.
Filter name: HTTP502Errors
Metric namespace: ExampleMetric
Metric name: ServerErrorCount
Metric value: 1
Default value – optional: 0
Unit – optional: Count
I should have 5 entries in the logs within the last 24 hours. When I try and graph this new metric or create an alarm there seems to be no data in it. How do I make this work?
When you create a metric filter, you can only see the data that is generated after the metric filter creation.
From docs:
Filters do not retroactively filter data. Filters only publish the metric data points for events that happen after the filter was created
So you won't be able to see the 5 matched log entries, only the new ones.
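To see which matches can ever reach the metric, compare each matched event against the filter's creation time. The sketch below is an added example, not part of the original answer: it works on constructed events in the shape FilterLogEvents returns (`timestamp`, `ingestionTime`, epoch milliseconds) and a constructed `creationTime` as reported by DescribeMetricFilters. The 5-minute period, the helper names and the choice to compare on ingestion time are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

PERIOD_MS = 300_000  # assumed 5-minute metric period


def ms(iso_utc):
    """ISO-8601 UTC string -> epoch milliseconds, the unit the Logs API uses."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def split_by_filter_creation(events, creation_time_ms):
    """Return (counted, missed) for events that match the filter pattern.

    Assumption: the filter is evaluated at ingestion, so an event ingested
    before the filter existed stays searchable but never becomes a data point.
    """
    counted = [e for e in events if e["ingestionTime"] >= creation_time_ms]
    missed = [e for e in events if e["ingestionTime"] < creation_time_ms]
    return counted, missed


def datapoints(counted, metric_value=1):
    """Sum metric_value per period, keyed by period start in epoch ms."""
    buckets = Counter()
    for e in counted:
        buckets[e["timestamp"] - e["timestamp"] % PERIOD_MS] += metric_value
    return dict(sorted(buckets.items()))


def event(iso_utc, delay_ms=2000):
    """Constructed event in the shape FilterLogEvents returns (subset of keys)."""
    t = ms(iso_utc)
    return {"timestamp": t, "ingestionTime": t + delay_ms}


# Constructed sample data: the three 502s shown in the question, three later
# ones, and a made-up creationTime for the HTTP502Errors filter.
FILTER_CREATED = ms("2022-05-05T10:00:00")
EVENTS = [event(t) for t in (
    "2022-04-05T16:04:28", "2022-04-05T16:42:02", "2022-04-05T19:14:50",
    "2022-05-05T10:01:10", "2022-05-05T10:03:40", "2022-05-05T10:07:05",
)]

if __name__ == "__main__":
    counted, missed = split_by_filter_creation(EVENTS, FILTER_CREATED)
    print(f"{len(missed)} matches predate the filter and produce no data")
    for start, total in datapoints(counted).items():
        print(datetime.fromtimestamp(start / 1000, timezone.utc), total)
```

With real data, an empty `counted` list means the graph and the alarm have nothing to show until a new 502 is logged.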