How to Add Logs Insights Queries to Your CloudWatch Dashboard

Amazon CloudWatch Dashboards provide a powerful way to create a single-pane-of-glass view for monitoring your applications. While they are often used for visualizing metrics, a key feature is the ability to display the live results of CloudWatch Logs Insights queries directly on your dashboard.

This allows you to move beyond just metrics and visualize important data from your application and system logs, such as error rates, top IP addresses, request latencies, or any other data you can query.

This guide will walk you through the steps to add a Logs Insights query to a dashboard. As an example, we will create a widget that shows the top IP addresses making requests to our application.

Step-by-Step Guide

1. Navigate to CloudWatch Dashboards

   • In the AWS Management Console, go to the CloudWatch service.

   • Select Dashboards from the left-hand navigation pane.

   • You can either open an existing dashboard or create a new one by clicking Create dashboard.

2. Add a New Widget

   • On your dashboard, click the Add widget button (often represented by a + icon).

3. Select the Widget Type

   • You will be presented with a list of widget types. Select Logs table and click Next.

4. Configure the Widget and Query

   • Select Log Group(s): In the configuration screen, first choose the log group (or multiple log groups) that contains the log data you want to query.

   • Enter Your Query: In the query editor text area, enter your CloudWatch Logs Insights query.

   • Example Query: Top IP Addresses

     For this guide, we'll use a query to find the IP addresses making the most requests. This is useful for identifying high-traffic users or potential security threats. Copy and paste the following query:

     
     fields @timestamp, @message
     
     | stats count(*) as requestCount by @ip
     
     | sort requestCount desc
     

5. Refine the Query (Optional but Recommended)

   • Your logs may contain internal or irrelevant traffic (like health checks or internal service calls). It's good practice to filter these out. For example, if your internal IP range is 10.0.x.x, you can add a filter line to your query:

     
     fields @timestamp, @message
     
     | stats count(*) as requestCount by @ip
     
     | sort requestCount desc
     
     | filter @ip not like "10.0."
     

6. Create the Widget

   • After entering your query, click the Run query button to ensure it works and returns the data you expect.

   • Once you are satisfied, click Create widget. Your new widget showing the results of your Logs Insights query will now appear on your dashboard.

Important Considerations

• Query Costs: Be aware that CloudWatch Logs Insights queries incur costs based on the amount of data scanned. The queries in your dashboard widgets run each time the dashboard is loaded or the widget is refreshed. Avoid auto-refreshing dashboards with many complex queries at very high frequencies to manage costs.

• Time Frames: You can adjust the time frame for your entire dashboard (e.g., Last 5 minutes, Last 1 hour) and the widget will automatically update to show the query results for that specific period.

• Result Limits: Logs Insights query results that are displayed in a dashboard widget are limited to showing a maximum of 1,000 entries.

By adding your most common troubleshooting and monitoring queries to a dashboard, you can significantly speed up your ability to diagnose issues and gain a deeper understanding of your application's behavior.