
CloudWatch Logs Insights from the CLI

Start a Logs Insights query, poll for results, pipe to claude. The aws-cli way to do what most people open the console for.

Setup
  • → brew install awscli
  • → aws configure
  • → claude /login OR export ANTHROPIC_API_KEY=sk-…
Cost per run
<$0.01
The one-liner
QID=$(aws logs start-query \
        --log-group-name /aws/lambda/my-function \
        --start-time $(($(date +%s) - 3600)) \
        --end-time   $(date +%s) \
        --query-string 'fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 100' \
        --query queryId --output text)

sleep 5

aws logs get-query-results --query-id "$QID" \
  | jq -r '.results[][] | select(.field=="@message").value' \
  | claude -p "Identify the top 3 error patterns and rank by likely production impact. Cite a representative line per pattern."
What each stage does
  1. [01] aws · aws logs start-query --query-string '…'
    Logs Insights queries are SQL-like over CloudWatch logs. `fields … | filter … | stats … | sort … | limit …` is the canonical chain.
  2. [02] aws · --query queryId --output text
    AWS CLI's client-side projection: pull just the queryId out of the response without piping through jq. Saves a step.
  3. [03] bash · sleep 5
    Logs Insights is asynchronous — start the query, then poll. 5s is enough for most 1-hour windows. For longer windows, loop with `aws logs get-query-results` until .status is 'Complete'.
  4. [04] jq · jq -r '.results[][] | select(.field=="@message").value'
    Logs Insights returns rows as arrays of {field, value} objects. Walk the nested arrays, keep just the @message values.
  5. [05] claude · claude -p "…rank by likely production impact…"
    The 'rank by impact' framing nudges claude to prioritize what to fix, not just list what happened.
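
The polling loop that stage 03 recommends for longer windows, written out as an added example (not part of the original page). `wait_for_query`, `MAX_TRIES` and `POLL_SECS` are hypothetical names; it treats any status other than Scheduled, Running or Complete as a failure, so an errored or cancelled query never reaches claude as an empty result.

```shell
# Added example: poll a Logs Insights query until it reaches a terminal status.
# wait_for_query, MAX_TRIES and POLL_SECS are hypothetical names, not from the page.
# Usage: wait_for_query "$QID" | jq -r '.results[][] | select(.field=="@message").value'
wait_for_query() {
  qid=$1
  max_tries=${MAX_TRIES:-30}   # give up after this many polls
  poll_secs=${POLL_SECS:-2}    # seconds to wait between polls
  try=0
  while [ "$try" -lt "$max_tries" ]; do
    # Client-side projection (as in stage 02): read only the status field.
    status=$(aws logs get-query-results --query-id "$qid" \
               --query status --output text) || return 1
    case "$status" in
      Complete)
        # Terminal and successful: emit the full JSON on stdout for jq.
        aws logs get-query-results --query-id "$qid" --output json
        return
        ;;
      Scheduled|Running)
        try=$((try + 1))
        sleep "$poll_secs"
        ;;
      *)
        # Failed, Cancelled, Timeout, Unknown, or anything unexpected.
        echo "query $qid ended with status: $status" >&2
        return 2
        ;;
    esac
  done
  # Deadline reached: stop the query instead of leaving it running.
  aws logs stop-query --query-id "$qid" >/dev/null 2>&1
  echo "query $qid still running after $max_tries polls; stopped" >&2
  return 3
}
```

Exit codes: 0 with the result JSON on stdout, 1 if the CLI call itself fails, 2 for a non-successful terminal status, 3 when the poll limit is hit.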
Expected output (sample)
1. **Connection timeout to RDS** — 412 occurrences. Likely a connection-pool leak after the 4.2 deploy. Sample: `psycopg2.OperationalError: timeout expired`.

2. **S3 NoSuchKey on /tmp uploads** — 89 occurrences. Race condition between writer and reader Lambdas. Sample: `botocore.errorfactory.NoSuchKey: …/run-2026-05-10T22:13.json`.

3. **DynamoDB ThrottlingException** — 47 occurrences. WCU saturation between 18:00–18:15 UTC daily.
Caveats & tips
  • Query language docs: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html
  • Logs Insights bills per GB scanned — narrow the time window before broadening the filter.