Creating a scheduled query
Create a scheduled query that automatically runs CloudWatch Logs Insights queries and delivers
results to your chosen destinations.
Prerequisites
Before creating a scheduled query, ensure you have the following:
- Log groups - One or more log groups containing the data you want to analyze
- Execution IAM role - An IAM role with the following permissions:
  - logs:StartQuery - Permission to start CloudWatch Logs Insights queries
  - logs:GetQueryResults - Permission to retrieve query results
  - logs:DescribeLogGroups - Permission to access log group information. This is only required for prefix-based log groups, for log group discovery
- Destination permissions - Additional IAM permissions for your chosen destination:
- For AWS CLI and API usage - Configured AWS credentials with permissions to call CloudWatch Logs APIs
For detailed IAM policy examples, see Identity and access management for Amazon CloudWatch Logs. Note that you can have at most 1000 scheduled queries per account.
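The execution role's permission list above can be checked mechanically before the role is attached to a schedule. The following Python sketch is an added example, not part of the original documentation: it audits an IAM policy document against the three actions listed in the prerequisites and reports missing or overly broad grants. The function name, the sample policies, the Region and the log group ARNs are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Actions this page lists for the execution role (IAM action names are
# case-insensitive, so everything is compared in lower case).
BASE = {"logs:startquery", "logs:getqueryresults"}
PREFIX_ONLY = {"logs:describeloggroups"}  # only for prefix-based log groups


def _listify(value):
    """IAM accepts a single item or a list for Statement/Action/Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_execution_policy(policy, uses_prefix_log_groups=False):
    """Return sorted findings for an IAM policy document given as a dict.

    Only Allow statements are inspected; NotAction, Deny and Condition
    are not evaluated.
    """
    needed = BASE | (PREFIX_ONLY if uses_prefix_log_groups else set())
    granted, findings = set(), set()
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _listify(stmt.get("Resource", []))
        for action in (a.lower() for a in _listify(stmt.get("Action", []))):
            if action not in BASE | PREFIX_ONLY:
                findings.add(f"grants more than listed: {action}")
            # Wildcards in IAM action names are matched as globs.
            granted |= {n for n in needed if fnmatchcase(n, action)}
            if fnmatchcase("logs:startquery", action) and "*" in resources:
                findings.add("logs:startquery allowed on every log group")
    findings |= {f"missing: {n}" for n in needed - granted}
    return sorted(findings)


# Constructed sample policies (Region and ARNs are illustrative assumptions).
ARN = "arn:aws:logs:us-east-1:123456789012:log-group:"
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:StartQuery",
     "Resource": [ARN + "/aws/lambda/my-function:*",
                  ARN + "/aws/apigateway/my-api:*"]},
    {"Effect": "Allow", "Action": "logs:GetQueryResults", "Resource": "*"},
]}
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("OVERBROAD", OVERBROAD)):
        print(name, audit_execution_policy(doc))
```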
Console

To create a scheduled query (console)

- Open the CloudWatch Logs console at https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:logs-insights.
- In the navigation pane, choose Logs Insights.
- Choose Create scheduled query.
- In the Query definition section:
  - For Query language, choose the query language to use from the list.
  - For Query string, enter your CloudWatch Logs Insights query in the box.
  - For Log groups, select the log groups to query from the list.
- In the Schedule setup section:
  - For Schedule expression, configure when the query runs. Choose from predefined options or enter a custom cron expression.
  - For Effective upon creation, specify when the schedule becomes active. Choose to start immediately or at a specific date and time using YYYY/MM/DD format.
  - For Time range, specify the lookback period for each query execution. Enter the duration in minutes that defines how far back from the execution time to query.
  - For Continue indefinitely, specify when the schedule ends. Choose to run indefinitely or until a specific date and time using YYYY/MM/DD format.
  - The console displays the next three scheduled query runs based on your configuration, showing the exact dates and times in UTC when the query will execute.
- In the Post query results to S3 - optional section (if using S3 destination):
  - For S3 bucket, select This account if the destination bucket is in the same AWS account, or select Another account if the bucket is in a different AWS account and provide the account ID of the bucket-owning account as input.
  - For Amazon S3 URI, enter the Amazon S3 bucket and prefix where results will be stored (for example, s3://my-bucket/query-results/). If you selected This account, you can choose Browse Amazon S3 to navigate and select an existing Amazon S3 location.
  - (Optional) For KMS key ARN, enter the ARN of a customer managed AWS KMS key to encrypt the query results using SSE-KMS. The key must be in the same AWS Region as the destination Amazon S3 bucket.
- In the IAM role for posting query results to Amazon S3 section, choose one of the following options:
  - Choose Auto-create a new role with default permissions to automatically set up an IAM role with the permissions required for CloudWatch Logs to deliver query results to Amazon S3.
  - Choose Use an existing role to select an existing IAM role with the required policies for CloudWatch Logs to deliver query results to Amazon S3. Use the search field to find and select the appropriate IAM role from the list.
- In the IAM role for scheduled query execution section, choose one of the following options:
  - Choose Auto-create a new role with default permissions to automatically set up an IAM role with the permissions required for CloudWatch Logs to execute scheduled queries.
  - Choose Use an existing role to select an existing IAM role with the required policies for CloudWatch Logs to execute scheduled queries. Use the search field to find and select the appropriate IAM role from the list.
- Choose Create schedule to create the scheduled query.

AWS CLI

To create a scheduled query (AWS CLI)

- Use the create-scheduled-query command to create a new scheduled query:

      aws logs create-scheduled-query \
          --name "ErrorAnalysisQuery" \
          --query-language "CWLI" \
          --query-string "fields @timestamp, @message | filter @message like /ERROR/ | stats count() by bin(5m)" \
          --schedule-expression "cron(8 * * * ? *)" \
          --execution-role-arn "arn:aws:iam::123456789012:role/CloudWatchLogsScheduledQueryRole" \
          --log-group-identifiers "/aws/lambda/my-function" "/aws/apigateway/my-api" \
          --state "ENABLED"

API

To create a scheduled query (API)

- Use the CreateScheduledQuery action to create a new scheduled query. The following example creates a scheduled query that runs every hour:

      {
          "name": "ErrorAnalysisQuery",
          "queryLanguage": "CWLI",
          "queryString": "fields @timestamp, @message | filter @message like /ERROR/ | stats count() by bin(5m)",
          "scheduleExpression": "cron(8 * * * ? *)",
          "executionRoleArn": "arn:aws:iam::123456789012:role/CloudWatchLogsScheduledQueryRole",
          "logGroupIdentifiers": ["/aws/lambda/my-function", "/aws/apigateway/my-api"],
          "state": "ENABLED"
      }

After creating the scheduled query, you can view and manage it from the Scheduled queries page and by using the ListScheduledQueries API, which shows all your scheduled queries with their names, creation dates, status of last run, last triggered time, and repeat frequency.