Start a CloudWatch investigation from an alarm
Start a CloudWatch investigation from an alarm, or from any point in the last two weeks of a CloudWatch alarm's history.
For more information about CloudWatch investigations, see CloudWatch investigations.
Prerequisites
Before you can start a CloudWatch investigation from a CloudWatch alarm, you must create a resource policy for the investigation group that allows the CloudWatch service principal to start the investigation. To do this using the AWS CLI, use a command similar to the following example:
    aws aiops put-investigation-group-policy \
        --identifier arn:aws:aiops:us-east-1:111122223333:investigation-group/investigation_group_id \
        --policy '{
          "Version": "2008-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {"Service": "aiops.alarms.cloudwatch.amazonaws.com"},
              "Action": ["aiops:CreateInvestigation", "aiops:CreateInvestigationEvent"],
              "Resource": "*",
              "Condition": {
                "StringEquals": {"aws:SourceAccount": "111122223333"},
                "ArnLike": {"aws:SourceArn": "arn:aws:cloudwatch:us-east-1:111122223333:alarm:*"}
              }
            }
          ]
        }' \
        --region us-east-1
Replace the example values with your own AWS account ID, region, and investigation group ID.
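The following Python sketch is an added example, not part of the AWS documentation. It builds the prerequisite policy for a given account and Region, renders the CLI call with safe quoting, and checks that a policy still carries the aws:SourceAccount and aws:SourceArn conditions that restrict the service principal to your own account's alarms. The function names build_policy, lint_policy and cli_command are hypothetical.

```python
import json
import shlex

ALARM_PRINCIPAL = "aiops.alarms.cloudwatch.amazonaws.com"
ALLOWED_ACTIONS = {"aiops:CreateInvestigation", "aiops:CreateInvestigationEvent"}


def build_policy(account_id, region):
    """Build the resource policy from the prerequisite step for one account and Region."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ALARM_PRINCIPAL},
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn":
                            f"arn:aws:cloudwatch:{region}:{account_id}:alarm:*"},
            },
        }],
    }


def lint_policy(policy, account_id, region):
    """Return a list of scoping problems; an empty list means none were found."""
    problems = []
    prefix = f"arn:aws:cloudwatch:{region}:{account_id}:alarm:"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if actions - ALLOWED_ACTIONS:
            problems.append(f"statement {i}: extra actions {sorted(actions - ALLOWED_ACTIONS)}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            problems.append(f"statement {i}: aws:SourceAccount is not pinned to {account_id}")
        if not str(cond.get("ArnLike", {}).get("aws:SourceArn", "")).startswith(prefix):
            problems.append(f"statement {i}: aws:SourceArn is not limited to this account's alarms")
    return problems


def cli_command(account_id, region, group_id):
    """Render the put-investigation-group-policy call with shell-safe quoting."""
    arn = f"arn:aws:aiops:{region}:{account_id}:investigation-group/{group_id}"
    policy = json.dumps(build_policy(account_id, region), separators=(",", ":"))
    return " ".join(["aws aiops put-investigation-group-policy",
                     "--identifier", shlex.quote(arn),
                     "--policy", shlex.quote(policy),
                     "--region", shlex.quote(region)])
```

Run lint_policy against the policy you intend to attach before calling the CLI; the check compares condition keys by exact spelling, which is an assumption of this sketch.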
Start an investigation from a CloudWatch alarm
1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2. In the left navigation pane, choose Alarms, All alarms.
3. Choose the name of the alarm.
4. Choose the time period in the alarm history that you want to investigate.
5. Choose Investigate, Start new investigation.
6. For New investigation title, enter a name for the investigation. Then choose Start investigation.
   The CloudWatch investigations assistant starts and scans your telemetry data to find data that might be associated with this situation.
7. In the CloudWatch console's navigation pane, choose Investigations, then choose the name of the investigation that you just started.
   The Findings section displays a natural-language summary of the alarm's status and the reason that it was triggered.
8. (Optional) In the graph of the alarm, right-click and choose to deep-dive into the alarm or the metric that it watches.
9. On the right side of the screen, choose the Suggestions tab.
   A list of other telemetry that CloudWatch investigations has discovered and that might be relevant to the investigation appears. These findings can include other metrics and CloudWatch Logs Insights query results. CloudWatch investigations ran these queries based on the alarm.
10. For each finding, choose Add to findings or Discard.
   When you choose Add to findings, the telemetry is added to the Findings section, and CloudWatch investigations uses this information to direct its further scanning and suggestions.
11. For a CloudWatch Logs Insights query result, to change or edit the query and re-run it, open the context (right-click) menu for the results, and then choose Open in Logs Insights. For more information, see Analyzing log data with CloudWatch Logs Insights.
   To run a different query, when you get to the Logs Insights page, choose to use query assist to form a query using natural language. For more information, see Use natural language to generate and update CloudWatch Logs Insights queries.
12. (Optional) If you know of telemetry in another AWS service that might apply to this investigation, go to that service's console and add the telemetry to the investigation.
13. CloudWatch investigations might also add hypotheses to the list in the Suggestions tab. These hypotheses are generated by the investigation in natural language.
   For each hypothesis, choose Add to findings or Discard.
14. When you think you have completed the investigation and found the root cause of the issue, choose the Overview tab and then choose Investigation summary. CloudWatch investigations then creates a natural-language summary of the important findings and hypotheses from the investigation.