Use facets to group and explore logs - Amazon CloudWatch Logs

Use facets to group and explore logs

Facets are useful for analyzing logs as they allow you to interactively filter and group your data without running queries. A facet is a field in your logs (such as ServiceName or StatusCode) that enables filtering, aggregation and analysis across log groups. You can view the list of faceted fields in the CloudWatch Logs Insights console, along with the count of log events for each facet value based on your selected time range. As you select different facets and values, the facet values and counts are updated in real-time, enabling you to interactively explore your logs.

Each facet shows available values and counts automatically extracted from fields in your logs based on the selected time range and query scope, and retained for 30 days. Facet counts shown are approximate. You can use the default facets such as data source name or data source type to explore your logs, or create custom facets on any of the fields in your logs. Data source name is the AWS service or application that generates the logs (for example, Route 53, Amazon VPC, or CloudTrail), and data source type is the specific type of log generated by that service. Default facets are created by CloudWatch and include @aws.region, @data_source_name, @data_source_type, and @data_format. For more information, see Log management. Facets are only available for logs that are ingested in the account. If you have set up cross-account observability, the monitoring account cannot view facets based on logs from source accounts.

To create additional facets, select the fields in your logs that are relevant to your troubleshooting and configure them using index policies. For custom facets, we recommend creating them on low-cardinality fields (fields having fewer than 100 unique values per day, such as Status and ApplicationName). Facets with more than 100 unique values per day are classified as high-cardinality, and values for these facets are not displayed. Select one or more facets and click Run to run queries across your logs.

To get started with facets in CloudWatch Logs Insights:

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs, Logs Insights.

  3. (Optional) Use the time range selector to select a time period that you want to analyze. For the selected time range, available facets and values are shown in the panel.

  4. Select facets to explore your data and see real-time updates of the value distributions across the facets.

    Facets with more than 100 unique values are not displayed. To query specific values, use filters in your query instead.

To run a facet-based query

  1. Select one or more values across facets.

  2. The event count will update based on the facets and values selected.

  3. As facet values are selected, the query scope is updated to reflect the selection.

  4. After selecting the facet values, click Run to execute your query.

  5. The maximum number of unique values supported per facet is 100. If a facet has more than 100 values, all of its counts are displayed as "-", indicating that the values are unknown.
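The behaviour described in the two procedures above (facet counts that follow the time range and the selected values, and the 100-unique-value cap that turns a facet's counts into "-") modelled locally, as an added example that is not AWS code; the log events are constructed, and the field names (StatusCode, ServiceName, RequestId) are assumptions that mirror the examples on this page:

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

MAX_UNIQUE_VALUES = 100  # above this a facet is high-cardinality; console shows "-"
BASE = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def build_events(n=150):
    """Constructed sample log events, one per minute; RequestId is unique per event."""
    services = ["orders", "payments", "auth"]
    return [
        {
            "@timestamp": BASE + timedelta(minutes=i),
            "@data_source_name": "CloudTrail" if i % 3 == 0 else "Lambda",
            "StatusCode": "500" if i % 10 == 0 else "200",
            "ServiceName": services[i % 3],
            "RequestId": f"req-{i:04d}",  # high-cardinality: never a good facet
        }
        for i in range(n)
    ]


def scope_events(events, start=None, end=None, selection=None):
    """Apply the query scope: the time range plus every selected facet value
    (selecting several values of one field matches any of them)."""
    selection = selection or {}
    out = []
    for ev in events:
        ts = ev["@timestamp"]
        if (start and ts < start) or (end and ts > end):
            continue
        if all(ev.get(field) in values for field, values in selection.items()):
            out.append(ev)
    return out


def facet_counts(events, facet_fields, max_unique=MAX_UNIQUE_VALUES, **scope):
    """Return {field: {value: count}} over the scoped events; a field with more
    than max_unique distinct values is reported as "-" (values unknown)."""
    scoped = scope_events(events, **scope)
    result = {}
    for field in facet_fields:
        counts = Counter(ev[field] for ev in scoped if field in ev)
        result[field] = "-" if len(counts) > max_unique else dict(counts)
    return result


if __name__ == "__main__":
    events = build_events()
    fields = ["@data_source_name", "StatusCode", "ServiceName", "RequestId"]
    print(facet_counts(events, fields))
    # Drill down: selecting StatusCode=500 narrows every other facet's counts.
    print(facet_counts(events, fields, selection={"StatusCode": {"500"}}))
```

Note that RequestId is reported as "-" over the full range but becomes countable once a selection narrows the scope below 100 distinct values, which is exactly why low-cardinality fields make the useful facets.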

To save a facet-based query

  1. Create your query using one or more facet values.

  2. The rest of the steps are the same as saving a Logs Insights query. See Saving CloudWatch Logs Insights queries.

  3. Your saved queries are available in the Saved Queries section. When you retrieve a saved query, it will automatically include the facets and values used for the query, making it easy to analyze your logs.

To create an account-level facet

  1. To create facets, you need to first create the field as an index and configure it as a facet. In the navigation pane, choose Settings, Logs, Account level index policies. Alternatively, you can select Manage facets on the facets panel.

  2. Choose Create new index policy. For details on creating index policies, see Create an account-level field index policy.

  3. To create a facet, check Set as facet for the selected field in the index policy creation page.

Facet Management using APIs

Facet management can be done using the field index policy. See field index APIs for details.

Field Index APIs

| No. | Name | Description |
|-----|------|-------------|
| 1 | PutIndexPolicy | Creates or updates a field index policy for the specific log group |
| 2 | PutAccountPolicy | Creates an account-level data protection policy, subscription filter policy, field index policy, transformer policy, or metric extraction policy that applies to all log groups or a subset of log groups in the account |
| 3 | DeleteIndexPolicy | Deletes a log-group level field index policy that was applied to a single log group |
| 4 | DeleteAccountPolicy | Deletes a CloudWatch Logs account policy |