CloudWatch Logs Insights Query Builder - Visual Logs Insights Query Composer with Syntax Check

First Published:
Last Updated:

Compose CloudWatch Logs Insights queries visually with block-based UI, syntax checks, and AWS CLI command generation.

All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your query configuration never leaves your device.

  • This tool is provided "AS IS" without any warranties of any kind.
  • The author accepts no responsibility for any differences between the generated queries and actual CloudWatch Logs Insights behavior.
  • This tool does not execute queries. No AWS credentials are requested or used.
  • Syntax checks are static and best-effort; they do not replace the official CloudWatch Logs Insights engine.
  • By using this tool, you accept full responsibility for any outcomes.

This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

Query Builder

Time range (console hint)

Typical console selections: Last 15 minutes / 1 hour / 24 hours / 7 days.
The Logs Insights query text itself does not encode the time range — it is specified at execution time (Console UI or aws logs start-query --start-time --end-time).

Generated Query

AWS CLI command

# Click "Generate CLI Command" to build an `aws logs start-query` command.

Features

  • Block-based UI: Add fields, filter, parse, stats, sort, limit, and display blocks. Reorder with up/down buttons.
  • Field chip input: Type a field, press Enter to add it as a chip. Common @ fields (@timestamp, @message, @duration, etc.) are provided as suggestions.
  • Live serialization: The builder state is continuously serialized into a real Logs Insights query on the right panel.
  • Manual editing: Edit the generated query directly for fine-tuning. A badge indicates when the builder is out of sync. Optionally rebuild the builder from the manually edited query (best-effort parser).
  • Presets: Error log aggregation, Lambda @duration analysis, API Gateway 5xx, VPC Flow Logs REJECT, Top N IP addresses.
  • Syntax checks: Command order warnings (e.g. parse after stats), sort constraints, limit integer range (1–10000), empty fields, pattern format for parse, duplicate fields.
  • AWS CLI generation: Produces an aws logs start-query command with log group name and start/end Unix timestamps.
  • Client-side only: No query execution, no AWS API calls, no data sent anywhere.

How to Use

  1. Click a preset button to load a working query, or start empty and click + fields / + filter / etc. to add blocks.
  2. Configure each block: add fields as chips, add filter conditions, choose aggregation functions, set sort order, set a limit.
  3. Use the and buttons to reorder blocks. The recommended order is fieldsfilterparsestatssortlimit.
  4. Review the generated query on the right. The syntax-check panel shows warnings and errors automatically.
  5. Optionally edit the generated query directly. If you need to bring manual edits back into the builder, click Rebuild Builder from Query.
  6. Fill in the log group name and start/end Unix timestamps, then click Generate CLI Command to build an aws logs start-query command.
  7. Copy the query or CLI command with the copy buttons, and paste it into the CloudWatch Logs Insights console or a terminal.

Important Notes

  • This tool performs static syntax checks only. The authoritative grammar is defined by CloudWatch Logs Insights itself.
  • The query text in Logs Insights does not contain a time range. Specify time range in the console or via --start-time / --end-time.
  • The built-in query parser (used by Rebuild Builder from Query) supports the forms this tool generates. Complex hand-written queries may not round-trip perfectly.
  • pct(field, N) takes two arguments — enter both in the aggregation argument field as @duration, 95.
  • For the filter value field, quote string literals with double quotes ("REPORT") and use slashes for regex patterns (/ERROR/). Numbers can be entered bare (500).
  • The limit maximum in CloudWatch Logs Insights is 10000.
  • The generated AWS CLI command uses single-quoted query strings with POSIX-style shell escaping; adapt as needed for Windows PowerShell or cmd.

References:
Tech Blog with curated related content
Web Tools Collection

Written by Hidekazu Konishi