CloudWatch Metric Filter Pattern Tester - Preview Matches and Extracted Values for Log Events


Test CloudWatch Logs metric filter patterns against sample log events and preview both the match result and the extracted field values. Supports the three pattern formats - Plain Text, JSON, and Space-Delimited - so you can iterate on filters without touching the AWS console.

All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your filter patterns and log events never leave your device.

  • This tool is provided "AS IS" without any warranties of any kind.
  • The author accepts no responsibility for incorrect filter decisions made based on its output.
  • Always validate critical metric filter patterns in a non-production environment before relying on them.
  • By using this tool, you accept full responsibility for any outcomes.

Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

Log format

Plain Text patterns match substrings in each log line.

Whitespace-separated terms are combined with AND. Wrap a phrase with "..." to match it literally. Prefix with - to exclude a term, and with ? to treat the term as an OR alternative (at least one ? term must match).

Example: ERROR -INFO or ?ERROR ?Exception
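
The Plain Text rules above, written out as an added example (not the tool's own source). It follows this page's description of AND, -, ? and quoted phrases, with case-sensitive substring matching; the function names and sample lines are constructed for illustration.

```javascript
// Split a pattern into terms. A "quoted phrase" stays one term;
// a leading - marks an exclusion and a leading ? marks an OR alternative.
function parsePlainPattern(pattern) {
  const terms = [];
  const re = /([-?]?)(?:"([^"]*)"|(\S+))/g;
  let m;
  while ((m = re.exec(pattern)) !== null) {
    const kind = m[1] === "-" ? "exclude" : m[1] === "?" ? "any" : "all";
    terms.push({ kind, text: m[2] !== undefined ? m[2] : m[3] });
  }
  return terms;
}

// Test one log line and report the first term that caused a mismatch.
function testPlain(pattern, line) {
  const terms = parsePlainPattern(pattern);
  for (const t of terms) {
    const hit = line.includes(t.text); // case-sensitive substring match
    if (t.kind === "all" && !hit)
      return { match: false, reason: `missing term "${t.text}"` };
    if (t.kind === "exclude" && hit)
      return { match: false, reason: `excluded term "${t.text}" present` };
  }
  const any = terms.filter((t) => t.kind === "any");
  if (any.length > 0 && !any.some((t) => line.includes(t.text)))
    return { match: false, reason: "none of the ? terms present" };
  return { match: true, reason: "" };
}

// Constructed sample events, one per line.
const PLAIN_SAMPLES = [
  "2024-05-01T10:00:00Z ERROR disk full on /var",
  "2024-05-01T10:00:01Z ERROR INFO mixed-level line",
  "2024-05-01T10:00:02Z error lower-case level",
  "2024-05-01T10:00:03Z java.lang.NullPointerException at Handler.run",
];

// Batch mode: one result row per event, as in the tool's results table.
function testPlainBatch(pattern, lines) {
  return lines.map((line) => ({ line, ...testPlain(pattern, line) }));
}

for (const row of testPlainBatch("ERROR -INFO", PLAIN_SAMPLES))
  console.log(row.match ? "MATCH   " : "NO MATCH", row.reason, "|", row.line);
```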

JSON patterns are wrapped in { ... } and evaluate property selectors against parsed JSON log events.

Selectors use the $.path.to[0].field form. Supported operators: =, !=, >, <, >=, <=, plus IS NULL and NOT EXISTS. Combine with && / || and optional parentheses. Use * in string values for wildcard matching.

Example: { $.level = "ERROR" && $.latency > 1000 }
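
A compact evaluator for the JSON pattern form described above, as an added example (not the tool's own source). Assumptions made here: && binds tighter than ||, a non-string value never satisfies a string comparison, and patterns are well-formed; the function names and sample event are constructed.

```javascript
const TOKEN = /\$[\w.\[\]-]+|"[^"]*"|&&|\|\||[()]|IS NULL|NOT EXISTS|[<>!]=|[=<>]|-?\d+(?:\.\d+)?/g;

// Walk "$.a.b[0].c" through a parsed event; undefined means the path is absent.
function resolve(event, selector) {
  let cur = event;
  for (const step of selector.slice(1).match(/\.[\w-]+|\[\d+\]/g) || []) {
    const key = step[0] === "." ? step.slice(1) : Number(step.slice(1, -1));
    if (cur === null || typeof cur !== "object") return undefined;
    if (!Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

function compare(actual, op, expected) {
  if (op === "IS NULL") return actual === null;
  if (op === "NOT EXISTS") return actual === undefined;
  if (typeof expected === "string") {
    if (typeof actual !== "string") return false; // assumption, see lead-in
    const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    const hit = new RegExp("^" + expected.split("*").map(esc).join(".*") + "$").test(actual);
    return op === "=" ? hit : op === "!=" ? !hit : false;
  }
  if (typeof actual !== "number") return false; // numeric ops need a numeric JSON value
  return { "=": actual === expected, "!=": actual !== expected, ">": actual > expected,
           "<": actual < expected, ">=": actual >= expected, "<=": actual <= expected }[op];
}

// Recursive descent over the tokens between { and }.
function evaluateJsonPattern(pattern, event) {
  const t = pattern.trim().slice(1, -1).match(TOKEN) || [];
  let i = 0;
  const cond = () => {
    if (t[i] === "(") { i++; const v = or(); i++; return v; } // skip "(" and ")"
    const sel = t[i++], op = t[i++];
    if (op === "IS NULL" || op === "NOT EXISTS") return compare(resolve(event, sel), op);
    const raw = t[i++];
    return compare(resolve(event, sel), op, raw[0] === '"' ? raw.slice(1, -1) : Number(raw));
  };
  const and = () => { let v = cond(); while (t[i] === "&&") { i++; const r = cond(); v = v && r; } return v; };
  const or = () => { let v = and(); while (t[i] === "||") { i++; const r = and(); v = v || r; } return v; };
  return or();
}

// Constructed sample event.
const JSON_SAMPLE = { level: "ERROR", latency: 1500, err: null, items: [{ id: "a-1" }] };
console.log(evaluateJsonPattern('{ $.level = "ERROR" && $.latency > 1000 }', JSON_SAMPLE));
```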

Space-Delimited patterns declare a list of field names in brackets, e.g. [ip, id, user, timestamp, request, status_code, bytes].

Add conditions such as status_code = 5*, bytes > 1000, or status_code != 200 to filter rows. Use ... anywhere in the field list to match zero or more tokens, e.g. [ip, ..., status_code = 200, bytes].

Log tokens are split on whitespace; "..." and [...] groupings are kept together (Apache combined log format friendly).
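
The Space-Delimited tokenizing and field alignment described above, as an added example (not the tool's own source). Assumptions made here: at most one ... placeholder, a pattern without ... requires the token count to equal the field count, and grouped tokens keep their quotes or brackets; the function names and the sample Apache line are constructed.

```javascript
// Split on whitespace, keeping "..." and [...] groups as single tokens.
function tokenize(line) {
  return line.match(/\[[^\]]*\]|"[^"]*"|\S+/g) || [];
}

// "[ip, ..., status_code = 5*, bytes > 1000]" -> [{name, op, value}, ...]
function parseFields(pattern) {
  return pattern.trim().slice(1, -1).split(",").map((f) => {
    const m = f.trim().match(/^(\.\.\.|\w+)\s*(?:(!=|>=|<=|=|>|<)\s*(.+))?$/);
    if (!m) throw new Error("bad field: " + f.trim());
    return { name: m[1], op: m[2], value: m[3] };
  });
}

// = and != compare as strings with * as the only wildcard; the rest compare as numbers.
function holds(token, op, value) {
  if (op === "=" || op === "!=") {
    const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    const re = new RegExp("^" + value.split("*").map(esc).join(".*") + "$");
    return re.test(token) === (op === "=");
  }
  const a = Number(token), b = Number(value);
  if (Number.isNaN(a) || Number.isNaN(b)) return false;
  return op === ">" ? a > b : op === "<" ? a < b : op === ">=" ? a >= b : a <= b;
}

function testSpaceDelimited(pattern, line) {
  const fields = parseFields(pattern), tokens = tokenize(line);
  const gap = fields.findIndex((f) => f.name === "...");
  const head = gap < 0 ? fields : fields.slice(0, gap);   // aligned from the start
  const tail = gap < 0 ? [] : fields.slice(gap + 1);      // aligned from the end
  const named = head.length + tail.length;
  if (gap < 0 ? tokens.length !== named : tokens.length < named)
    return { match: false, fields: {},
             reason: `expected ${gap < 0 ? "" : "at least "}${named} tokens, got ${tokens.length}` };
  const pairs = [...head.map((f, i) => [f, tokens[i]]),
                 ...tail.map((f, i) => [f, tokens[tokens.length - tail.length + i]])];
  const extracted = Object.fromEntries(pairs.map(([f, t]) => [f.name, t]));
  for (const [f, t] of pairs)
    if (f.op && !holds(t, f.op, f.value))
      return { match: false, fields: extracted, reason: `${f.name} ${f.op} ${f.value} failed on "${t}"` };
  return { match: true, fields: extracted, reason: "" };
}

// Constructed Apache-style sample line.
const SD_SAMPLE = '127.0.0.1 - frank [10/Oct/2000:13:25:15 -0700] "GET /index.html HTTP/1.0" 503 1534';
console.log(testSpaceDelimited("[ip, ..., status_code = 5*, bytes > 1000]", SD_SAMPLE));
```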


Features

  • Three Pattern Formats: Plain Text, JSON, and Space-Delimited are implemented in a single tool so you can compare behavior across formats.
  • Batch Testing: Paste many log events and see per-event Match / No Match plus the extracted fields in a single table.
  • Failure Reasons: Every "No Match" row reports the exact term or selector that caused the mismatch.
  • Field Extraction Preview: For JSON and Space-Delimited patterns, see the resolved value of each referenced field - useful when designing a metric_value expression later.
  • Presets per Format: One-click examples for common cases such as ERROR -INFO, { $.level = "ERROR" && $.latency > 1000 }, and Apache 5xx filtering.
  • Privacy: Everything runs locally in your browser. No log data is sent anywhere.

How to Use

  1. Pick the log format tab that matches your logs: Plain Text, JSON, or Space-Delimited.
  2. Click a preset to load a ready-to-run example, or type your own pattern in the left textarea.
  3. Paste your log events in the right textarea (one per line). JSON format also accepts a single JSON array.
  4. Click Test Pattern. The summary shows totals; each row in the results table shows Match / No Match, the failure reason, and any extracted fields.
  5. Expand View raw log on any row to inspect the original event, or use Copy Results to grab a plain-text summary.

Important Notes

  • Out of scope (MVP): Subscription filter variants, metric_value extraction and the actual CloudWatch Metrics emission, and count / sum aggregation simulation are not implemented.
  • JSON selectors: Indexing is zero-based ($.items[0].id) and key names may include letters, digits, _, and -. Numeric comparisons require numeric JSON values on both sides.
  • Plain Text: Matching is substring-based and case-sensitive, mirroring the CloudWatch Logs Filter and Pattern Syntax documentation.
  • Space-Delimited: Log tokens are split on whitespace; "..." and [...] groups are treated as a single token. The ... placeholder greedily skips tokens until the remaining fields can align.
  • Wildcard: Only the * character acts as a wildcard in string comparisons. Other characters are matched literally.
  • Best effort: This tool implements the documented CloudWatch Logs metric filter syntax but does not guarantee full parity with the AWS service for every undocumented edge case. Validate critical filters in the AWS console before relying on them in production.
  • Evaluation trigger: Matching runs on the Test Pattern button rather than live-as-you-type, to keep typing responsive when working with long log sets or complex patterns.


Written by Hidekazu Konishi