CloudWatch case insensitive like filter

posted on 2021-11-21

For some reason I can't find proper documentation on the AWS CloudWatch log filtering syntax.

They support regex filtering using like /your regex/ but I can't find any documentation on the regex pattern syntax, so let's assume PCRE.

Because of the syntax of the CloudWatch query language, we can't apply modifiers outside of the forward slashes. This leaves us with only being able to use inline modifiers.

Examples

Filter all messages with error or exception in them, ignoring case:

fields @timestamp, @message
| filter @message like /(?i)(error|exception)/
| sort @timestamp desc
| limit 20

Filter messages which contain ERROR in all caps, followed by http in any case later in the message:

fields @timestamp, @message
| filter @message like /ERROR.*(?i)http/
| sort @timestamp desc
| limit 20
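
To check offline which messages the two patterns above keep, here is an added example (not part of the original post) that runs them over constructed log lines. Go's regexp package, which accepts the same inline (?i) syntax, stands in for the CloudWatch engine; that the two agree on these patterns is an assumption, and Select, anyCase, mixedCase and sampleLines are names made up for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// The two patterns from the queries above, without the surrounding slashes.
var (
	anyCase   = regexp.MustCompile(`(?i)(error|exception)`)
	mixedCase = regexp.MustCompile(`ERROR.*(?i)http`)
)

// sampleLines are constructed log messages, not real CloudWatch output.
var sampleLines = []string{
	"ERROR upstream call to HTTP gateway timed out",
	"error upstream call to http gateway timed out",
	"Unhandled Exception in worker 3",
	"ERROR disk quota exceeded",
	"INFO http request served",
}

// Select returns the lines a `filter @message like /re/` would keep,
// assuming the CloudWatch engine treats these patterns as Go's does.
func Select(re *regexp.Regexp, lines []string) []string {
	var kept []string
	for _, l := range lines {
		if re.MatchString(l) {
			kept = append(kept, l)
		}
	}
	return kept
}

func main() {
	// (?i) at the start: every spelling of error/exception is kept.
	for _, l := range Select(anyCase, sampleLines) {
		fmt.Println("anyCase:  ", l)
	}
	// (?i) in the middle: ERROR must be upper case, http may be any case.
	for _, l := range Select(mixedCase, sampleLines) {
		fmt.Println("mixedCase:", l)
	}
}
```

The second pattern keeps only the first line: the lower-case "error" line is rejected because the modifier applies from its position onward, not to the ERROR before it.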