A web application is pushing its logs to a CloudWatch Log Group.
The logs are in JSON format.
A log example is as below:
A. B. C. D.
Correct Answer: A.
Option A is CORRECT because the filter pattern { $.errorCode = "AccessDenied" } can be used to check if the "errorCode" in the JSON message is "AccessDenied".
Metric Value is the value published to the metric when a match occurs.
So the Metric Value should be 1.
Option B is incorrect because Default Value is published to the metric when the pattern does not match.
In this case, you should configure the Metric Value rather than the Default Value.
Option C is incorrect because Metric Value should be a number.
The Filter Pattern is also incorrect for the JSON log events.
Option D is incorrect because it should use Metric Value instead of Default Value in order to increase the count in the CloudWatch metric.
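A simplified offline model of the Metric Value / Default Value behaviour described above, added here as an illustration (not code from the original page or from AWS): it evaluates the Option A pattern against JSON log lines and sums what would be published per minute. The sample events, the function names and the rule of one default data point per quiet minute are assumptions of this model.

```python
import json
import re
from collections import defaultdict

# Constructed sample log events as (minute, raw line); not taken from the page.
EVENTS = [
    (0, '{"eventName": "GetObject", "errorCode": "AccessDenied"}'),
    (0, '{"eventName": "PutObject", "errorCode": "AccessDenied"}'),
    (0, '{"eventName": "ListBuckets"}'),
    (1, '{"eventName": "GetObject", "errorCode": "NoSuchKey"}'),
    (2, 'plain text line that is not JSON'),
]

# The model understands only the { $.field = "string" } form used in Option A.
PATTERN_RE = re.compile(r'^\{\s*\$\.(\w+)\s*=\s*"([^"]*)"\s*\}$')


def parse_pattern(pattern):
    m = PATTERN_RE.match(pattern.strip())
    if m is None:
        raise ValueError(f"unsupported pattern in this model: {pattern!r}")
    return m.group(1), m.group(2)


def matches(pattern, line):
    """True when the line is a JSON object whose field equals the wanted string."""
    field, wanted = parse_pattern(pattern)
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return False  # non-JSON lines never match a JSON pattern
    return isinstance(event, dict) and event.get(field) == wanted


def publish(pattern, events, metric_value, default_value=None):
    """Per-minute Sum of published values: metric_value per match, else default_value."""
    hits = defaultdict(int)
    for minute, line in events:
        hits[minute] += matches(pattern, line)
    sums = {}
    for minute in sorted(hits):
        if hits[minute]:
            sums[minute] = hits[minute] * metric_value
        elif default_value is not None:
            sums[minute] = default_value  # logs arrived, nothing matched
    return sums


PATTERN = '{ $.errorCode = "AccessDenied" }'
```

With Metric Value 1 the per-minute sum equals the number of AccessDenied events; a Default Value only fills minutes where logs arrived but nothing matched.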
Reference:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html

The question is asking how to set up a CloudWatch metric filter for a log group that contains JSON format logs, with an example log that contains an "errorCode" field.
A CloudWatch metric filter is used to extract data from CloudWatch logs and create CloudWatch metrics. The filter uses a pattern to search for and extract data from the logs. The metric filter can be used to count the number of times a specific pattern occurs in the logs, and create a CloudWatch metric based on that count.
Option A: Filter Pattern: { $.errorCode = "AccessDenied" } Metric Value: 1
This filter pattern is incorrect because the "=" operator is used instead of the "==" operator. The correct operator for equality comparison in JSON is "==". Additionally, the metric value of 1 means that a metric will be created with a constant value of 1 for each log entry that matches the filter pattern. This option will not count the number of times the pattern occurs.
Option B: Filter Pattern: { $.errorCode == "AccessDenied" } Default Value: 1
This filter pattern is correct because it uses the "==" operator to compare the "errorCode" field with the string "AccessDenied". The default value of 1 means that a metric will be created with a value of 1 for each log entry that matches the filter pattern. This option will count the number of times the pattern occurs.
Option C: Filter Pattern: { errorCode == "AccessDenied" } Metric Value: +1
This filter pattern is incorrect because it is missing the "$." at the beginning of the pattern. The "$." is used to specify that the pattern should be applied to the entire log entry. Without the "$.", the filter pattern will only match the "errorCode" field and not the entire log entry. Additionally, the metric value of "+1" means that a metric will be created with a value of +1 for each log entry that matches the filter pattern. This option will not count the number of times the pattern occurs.
Option D: Filter Pattern: { errorCode = "AccessDenied" } Default Value: +1
This filter pattern is incorrect because it uses the "=" operator instead of the "==" operator. Additionally, the filter pattern is missing the "$." at the beginning of the pattern, which means it will only match the "errorCode" field and not the entire log entry. The default value of +1 means that a metric will be created with a constant value of +1 for each log entry that matches the filter pattern. This option will not count the number of times the pattern occurs.
Therefore, the correct answer is option B: Filter Pattern: { $.errorCode == "AccessDenied" }, Default Value: 1.