Amazon CloudWatch Logs
User Guide

Example: Counting Log Events

The simplest type of log event monitoring is to count the number of log events that occur. You might want to do this to keep a count of all events, to create a "heartbeat" style monitor or just to practice creating metric filters.

In the following CLI example, a metric filter called MyAppAccessCount is applied to the log group MyApp/access.log to create the metric EventCount in the CloudWatch namespace YourNamespace. The filter is configured to match any log event content and to increment the metric by "1".

To create a metric filter using the CloudWatch console

  1. Open the CloudWatch console at

  2. If necessary, change the region. From the navigation bar, select the region that meets your needs. For more information, see Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the navigation pane, click Logs.

  4. In the contents pane, select a log group, and then click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, leave the Filter Pattern field blank.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name field, enter MyAppAccessCount.

  7. Under Metric Details, in the Metric Namespace field, enter YourNameSpace.

  8. In the Metric Name field, enter MyAppAccessEventCount, and then click Create Filter.

To create a metric filter using the AWS CLI

  • At a command prompt, remove the backslashes (\) and type this all on one line:

    % aws logs put-metric-filter \
      --log-group-name MyApp/access.log \
      --filter-name MyAppAccessCount \
      --filter-pattern "" \
      --metric-transformations \

You can test this new policy by posting any event data. You should see two data points published to the metric EventCount.

To post event data using the AWS CLI

  • At a command prompt, remove the backslashes (\) and type this all on one line:

    % aws logs put-log-events \
      --log-group-name MyApp/access.log --log-stream-name TestStream1 \
      --log-events \
        timestamp=1394793518000,message="Test event 1" \
        timestamp=1394793518000,message="Test event 2"
        timestamp=1394793528000,message="This message also contains an Error"