Amazon CloudWatch Logs
User Guide

Example: Extract Bytes Transferred from an Apache Log

Sometimes, instead of counting, it is helpful to use values within individual log events for metric values. This example shows how you can create an extraction rule to create a metric that measures the bytes transferred by an Apache webserver.

This extraction rule matches the seven fields of the log event. The metric value is the value of the seventh matched token. You can see the reference to the token as "$7" in the metricValue field of the extraction rule.

To create a metric filter using the CloudWatch console

  1. Open the CloudWatch console at

  2. If necessary, change the region. From the navigation bar, select the region that meets your needs. For more information, see Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the navigation pane, click Logs.

  4. In the contents pane, select a log group, and then click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, in the Filter Pattern field, enter [ip, id, user, timestamp, request, status_code, size].

  6. To test your filter pattern, in the Select Log Data to Test list, select the log group you want to test the metric filter against, and then click Test Pattern.

  7. Under Results, CloudWatch Logs displays a message showing how many occurrences of the filter pattern were found in the log file.


    To see detailed results, click Show test results.

  8. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name field, enter size.

  9. Under Metric Details, in the Metric Namespace field, enter YourNameSpace.

  10. In the Metric Name field, enter BytesTransferred

  11. In the Metric Value field, enter $size, and then click Create Filter.


    If the Metric Value field isn't visible, click Show advanced metric settings.

To create a metric filter using the AWS CLI

  • At a command prompt, remove the backslashes (\) and type this all on one line:

    % aws logs put-metric-filter \
    --log-group-name MyApp/access.log \
    --filter-name BytesTransferred \
    --filter-pattern '[ip, id, user, timestamp, request, status_code=4*, size]' \
    --metric-transformations \

You can use the following data in put-log-event calls to test this rule. This generates two different metrics if you did not remove monitoring rule in the previous example. - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 404 287 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 404 287 - - [24/Sep/2013:11:50:51 -0700] "GET /~test/ HTTP/1.1" 200 3 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 404 308 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 404 308 - - [24/Sep/2013:11:51:34 -0700] "GET /~test/index.html HTTP/1.1" 200 3