Merged
8 changes: 4 additions & 4 deletions aws/logs_monitoring/README.md
Expand Up @@ -468,6 +468,7 @@ For all configuration options and details, including [Multi-Region deployment][2
[203]: https://docs.datadoghq.com/getting_started/site/#access-the-datadog-site
[204]: https://app.datadoghq.com/organization-settings/api-keys
[205]: https://registry.terraform.io/modules/DataDog/log-lambda-forwarder-datadog/aws/latest#multi-region-deployments

{{% /tab %}}
{{% tab "Manual" %}}

Expand Down Expand Up @@ -553,15 +554,14 @@ Datadog recommends using at least 10 reserved concurrency, but this defaults to
`INCLUDE_AT_MATCH`
: Only send logs matching the supplied regular expression, and not excluded by `EXCLUDE_AT_MATCH`.

Filtering rules are applied to the full JSON-formatted log, including any metadata that is automatically added by the Forwarder. However, transformations applied by [log pipelines][21], which occur after logs are sent to Datadog, cannot be used to filter logs in the Forwarder. Using an inefficient regular expression, such as `.*`, may slow down the Forwarder.
Filtering rules are applied to the log message as read by the forwarder. Using an inefficient regular expression, such as `.*`, may slow down the Forwarder.

Some examples of regular expressions that can be used for log filtering:

- Include (or exclude) Lambda platform logs: `"(START|END) RequestId:\s`. The preceding `"` is needed to match the start of the log message, which is in a JSON blob (`{"message": "START RequestId...."}`). Datadog recommends keeping the `REPORT` logs, as they are used to populate the invocations list in the serverless function views.
- Include (or exclude) Lambda platform logs: `(START|END) RequestId:\s`. Datadog recommends keeping the `REPORT` logs, as they are used to populate the invocations list in the serverless function views.
- Include CloudTrail error messages only: `errorMessage`.
- Include only logs containing an HTTP 4XX or 5XX error code: `\b[4|5][0-9][0-9]\b`.
- Include only CloudWatch logs where the `message` field contains a specific JSON key/value pair: `\"awsRegion\":\"us-east-1\"`.
- The message field of a CloudWatch log event is encoded as a string. For example,`{"awsRegion": "us-east-1"}` is encoded as `{\"awsRegion\":\"us-east-1\"}`. Therefore, the pattern you provide must include `\` escape characters, like this: `\"awsRegion\":\"us-east-1\"`.
- Include only CloudWatch logs where the `message` field contains a specific JSON key/value pair: `"awsRegion":"us-east-1"`.

To test different patterns against your logs, turn on [debug logs](#troubleshooting).
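Review bot: The new sentence "Filtering rules are applied to the log message as read by the forwarder." changes what a pattern is matched against, but nothing in this hunk tells readers that patterns written for the previously documented form need updating. The old examples used a leading `"` before `(START|END) RequestId:\s` and the escaped `\"awsRegion\":\"us-east-1\"`; under the new description those would no longer match, so an `INCLUDE_AT_MATCH` or `EXCLUDE_AT_MATCH` rule could select a different set of logs than before. Please add a sentence saying which Forwarder version this applies from and that existing patterns should be re-tested. Three smaller points in the same hunk: the rewrite also drops the caveat that transformations from [log pipelines][21] cannot be used for filtering in the Forwarder, which still seems worth keeping, and if it is dropped the `[21]` link definition should be checked for remaining uses; "forwarder" is lowercase here while the next sentence uses "Forwarder"; and in the unchanged line with `\b[4|5][0-9][0-9]\b`, the class `[4|5]` also matches a literal `|`, so `[45]` is what is meant.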
