You might want to search, analyze, and troubleshoot logging output from AWS Lambda functions when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
Like most other application logs, Lambda function logging from CloudWatch logs provides valuable information that can be used during an investigation to facilitate answering questions about the functions behavior and health. Use this procedure to search all CloudWatch logs collected for a specific Lambda function.
To optimize the search shown below, you should specify a time range.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work fine.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
- Run the following search:
index="<AWS index name>" sourcetype="aws:cloudwatchlogs" source="*/aws/lambda/*" source="*<Lambda function name>*"
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|index="<AWS index name>" sourcetype="aws:cloudwatchlogs"||Search the index(s) where AWS data is stored, filtered to just the AWS Cloudwatch logs.|
source="*<Lambda function name>*"
|Filter results to those associated to a given Lambda function.|
In the search, add additional keywords relevant to the investigation. For instance, adding (error OR fail*) to the search might help uncover problems occurring with the Lambda function.