fields @timestamp, @message, requestId
| filter @message like /ERROR/ | sort @timestamp desc | limit 20 ``` Collect candidate `requestId` values, then run focused query. ### Second query for full context ```sql fields @timestamp, @message, requestId | filter requestId = 'abc-123' | sort @timestamp asc ``` This reconstructs full sequence around error event. ### Time-window approximation If correlation key is missing, query by short timestamp range around event. ```sql fields @timestamp, @message | filter @timestamp >= ago(5m) | sort @timestamp asc ``` Less precise but sometimes sufficient. ### Structure logs for better context retrieval Emit consistent structured fields such as `requestId`, `service`, and `stage`. Context retrieval quality depends heavily on logging schema. ### Export and post-process option For advanced context operations, export logs to S3 and use Athena or external tooling where window functions and richer text processing are available. ### Validation and production readiness Create runbook queries for common incident patterns. During outages, predefined context queries reduce diagnosis time significantly. ### Context recovery with log stream and time window When no request ID exists, use log stream plus timestamp bounds around an error event. ```sql fields @timestamp, @logStream, @message | filter @message like /ERROR/ and @message like /payment failed/ | sort @timestamp desc | limit 1 ``` Take the returned stream and time, then run: ```sql fields @timestamp, @message | filter @logStream = 'app-prod/i-0123456789abcdef0' | filter @timestamp >= 1700000000000 and @timestamp <= 1700000008000 | sort @timestamp asc ``` This approximates before and after context for the same stream. ### Automate two-step lookup with SDK For repeated incident workflows, script query chaining. ```python import boto3 logs = boto3.client("logs") # 1. start query for candidate errors # 2. parse top event timestamp and stream # 3. run second query with narrowed window ``` Automating the sequence avoids manual copying during high-pressure incidents. ### Logging design for future context needs If context lookups are frequent, improve emitters to include `requestId`, `traceId`, and stable service fields. This shifts incident response from guesswork to deterministic filtering. Query limitations are easier to handle when log schema is designed for correlation from day one. ### Production checklist and verification loop A reliable implementation needs more than a working snippet. Add a small verification loop that runs in CI and after dependency upgrades. Start with golden examples that represent normal input, boundary input, and one malformed input. Then validate output values, output shape or schema, and failure messages. This catches silent behavior drift early. Document assumptions directly in the code comments near the transformation or query logic. Teams often forget whether behavior is strict, permissive, or backward-compatibility focused. Clear assumptions reduce future refactor risk. For performance-sensitive paths, capture a baseline metric and compare after every change. The metric can be latency, memory use, or throughput depending on workload. Keep benchmark inputs realistic so results are meaningful. Finally, expose observability signals that tell you when this logic starts failing in production. Useful signals include error counts, validation failures, and rate of fallback paths. A short checklist, a few deterministic tests, and lightweight monitoring are usually enough to keep this solution stable as surrounding systems evolve. ## Common Pitfalls * Expecting single Insights query to provide grep-like surrounding line semantics. * Logging unstructured text without correlation identifiers. * Filtering too broadly and losing signal in noisy output. * Relying on timestamp-only matching in high-throughput systems. * Skipping reusable incident query templates. ## Summary * CloudWatch Insights does not natively support line-context operators. * Use correlation IDs and multi-step queries to reconstruct context. * Improve logs with structured fields for traceability. * Use time windows as fallback when IDs are unavailable. * Maintain incident query runbooks for fast operations response.