Cloudwatch logs "AND NOT" search

Question

I'm searching Cloudwatch log events for errors with the following criteria:

?"error" ?"ERROR" ?"Error:"

How can I exclude specific terms from the result? For example, if I don't care about specific_error, how can I specify not to match on it?

I'm expecting to be able to do something like:

(?"error" AND -"specific_error") ?"ERROR" ?"Error:"

Answer 1

In the CloudWatch console, this can be accomplished with the - operand before the term you wish to exclude:

"error" -"something minor happened"

This is from the AWS docs for "Matching terms in log events".

Similarly, using aws logs tail, you can pass this to the --filter-pattern argument:

$ aws logs tail --format short /aws/lambda/my_lambda --filter-pattern '"error" -"something minor happened"' --since 3h

2021-07-09T19:28:47 error:   something bad happened
2021-07-09T19:28:51 error:   something bad happened
2021-07-09T19:29:52 error:   something REALLY bad happened
2021-07-09T19:30:15 error:   something CATASTROPHIC happened! Aiee!
2021-07-09T19:30:36 error:   something bad happened