
CloudWatch Logs Insights query builder

Form-driven query generator for VPC Flow Logs, CloudTrail, and Lambda log groups. Handles CIDR-to-regex conversion, generates AWS Console deeplinks, and runs entirely in your browser — no AWS credentials required.

⚠ Disclaimer This tool is provided as-is, for educational and planning purposes only. Generated queries are starting points — always review for correctness, test against a narrow time window first, and use parameter placeholders in production code. The Tech Space makes no warranty and accepts no liability.

VPC Flow Log: traffic to a host

Show recent flows destined for a specific host (or CIDR range). Use this when investigating reachability or who's hitting a service.

Log type: VPC Flow Log
Output: Raw rows


Open in AWS Console (optional)

Fill in your log group name and AWS region to generate a one-click deeplink that pre-loads the query in CloudWatch Logs Insights.

Note The console deeplink format is undocumented and may break with AWS console updates. If the link doesn't pre-populate the query correctly, copy it manually from the box above.

Notes & tips

Quick reference

IP / CIDR input formats

  • 10.0.0.5 — single IP: srcAddr = "10.0.0.5"
  • 10.0.0.5, 10.0.0.10, 10.0.0.20 — multiple IPs: srcAddr in ["10.0.0.5","10.0.0.10","10.0.0.20"]
  • 10.0.0.0/24 — CIDR: srcAddr like /^10\.0\.0\./
  • 10.0.0.0/16 — CIDR: srcAddr like /^10\.0\./
  • 10.0.0.0/8 — CIDR: srcAddr like /^10\./
  • Mixed list (IPs + CIDRs): (srcAddr in […] or srcAddr like /pat/)
  • Non-aligned prefixes (e.g. /25, /22) — widened to the containing byte boundary with a warning; the resulting regex matches a superset of the requested range, so review the hits.
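The conversion rules listed above, written out as an added example (not the tool's own code) in plain JavaScript: a mixed IP/CIDR list becomes one Logs Insights filter clause, non-aligned prefixes are widened to the byte boundary with a warning, and malformed input is rejected instead of silently producing a bad filter. The `trafficToHostQuery` wrapper and its field list are an assumption about what the form emits.

```javascript
// Added example (not the tool's own code): turn the IP / CIDR input formats above
// into a Logs Insights filter clause, widening non-aligned prefixes with a warning.
const isIPv4 = s => /^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split('.').every(o => Number(o) <= 255);

// field: "srcAddr" or "dstAddr"; input: comma-separated IPs and/or CIDRs.
// Returns { clause, warnings }; throws on malformed input rather than emitting a bad filter.
function buildAddrFilter(field, input) {
  const ips = [], patterns = [], warnings = [];
  for (const raw of input.split(',').map(s => s.trim()).filter(Boolean)) {
    const [addr, prefixStr] = raw.split('/');
    if (!isIPv4(addr)) throw new Error(`invalid IPv4 address: ${raw}`);
    const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
    if (!Number.isInteger(prefix) || prefix < 8 || prefix > 32) throw new Error(`unsupported prefix: ${raw}`);
    // The regex trick only works on byte boundaries (/8, /16, /24); a /22 or /25
    // is widened to the containing boundary, so the result over-matches.
    const aligned = Math.floor(prefix / 8) * 8;
    if (aligned !== prefix) warnings.push(`${raw} widened to /${aligned}; regex matches a superset of the range`);
    if (aligned === 32) { ips.push(`"${addr}"`); continue; }
    const octets = addr.split('.').slice(0, aligned / 8);
    patterns.push(`/^${octets.join('\\.')}\\./`); // dots escaped, anchored at line start
  }
  const parts = [];
  if (ips.length === 1) parts.push(`${field} = ${ips[0]}`);
  if (ips.length > 1) parts.push(`${field} in [${ips.join(',')}]`);
  for (const p of patterns) parts.push(`${field} like ${p}`);
  if (parts.length === 0) throw new Error('no addresses given');
  return { clause: parts.length === 1 ? parts[0] : `(${parts.join(' or ')})`, warnings };
}

// Assumed shape of the "traffic to a host" query: wrap the clause with a field list,
// sort and a small limit so the first run against a narrow window stays cheap.
function trafficToHostQuery(input, limit = 20) {
  const { clause, warnings } = buildAddrFilter('dstAddr', input);
  const query = ['fields @timestamp, srcAddr, dstAddr, dstPort, protocol, action',
    `filter ${clause}`, 'sort @timestamp desc', `limit ${limit}`].join('\n| ');
  return { query, warnings };
}

// Constructed sample input: two hosts plus a non-aligned /22 (triggers a widening warning).
const sample = trafficToHostQuery('10.0.0.5, 10.0.0.9, 10.0.4.0/22');
console.log(sample.query);
sample.warnings.forEach(w => console.log('warning:', w));
```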

Port input formats

  • 443 — single: dstPort = 443
  • 443, 8443 — multiple: dstPort in [443,8443]
  • 8000-8100 — range: (dstPort >= 8000 and dstPort <= 8100)
  • 443, 8000-8100, 9000 — mixed: (dstPort in [443,9000] or (dstPort >= 8000 and dstPort <= 8100))

Protocol numbers

  • 1 — ICMP: ping, traceroute
  • 6 — TCP: most application traffic
  • 17 — UDP: DNS, RTP, syslog
  • 47 — GRE: tunneling
  • 50 — ESP: IPsec encrypted payloads

Limits to know

  • Max log groups per query: 50
  • Max query duration: 15 minutes
  • Max returned rows: 10,000
  • Concurrent queries per account: 30
  • Pricing: ~$0.005 per GB scanned (varies by region) — narrower time ranges and targeted filters save money

Filter syntax cheats

  • filter ispresent(field) — equivalent to "IS NOT NULL"
  • filter field in ["a","b","c"] — multi-value membership
  • filter field like /regex/ — regex match (dots must be escaped \.)
  • filter (a or b) — separate filter lines are ANDed together; put or inside a single filter line to express OR
  • Field names are case-sensitive: srcAddr not srcaddr