Associates the specified KMS key with the specified log - * group.
- *Associating a KMS key with a log group overrides any existing + *
Associates the specified KMS key with either one log group in the account, or with all stored + * CloudWatch Logs query insights results in the account.
+ *When you use AssociateKmsKey, you specify either the logGroupName parameter
+ * or the resourceIdentifier parameter. You can't specify both of those parameters in the same operation.
Specify the logGroupName parameter to cause all log events stored in the log group to
+ * be encrypted with that key. Only the log events ingested after the key is associated are encrypted with that key.
Associating a KMS key with a log group overrides any existing * associations between the log group and a KMS key. After a KMS key is associated with a log group, all newly ingested data for the log group is encrypted * using the KMS key. This association is stored as long as the data encrypted - * with the KMS keyis still within CloudWatch Logs. This enables CloudWatch Logs to decrypt this data whenever it is requested.
+ * with the KMS key is still within CloudWatch Logs. This enables CloudWatch Logs to decrypt this data whenever it is requested. + *Associating
+ * a key with a log group does not cause the results of queries of that log group to be encrypted with that key. To have query
+ * results encrypted with a KMS key, you must use an AssociateKmsKey operation with the resourceIdentifier
+ * parameter that specifies a query-result resource.
Specify the resourceIdentifier parameter with a query-result resource,
+ * to use that key to encrypt the stored results of all future
+ * StartQuery
+ * operations in the account. The response from a
+ * GetQueryResults
+ * operation will still return
+ * the query results in plain text.
Even if you have not associated a key with your query results, the query results are encrypted when stored, + * using the default CloudWatch Logs method.
+ *If you run a query from a monitoring account that queries logs in a source account, the + * query results key from the monitoring account, if any, is used.
+ *If you delete the key that is used to encrypt log events or log group query results, + * then all the associated stored log events or query results that were encrypted with that key + * will be unencryptable and unusable.
+ *CloudWatch Logs supports only symmetric KMS keys. Do not use an associate - * an asymmetric KMS key with your log group. For more information, see Using + * an asymmetric KMS key with your log group or query results. For more information, see Using * Symmetric and Asymmetric Keys.
- * + *It can take up to 5 minutes for this operation to take effect.
*If you attempt to associate a KMS key with a log group but the KMS key does not exist or the KMS key is disabled, you receive an
* InvalidParameterException error.
Disassociates the associated KMS key from the specified log - * group.
- *After the KMS key is disassociated from the log group, CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data - * remains encrypted, and CloudWatch Logs requires permissions for the KMS key - * whenever the encrypted data is requested.
- *Note that it can take up to 5 minutes for this operation to take effect.
+ *Disassociates the specified KMS key from the specified log + * group or from all CloudWatch Logs Insights query results in the account.
+ *When you use DisassociateKmsKey, you specify either the logGroupName parameter
+ * or the resourceIdentifier parameter. You can't specify both of those parameters in the same operation.
Specify the logGroupName parameter to stop using the KMS key
+ * to encrypt future log events ingested and stored in the log group. Instead, they will be
+ * encrypted with the default CloudWatch Logs method. The log events that were ingested
+ * while the key was associated with the log group are still encrypted with that key.
+ * Therefore, CloudWatch Logs will need permissions for the key whenever that data is
+ * accessed.
Specify the resourceIdentifier parameter with the query-result
+ * resource to stop using the KMS key to encrypt the results of all
+ * future StartQuery
+ * operations in the account. They will instead be encrypted with the default CloudWatch Logs method. The results from queries that ran while the key was associated with
+ * the account are still encrypted with that key. Therefore, CloudWatch Logs will need
+ * permissions for the key whenever that data is accessed.
It can take up to 5 minutes for this operation to take effect.
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -49,7 +66,8 @@ export interface DisassociateKmsKeyCommandOutput extends __MetadataBearer {} * // const { CloudWatchLogsClient, DisassociateKmsKeyCommand } = require("@aws-sdk/client-cloudwatch-logs"); // CommonJS import * const client = new CloudWatchLogsClient(config); * const input = { // DisassociateKmsKeyRequest - * logGroupName: "STRING_VALUE", // required + * logGroupName: "STRING_VALUE", + * resourceIdentifier: "STRING_VALUE", * }; * const command = new DisassociateKmsKeyCommand(input); * const response = await client.send(command); diff --git a/clients/client-cloudwatch-logs/src/commands/GetQueryResultsCommand.ts b/clients/client-cloudwatch-logs/src/commands/GetQueryResultsCommand.ts index 2cc59d97e529..4ff144666632 100644 --- a/clients/client-cloudwatch-logs/src/commands/GetQueryResultsCommand.ts +++ b/clients/client-cloudwatch-logs/src/commands/GetQueryResultsCommand.ts @@ -75,6 +75,7 @@ export interface GetQueryResultsCommandOutput extends GetQueryResultsResponse, _ * // bytesScanned: Number("double"), * // }, * // status: "Scheduled" || "Running" || "Complete" || "Failed" || "Cancelled" || "Timeout" || "Unknown", + * // encryptionKey: "STRING_VALUE", * // }; * * ``` diff --git a/clients/client-cloudwatch-logs/src/commands/PutSubscriptionFilterCommand.ts b/clients/client-cloudwatch-logs/src/commands/PutSubscriptionFilterCommand.ts index d9caf9ac613b..f53c97176dd5 100644 --- a/clients/client-cloudwatch-logs/src/commands/PutSubscriptionFilterCommand.ts +++ b/clients/client-cloudwatch-logs/src/commands/PutSubscriptionFilterCommand.ts @@ -48,7 +48,8 @@ export interface PutSubscriptionFilterCommandOutput extends __MetadataBearer {} * filter, for same-account delivery. * *A logical destination that belongs to a different account, for cross-account delivery.
+ *A logical destination created with PutDestination that belongs to a different account, for cross-account delivery. + * We currently support Kinesis Data Streams and Kinesis Data Firehose as logical destinations.
*An Amazon Kinesis Data Firehose delivery stream that belongs to the same account as diff --git a/clients/client-cloudwatch-logs/src/commands/StartQueryCommand.ts b/clients/client-cloudwatch-logs/src/commands/StartQueryCommand.ts index 035a3104899e..9324e382d1e8 100644 --- a/clients/client-cloudwatch-logs/src/commands/StartQueryCommand.ts +++ b/clients/client-cloudwatch-logs/src/commands/StartQueryCommand.ts @@ -39,6 +39,15 @@ export interface StartQueryCommandOutput extends StartQueryResponse, __MetadataB *
Schedules a query of a log group using CloudWatch Logs Insights. You specify the log group * and time range to query and the query string to use.
*For more information, see CloudWatch Logs Insights Query Syntax.
+ *After you run a query using StartQuery, the query results are stored by CloudWatch Logs.
+ * You can use GetQueryResults to retrieve
+ * the results of a query, using the queryId that StartQuery returns.
+ *
If you have associated a KMS key with the query results in this account, + * then + * StartQuery uses that key to + * encrypt the results when it stores them. If no key is associated with query results, the query results are + * encrypted with the default CloudWatch Logs encryption method.
*Queries time out after 60 minutes of runtime. If your queries are timing out, reduce the * time range being searched or partition your query into a number of queries.
*If you are using CloudWatch cross-account observability, you can use this operation in a diff --git a/clients/client-cloudwatch-logs/src/models/models_0.ts b/clients/client-cloudwatch-logs/src/models/models_0.ts index 8174754b0ef9..2be7a4247f71 100644 --- a/clients/client-cloudwatch-logs/src/models/models_0.ts +++ b/clients/client-cloudwatch-logs/src/models/models_0.ts @@ -72,8 +72,11 @@ export interface AccountPolicy { export interface AssociateKmsKeyRequest { /** *
The name of the log group.
+ *In your AssociateKmsKey operation,
+ * you must specify either the resourceIdentifier parameter or the logGroup parameter,
+ * but you can't specify both.
The Amazon Resource Name (ARN) of the KMS key to use when encrypting log @@ -81,6 +84,35 @@ export interface AssociateKmsKeyRequest { * Keys.
*/ kmsKeyId: string | undefined; + + /** + *Specifies the target for this operation. You must specify one of the following:
+ *Specify the following ARN to have future GetQueryResults + * operations in this account encrypt the results + * with the specified KMS key. Replace + * REGION and ACCOUNT_ID with your Region and account ID.
+ *
+ * arn:aws:logs:REGION:ACCOUNT_ID:query-result:*
+ *
Specify the ARN of a log group to have CloudWatch Logs use the KMS key + * to encrypt log events that are ingested and stored by that log group. The log group ARN must be in + * the following format. Replace + * REGION and ACCOUNT_ID with your Region and account ID.
+ *
+ * arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME
+ *
+ *
In your AssociateKmsKey operation,
+ * you must specify either the resourceIdentifier parameter or the logGroup parameter,
+ * but you can't specify both.
The name of the log group.
+ *In your DisassociateKmsKey operation,
+ * you must specify either the resourceIdentifier parameter or the logGroup parameter,
+ * but you can't specify both.
Specifies the target for this operation. You must specify one of the following:
+ *Specify the ARN of a log group to stop having CloudWatch Logs use the KMS key + * to encrypt log events that are ingested and stored by that log group. After you run this operation, CloudWatch Logs + * encrypts ingested log events with the default CloudWatch Logs method. The log group ARN must be in + * the following format. Replace + * REGION and ACCOUNT_ID with your Region and account ID.
+ *
+ * arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME
+ *
+ *
Specify the following ARN to stop using this key to encrypt the results of future StartQuery + * operations in this account. Replace + * REGION and ACCOUNT_ID with your Region and account ID.
+ *
+ * arn:aws:logs:REGION:ACCOUNT_ID:query-result:*
+ *
In your DisssociateKmsKey operation,
+ * you must specify either the resourceIdentifier parameter or the logGroup parameter,
+ * but you can't specify both.
The time to set as the center of the query. If you specify time, the 15
- * minutes before this time are queries. If you omit time, the 8 minutes before and
- * 8 minutes after this time are searched.
The time to set as the center of the query. If you specify time, the 8 minutes before and
+ * 8 minutes after this time are searched. If you omit time, the most recent 15 minutes
+ * up to the current time are searched.
The time value is specified as epoch time, which is the number of seconds
* since January 1, 1970, 00:00:00 UTC.
Includes the number of log events scanned by the query, the number of log events that matched the - * query criteria, and the total number of bytes in the log events that were scanned. These values - * reflect the full raw results of the query.
+ *Includes the number of log events scanned by the query, the number of log events that + * matched the query criteria, and the total number of bytes in the scanned log events. These + * values reflect the full raw results of the query.
*/ statistics?: QueryStatistics; @@ -2077,6 +2141,14 @@ export interface GetQueryResultsResponse { * reduce the time range being searched or partition your query into a number of queries. */ status?: QueryStatus | string; + + /** + *If you associated an KMS key with the CloudWatch Logs Insights + * query results in this account, this field displays the ARN of the key that's used to encrypt + * the query results when StartQuery stores + * them.
+ */ + encryptionKey?: string; } /** @@ -2231,9 +2303,9 @@ export interface PutAccountPolicyRequest { policyType: PolicyType | string | undefined; /** - *Currently the only valid value for this parameter is GLOBAL, which specifies that the data
+ *
Currently the only valid value for this parameter is ALL, which specifies that the data
* protection policy applies to all log groups in the account. If you omit this parameter, the default
- * of GLOBAL is used.
ALL is used.
*/
scope?: Scope | string;
}
@@ -2766,10 +2838,9 @@ export interface StartQueryRequest {
/**
* The log group on which to perform the query.
*A StartQuery operation must include exactly one
- * of the following parameters:
- * logGroupName, logGroupNames or logGroupIdentifiers.
- *
A StartQuery operation must include exactly one of the following
+ * parameters: logGroupName, logGroupNames, or
+ * logGroupIdentifiers.
The list of log groups to be queried. You can include up to 50 log groups.
*A StartQuery operation must include exactly one
- * of the following parameters:
- * logGroupName, logGroupNames or logGroupIdentifiers.
- *
A StartQuery operation must include exactly one of the following
+ * parameters: logGroupName, logGroupNames, or
+ * logGroupIdentifiers.
If you specify an ARN, the ARN can't end with an asterisk (*).
- *A StartQuery operation must include exactly one
- * of the following parameters:
- * logGroupName, logGroupNames or logGroupIdentifiers.
- *
A StartQuery operation must include exactly one of the following parameters:
+ * logGroupName, logGroupNames, or logGroupIdentifiers.
Associates the specified KMS key with the specified log\n group.
\nAssociating a KMS key with a log group overrides any existing\n associations between the log group and a KMS key. After a KMS key is associated with a log group, all newly ingested data for the log group is encrypted\n using the KMS key. This association is stored as long as the data encrypted\n with the KMS keyis still within CloudWatch Logs. This enables CloudWatch Logs to decrypt this data whenever it is requested.
\nCloudWatch Logs supports only symmetric KMS keys. Do not use an associate\n an asymmetric KMS key with your log group. For more information, see Using\n Symmetric and Asymmetric Keys.
\nIt can take up to 5 minutes for this operation to take effect.
\nIf you attempt to associate a KMS key with a log group but the KMS key does not exist or the KMS key is disabled, you receive an\n InvalidParameterException error.
Associates the specified KMS key with either one log group in the account, or with all stored\n CloudWatch Logs query insights results in the account.
\nWhen you use AssociateKmsKey, you specify either the logGroupName parameter\n or the resourceIdentifier parameter. You can't specify both of those parameters in the same operation.
Specify the logGroupName parameter to cause all log events stored in the log group to\n be encrypted with that key. Only the log events ingested after the key is associated are encrypted with that key.
Associating a KMS key with a log group overrides any existing\n associations between the log group and a KMS key. After a KMS key is associated with a log group, all newly ingested data for the log group is encrypted\n using the KMS key. This association is stored as long as the data encrypted\n with the KMS key is still within CloudWatch Logs. This enables CloudWatch Logs to decrypt this data whenever it is requested.
\nAssociating\n a key with a log group does not cause the results of queries of that log group to be encrypted with that key. To have query\n results encrypted with a KMS key, you must use an AssociateKmsKey operation with the resourceIdentifier\n parameter that specifies a query-result resource.
Specify the resourceIdentifier parameter with a query-result resource, \n to use that key to encrypt the stored results of all future \n StartQuery\n operations in the account. The response from a \n GetQueryResults\n operation will still return\n the query results in plain text.
Even if you have not associated a key with your query results, the query results are encrypted when stored,\n using the default CloudWatch Logs method.
\nIf you run a query from a monitoring account that queries logs in a source account, the\n query results key from the monitoring account, if any, is used.
\nIf you delete the key that is used to encrypt log events or log group query results,\n then all the associated stored log events or query results that were encrypted with that key \n will be unencryptable and unusable.
\nCloudWatch Logs supports only symmetric KMS keys. Do not use an associate\n an asymmetric KMS key with your log group or query results. For more information, see Using\n Symmetric and Asymmetric Keys.
\nIt can take up to 5 minutes for this operation to take effect.
\nIf you attempt to associate a KMS key with a log group but the KMS key does not exist or the KMS key is disabled, you receive an\n InvalidParameterException error.
The name of the log group.
", - "smithy.api#required": {} + "smithy.api#documentation": "The name of the log group.
\nIn your AssociateKmsKey operation,\n you must specify either the resourceIdentifier parameter or the logGroup parameter, \n but you can't specify both.
The Amazon Resource Name (ARN) of the KMS key to use when encrypting log\n data. This must be a symmetric KMS key. For more information, see Amazon Resource Names and Using Symmetric and Asymmetric\n Keys.
", "smithy.api#required": {} } + }, + "resourceIdentifier": { + "target": "com.amazonaws.cloudwatchlogs#ResourceIdentifier", + "traits": { + "smithy.api#documentation": "Specifies the target for this operation. You must specify one of the following:
\nSpecify the following ARN to have future GetQueryResults\n operations in this account encrypt the results\n with the specified KMS key. Replace\n REGION and ACCOUNT_ID with your Region and account ID.
\n\n arn:aws:logs:REGION:ACCOUNT_ID:query-result:*\n
Specify the ARN of a log group to have CloudWatch Logs use the KMS key\n to encrypt log events that are ingested and stored by that log group. The log group ARN must be in \n the following format. Replace\n REGION and ACCOUNT_ID with your Region and account ID.
\n\n arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME\n \n
In your AssociateKmsKey operation,\n you must specify either the resourceIdentifier parameter or the logGroup parameter, \n but you can't specify both.
Disassociates the associated KMS key from the specified log\n group.
\nAfter the KMS key is disassociated from the log group, CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data\n remains encrypted, and CloudWatch Logs requires permissions for the KMS key\n whenever the encrypted data is requested.
\nNote that it can take up to 5 minutes for this operation to take effect.
" + "smithy.api#documentation": "Disassociates the specified KMS key from the specified log\n group or from all CloudWatch Logs Insights query results in the account.
\nWhen you use DisassociateKmsKey, you specify either the logGroupName parameter\n or the resourceIdentifier parameter. You can't specify both of those parameters in the same operation.
Specify the logGroupName parameter to stop using the KMS key\n to encrypt future log events ingested and stored in the log group. Instead, they will be\n encrypted with the default CloudWatch Logs method. The log events that were ingested\n while the key was associated with the log group are still encrypted with that key.\n Therefore, CloudWatch Logs will need permissions for the key whenever that data is\n accessed.
Specify the resourceIdentifier parameter with the query-result\n resource to stop using the KMS key to encrypt the results of all\n future StartQuery\n operations in the account. They will instead be encrypted with the default CloudWatch Logs method. The results from queries that ran while the key was associated with\n the account are still encrypted with that key. Therefore, CloudWatch Logs will need\n permissions for the key whenever that data is accessed.
It can take up to 5 minutes for this operation to take effect.
" } }, "com.amazonaws.cloudwatchlogs#DisassociateKmsKeyRequest": { @@ -1808,8 +1813,13 @@ "logGroupName": { "target": "com.amazonaws.cloudwatchlogs#LogGroupName", "traits": { - "smithy.api#documentation": "The name of the log group.
", - "smithy.api#required": {} + "smithy.api#documentation": "The name of the log group.
\nIn your DisassociateKmsKey operation,\n you must specify either the resourceIdentifier parameter or the logGroup parameter, \n but you can't specify both.
Specifies the target for this operation. You must specify one of the following:
\nSpecify the ARN of a log group to stop having CloudWatch Logs use the KMS key\n to encrypt log events that are ingested and stored by that log group. After you run this operation, CloudWatch Logs\n encrypts ingested log events with the default CloudWatch Logs method. The log group ARN must be in \n the following format. Replace\n REGION and ACCOUNT_ID with your Region and account ID.
\n\n arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME\n \n
Specify the following ARN to stop using this key to encrypt the results of future StartQuery\n operations in this account. Replace\n REGION and ACCOUNT_ID with your Region and account ID.
\n\n arn:aws:logs:REGION:ACCOUNT_ID:query-result:*\n
In your DisssociateKmsKey operation,\n you must specify either the resourceIdentifier parameter or the logGroup parameter, \n but you can't specify both.
The method used to distribute log data to the destination, which can be either\n random or grouped by log stream.
" } }, + "com.amazonaws.cloudwatchlogs#EncryptionKey": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 256 + } + } + }, "com.amazonaws.cloudwatchlogs#EventId": { "type": "string" }, @@ -2483,7 +2502,7 @@ "time": { "target": "com.amazonaws.cloudwatchlogs#Timestamp", "traits": { - "smithy.api#documentation": "The time to set as the center of the query. If you specify time, the 15\n minutes before this time are queries. If you omit time, the 8 minutes before and\n 8 minutes after this time are searched.
The time value is specified as epoch time, which is the number of seconds\n since January 1, 1970, 00:00:00 UTC.
The time to set as the center of the query. If you specify time, the 8 minutes before and\n 8 minutes after this time are searched. If you omit time, the most recent 15 minutes\n up to the current time are searched.
The time value is specified as epoch time, which is the number of seconds\n since January 1, 1970, 00:00:00 UTC.
Includes the number of log events scanned by the query, the number of log events that matched the \n query criteria, and the total number of bytes in the log events that were scanned. These values\n reflect the full raw results of the query.
" + "smithy.api#documentation": "Includes the number of log events scanned by the query, the number of log events that\n matched the query criteria, and the total number of bytes in the scanned log events. These\n values reflect the full raw results of the query.
" } }, "status": { @@ -2631,6 +2650,12 @@ "traits": { "smithy.api#documentation": "The status of the most recent running of the query. Possible values are Cancelled, \n Complete, Failed, Running, Scheduled, \n Timeout, and Unknown.
Queries time out after 60 minutes of runtime. To avoid having your queries time out,\n reduce the time range being searched or partition your query into a number of queries.
" } + }, + "encryptionKey": { + "target": "com.amazonaws.cloudwatchlogs#EncryptionKey", + "traits": { + "smithy.api#documentation": "If you associated an KMS key with the CloudWatch Logs Insights\n query results in this account, this field displays the ARN of the key that's used to encrypt\n the query results when StartQuery stores\n them.
" + } } }, "traits": { @@ -4684,7 +4709,7 @@ "scope": { "target": "com.amazonaws.cloudwatchlogs#Scope", "traits": { - "smithy.api#documentation": "Currently the only valid value for this parameter is GLOBAL, which specifies that the data \n protection policy applies to all log groups in the account. If you omit this parameter, the default\n of GLOBAL is used.
Currently the only valid value for this parameter is ALL, which specifies that the data \n protection policy applies to all log groups in the account. If you omit this parameter, the default\n of ALL is used.
Creates or updates a subscription filter and associates it with the specified log\n group. With subscription filters, you can subscribe to a real-time stream of log events\n ingested through PutLogEvents\n and have them delivered to a specific destination. When log events are sent to the receiving\n service, they are Base64 encoded and compressed with the GZIP format.
\nThe following destinations are supported for subscription filters:
\nAn Amazon Kinesis data stream belonging to the same account as the subscription\n filter, for same-account delivery.
\nA logical destination that belongs to a different account, for cross-account delivery.
\nAn Amazon Kinesis Data Firehose delivery stream that belongs to the same account as\n the subscription filter, for same-account delivery.
\nAn Lambda function that belongs to the same account as the\n subscription filter, for same-account delivery.
\nEach log group can have up to two subscription filters associated with it. If you are\n updating an existing filter, you must specify the correct name in filterName.\n
To perform a PutSubscriptionFilter operation for any destination except a Lambda function, \n you must also have the \n iam:PassRole permission.
Creates or updates a subscription filter and associates it with the specified log\n group. With subscription filters, you can subscribe to a real-time stream of log events\n ingested through PutLogEvents\n and have them delivered to a specific destination. When log events are sent to the receiving\n service, they are Base64 encoded and compressed with the GZIP format.
\nThe following destinations are supported for subscription filters:
\nAn Amazon Kinesis data stream belonging to the same account as the subscription\n filter, for same-account delivery.
\nA logical destination created with PutDestination that belongs to a different account, for cross-account delivery.\n We currently support Kinesis Data Streams and Kinesis Data Firehose as logical destinations.
\nAn Amazon Kinesis Data Firehose delivery stream that belongs to the same account as\n the subscription filter, for same-account delivery.
\nAn Lambda function that belongs to the same account as the\n subscription filter, for same-account delivery.
\nEach log group can have up to two subscription filters associated with it. If you are\n updating an existing filter, you must specify the correct name in filterName.\n
To perform a PutSubscriptionFilter operation for any destination except a Lambda function, \n you must also have the \n iam:PassRole permission.
Schedules a query of a log group using CloudWatch Logs Insights. You specify the log group\n and time range to query and the query string to use.
\nFor more information, see CloudWatch Logs Insights Query Syntax.
\nQueries time out after 60 minutes of runtime. If your queries are timing out, reduce the\n time range being searched or partition your query into a number of queries.
\nIf you are using CloudWatch cross-account observability, you can use this operation in a\n monitoring account to start a query in a linked source account. For more information, see\n CloudWatch\n cross-account observability. For a cross-account StartQuery operation,\n the query definition must be defined in the monitoring account.
You can have up to 30 concurrent CloudWatch Logs insights queries, including queries\n that have been added to dashboards.
" + "smithy.api#documentation": "Schedules a query of a log group using CloudWatch Logs Insights. You specify the log group\n and time range to query and the query string to use.
\nFor more information, see CloudWatch Logs Insights Query Syntax.
\nAfter you run a query using StartQuery, the query results are stored by CloudWatch Logs. \n You can use GetQueryResults to retrieve\n the results of a query, using the queryId that StartQuery returns.\n
If you have associated a KMS key with the query results in this account, \n then \n StartQuery uses that key to \n encrypt the results when it stores them. If no key is associated with query results, the query results are \n encrypted with the default CloudWatch Logs encryption method.
\nQueries time out after 60 minutes of runtime. If your queries are timing out, reduce the\n time range being searched or partition your query into a number of queries.
\nIf you are using CloudWatch cross-account observability, you can use this operation in a\n monitoring account to start a query in a linked source account. For more information, see\n CloudWatch\n cross-account observability. For a cross-account StartQuery operation,\n the query definition must be defined in the monitoring account.
You can have up to 30 concurrent CloudWatch Logs insights queries, including queries\n that have been added to dashboards.
" } }, "com.amazonaws.cloudwatchlogs#StartQueryRequest": { @@ -5949,19 +5984,19 @@ "logGroupName": { "target": "com.amazonaws.cloudwatchlogs#LogGroupName", "traits": { - "smithy.api#documentation": "The log group on which to perform the query.
\nA StartQuery operation must include exactly one \n of the following parameters: \n logGroupName, logGroupNames or logGroupIdentifiers.\n
The log group on which to perform the query.
\nA StartQuery operation must include exactly one of the following\n parameters: logGroupName, logGroupNames, or\n logGroupIdentifiers.
The list of log groups to be queried. You can include up to 50 log groups.
\nA StartQuery operation must include exactly one \n of the following parameters: \n logGroupName, logGroupNames or logGroupIdentifiers.\n
The list of log groups to be queried. You can include up to 50 log groups.
\nA StartQuery operation must include exactly one of the following\n parameters: logGroupName, logGroupNames, or\n logGroupIdentifiers.
The list of log groups to query. You can include up to 50 log groups.
\nYou can specify them by the log group name or ARN. If a log group that you're querying is\n in a source account and you're using a monitoring account, you must specify the ARN of the log\n group here. The query definition must also be defined in the monitoring account.
\nIf you specify an ARN, the ARN can't end with an asterisk (*).
\nA StartQuery operation must include exactly one \n of the following parameters: \n logGroupName, logGroupNames or logGroupIdentifiers.\n
The list of log groups to query. You can include up to 50 log groups.
\nYou can specify them by the log group name or ARN. If a log group that you're querying is\n in a source account and you're using a monitoring account, you must specify the ARN of the log\n group here. The query definition must also be defined in the monitoring account.
\nIf you specify an ARN, the ARN can't end with an asterisk (*).
\nA StartQuery operation must include exactly one of the following parameters:\n logGroupName, logGroupNames, or logGroupIdentifiers.