boto / boto3

AWS SDK for Python
https://aws.amazon.com/sdk-for-python/
Apache License 2.0
9.05k stars 1.87k forks source link

CloudWatchLogs.filter_log_events nextToken is not null but there are no results #4258

Closed agoyburu closed 1 month ago

agoyburu commented 2 months ago

Describe the bug

When calling filter_log_events using CloudWatchLogs client, the nextToken key is always coming with a token instead of null even though there are no results.

Expected Behavior

nextToken should be null when events is empty.

Current Behavior

events returns an empty list but nextToken is not null

Reproduction Steps

  1. Create a CloudWatchLogs client
  2. Call filter_log_events with logGroupName, filterPattern, startTime, endTime
  3. Iterate over pages with the nextToken.

Possible Solution

I don't have a possible solution but a workaround could be to also check the results if that is empty, just ignore the nextToken

Additional Information/Context

The odd thing is that this is only happening with one AWS account so far.

To do the filtering, we first call describe_log_groups to get the list of log groups and then perform the filtering for each group.

Here are the some of the arguments I used:

startTime = 1724946563020
endTime = 1725551363020
filterPattern = '{$.readOnly = false && ($.eventName = "CreateAccessKey" || $.eventName = "DeleteAccessKey" || $.eventName = "UpdateAccessKey" || $.eventName = "CreateLoginProfile" || $.eventName = "UpdateLoginProfile" || $.eventName = "DeleteLoginProfile" || $.eventName = "CreatePolicy" || $.eventName = "DeletePolicy" || $.eventName = "AttachUserPolicy" || $.eventName = "DetachUserPolicy" || $.eventName = "AttachGroupPolicy" || $.eventName = "DetachGroupPolicy" || $.eventName = "AttachRolePolicy" || $.eventName = "DetachRolePolicy" || $.eventName = "PutUserPolicy" || $.eventName = "DeleteUserPolicy" || $.eventName = "PutGroupPolicy" || $.eventName = "DeleteGroupPolicy" || $.eventName = "PutRolePolicy" || $.eventName = "DeleteRolePolicy")}'
logGroupName = 'aws-cloudtrail-logs-us'

And here some actual responses from the filter_log_events

First call

{
    'events': [],
    'searchedLogStreams': [],
    'nextToken': 'Bxkq6kVGFtq2y_MoigeqscPOdhXVbhiVtLoAmXb5jCo-J4ub4atWFi6pePqNs7mRKkYCSSs9IimWr8Xi7GBPMaUH88oHH_P8Wu9fW7nHndM7aRAIAgrkh0Lp-O9Y4FX3e2GN7q4cuKB97nMXpl5EpWbIsPOF5kwHGwIH8PTizyX4h0Gay8fTxQ2Xmd4HcPw7foC7QRm4npaaSjuyyQWnsBzb0KmS8F3RE_e8TZIpfaoF5B4jzeU0utoThPxTLaqS81MqmKYtqQLOWA-QGD1xNw',
    'ResponseMetadata': {
        'RequestId': '29daab62-8be4-4d02-997f-435d7c21cdff',
        'HTTPStatusCode': 200,
        'HTTPHeaders': {...},
        'RetryAttempts': 0,
    },
}

Second call

{
    'events': [],
    'searchedLogStreams': [],
    'nextToken': 'Bxkq6kVGFtq2y_MoigeqscPOdhXVbhiVtLoAmXb5jCojwBgZEf6LNx1087xbbrYSh9yQVDcRp0Q1KWq2KS92-zCrMPMoJ5OQezrUspC_T42pPEsvHmxc3TwOAdIuacjnipZWfZNseUTWEBd5fL4tOt3WSDov9XUT3_iscd23BFEutBi88IzZG09WVGfoYPTKWgQ1EsZyKpdqm5se-w26iUE5OeeHXTmlwY9hmVKwgd7aMEyvUQEGPufQOHAyhaNjxDebszWs5h28UyfmAuKi-Q',
    'ResponseMetadata': {
        'RequestId': 'f24a9577-4bc8-4303-9b65-dc2d3ed57ab5',
        'HTTPStatusCode': 200,
        'HTTPHeaders': {...},
        'RetryAttempts': 0,
    },
}

SDK version used

boto3==1.34.80

Environment details (OS name and version, etc.)

MacOS Sonoma 14.6.1 (23G93), Ubuntu 22.04 docker image

tim-finnigan commented 1 month ago

Thanks for reaching out. The filter_log_events command makes a call to the underlying FilterLogEvents API, so this issue is really about the API behavior. If you add boto3.set_stream_logger('') to your script, then you can see the API request/response.

The reason you're getting a nextToken but not events is likely because the API is returning a max limit of results and there are no events matching your filter in that response. As an alternative, I recommend using the paginator to automatically paginate through responses: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/logs/paginator/FilterLogEvents.html

(For more info on paginators please refer to this documentation: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/paginators.html)

github-actions[bot] commented 1 month ago

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.