@mbourgon
Last active March 13, 2018 19:44
Using CloudWatch to scan AWS RDS Aurora log files for DML changes
Import-Module AWSPowerShell
# You should have already saved your credentials locally using:
#   set-awscredentials -accesskey myaccesskey -secretkey mysecretkey -StoreAs MyDeveloper
$credential = Get-AWSCredentials -ProfileName MyDeveloper

# Get the current timestamp (Unix epoch, in milliseconds)
$Current_Unix_Timestamp = [Math]::Floor([decimal](Get-Date (Get-Date).ToUniversalTime() -UFormat "%s")) * 1000

# Get the timestamp to start at.
$hours_to_look_back = 48
$Past_Unix_Timestamp = [Math]::Floor([decimal](Get-Date ((Get-Date).AddHours(-1 * $hours_to_look_back)).ToUniversalTime() -UFormat "%s")) * 1000

# Get a list of all of our CloudWatch log groups.
# $credential is passed explicitly so the stored profile loaded above is the one actually used.
$All_CW_RDS_Logs = Get-CWLLogGroup -LogGroupNamePrefix "/aws/rds" -Credential $credential |
    Where-Object { $_.LogGroupName -like "*/myproject*" }

foreach ($Specific_CW_Log_Group in $All_CW_RDS_Logs) {
    Write-Host $Specific_CW_Log_Group.LogGroupName
    $CW_NextToken = $null # reset for each log group. Required for NextToken to work

    # Using $null for NextToken means we can use the same pattern as for regular logs
    # NOTE: this hangs if the FilterPattern is invalid. Which apparently includes commas, backslashes, etc.
    do {
        $CW_RDS = Get-CWLFilteredLogEvent `
            -LogGroupName $Specific_CW_Log_Group.LogGroupName `
            -StartTime $Past_Unix_Timestamp `
            -EndTime $Current_Unix_Timestamp `
            -FilterPattern "QUERY" `
            -Limit 500 `
            -NextToken $CW_NextToken `
            -Credential $credential

        # FilterPattern can't use commas. ",QUERY," should show all create/truncate/drop, but we must use QUERY instead
        # Unlike the regular logs, this one returns a normal PowerShell dataset - nothing left to do
        # Each page of results (up to 500 events) opens in its own grid view window
        $CW_RDS.Events | Out-GridView

        $CW_NextToken = $CW_RDS.NextToken
    } while ($CW_NextToken -ne $null)
}
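Because the `QUERY` filter above matches every logged statement, including plain selects, the change statements have to be picked out client-side. The following is an added example, not part of the original gist: it parses each event message and keeps only data or schema changes. It assumes the Aurora MySQL audit log CSV layout (timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode) with a microsecond timestamp; the function names, the verb list and the sample lines are constructed for illustration.

```powershell
# Constructed sample messages. Assumed field order (Aurora MySQL audit log CSV):
# timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
$SampleMessages = @(
    "1520970000000000,db-1,app_user,10.0.0.5,101,2001,QUERY,sales,'select id, name from customers',0"
    "1520970001000000,db-1,admin,10.0.0.9,102,2002,QUERY,sales,'DROP TABLE old_orders',0"
    "1520970002000000,db-1,app_user,10.0.0.5,101,2003,QUERY,sales,'update customers set tier=2, region=5 where id=7',0"
    "1520970003000000,db-1,admin,10.0.0.9,103,0,CONNECT,sales,,0"
    "not an audit record"
)

# Statement verbs treated as data or schema changes (hypothetical list; adjust as needed)
$ChangePattern = "^\s*'?\s*(insert|update|delete|replace|create|alter|drop|truncate|grant|revoke)\b"

function ConvertFrom-AuroraAuditMessage {
    param([Parameter(ValueFromPipeline = $true)][string]$Message)
    process {
        # Eight comma-free leading fields, then the object (query text, may contain
        # commas, so it is captured greedily), then the numeric return code.
        $rx = '^(\d+),([^,]*),([^,]*),([^,]*),(\d+),(\d+),([A-Z_]+),([^,]*),(.*),(-?\d+)$'
        if ($Message.Trim() -match $rx) {
            [pscustomobject]@{
                # Timestamp assumed to be Unix time in microseconds
                TimeUtc    = [DateTimeOffset]::FromUnixTimeMilliseconds([long]([long]$Matches[1] / 1000)).UtcDateTime
                User       = $Matches[3]
                ClientHost = $Matches[4]
                Operation  = $Matches[7]
                Database   = $Matches[8]
                Statement  = $Matches[9]
                ReturnCode = [int]$Matches[10]
            }
        } else {
            # Surface lines that do not fit the layout instead of dropping them silently
            Write-Warning "Unparsed audit line: $Message"
        }
    }
}

function Select-ChangeStatement {
    param([Parameter(ValueFromPipeline = $true)]$Record)
    process {
        # Keep only QUERY operations whose statement starts with a change verb
        if ($Record.Operation -eq 'QUERY' -and $Record.Statement -match $ChangePattern) { $Record }
    }
}

$SampleMessages | ConvertFrom-AuroraAuditMessage | Select-ChangeStatement |
    Format-Table TimeUtc, User, ClientHost, Database, Statement -AutoSize
```

Inside the paging loop, `$CW_RDS.Events.Message` can be piped through the same two functions in place of `$SampleMessages`.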