CloudWatchLogs / Client / get_query_results



Returns the results from the specified query.

Only the fields requested in the query are returned, along with a @ptr field, which is the identifier for the log record. You can use the value of @ptr in a GetLogRecord operation to get the full log record.

GetQueryResults does not start running a query. To run a query, use StartQuery. For more information about how long results of previous queries are available, see CloudWatch Logs quotas.

If the value of the Status field in the output is Running, this operation returns only partial results. If you see a value of Scheduled or Running for the status, you can retry the operation later to see the final results.

If you are using CloudWatch cross-account observability, you can use this operation in a monitoring account to start queries in linked source accounts. For more information, see CloudWatch cross-account observability.

See also: AWS API Documentation

Request Syntax

response = client.get_query_results(

queryId (string) –


The ID number of the query.

Return type:



Response Syntax

    'results': [
                'field': 'string',
                'value': 'string'
    'statistics': {
        'recordsMatched': 123.0,
        'recordsScanned': 123.0,
        'bytesScanned': 123.0
    'status': 'Scheduled'|'Running'|'Complete'|'Failed'|'Cancelled'|'Timeout'|'Unknown',
    'encryptionKey': 'string'

Response Structure

  • (dict) –

    • results (list) –

      The log events that matched the query criteria during the most recent time it ran.

      The results value is an array of arrays. Each log event is one object in the top-level array. Each of these log event objects is an array of field/ value pairs.

      • (list) –

        • (dict) –

          Contains one field from one log event returned by a CloudWatch Logs Insights query, along with the value of that field.

          For more information about the fields that are generated by CloudWatch logs, see Supported Logs and Discovered Fields.

          • field (string) –

            The log event field.

          • value (string) –

            The value of this field.

    • statistics (dict) –

      Includes the number of log events scanned by the query, the number of log events that matched the query criteria, and the total number of bytes in the scanned log events. These values reflect the full raw results of the query.

      • recordsMatched (float) –

        The number of log events that matched the query string.

      • recordsScanned (float) –

        The total number of log events scanned during the query.

      • bytesScanned (float) –

        The total number of bytes in the log events scanned during the query.

    • status (string) –

      The status of the most recent running of the query. Possible values are Cancelled, Complete, Failed, Running, Scheduled, Timeout, and Unknown.

      Queries time out after 60 minutes of runtime. To avoid having your queries time out, reduce the time range being searched or partition your query into a number of queries.

    • encryptionKey (string) –

      If you associated an KMS key with the CloudWatch Logs Insights query results in this account, this field displays the ARN of the key that’s used to encrypt the query results when StartQuery stores them.