Amazon CloudWatch data input configuration fields

Zurich IT Operations Management

Release

zurich

ft:locale

en-US

ft:publication_title

Zurich IT Operations Management

ft:clusterId

itom

bundleId

itom

workflow

Technology

Amazon CloudWatch data input configuration fields

Release version: Zurich

Updated July 31, 2025

4 minutes to read

Summarize

Summarized using AI

Summary of Amazon CloudWatch data input configuration fields

This document details the configuration fields for setting up Amazon CloudWatch data inputs in ServiceNow’s Health Log Analytics. These inputs enable streaming log data from Amazon CloudWatch to your ServiceNow instance via MID Servers or MID Server clusters. Proper configuration ensures reliable log ingestion and failover support within your environment.

Show full answer Show less

Basic Configuration

Name & Description: Define a unique name and optional description for the data input.
Execute on: Choose whether to use a specific MID Server or a MID Server cluster to pull log data.
MID Server Selection: Only MID Servers supporting basic authentication (not mTLS) are eligible. Log ingestion must be enabled; if not, Health Log Analytics enables it automatically. The default maximum concurrent data inputs per MID Server is 10, configurable in MID Server properties.
MID Server Cluster: Supports failover clusters only, ensuring continuity by switching to another MID Server if one fails. Clusters must include only MID Servers supporting basic authentication with log ingestion enabled.
Service Instance: Bind the log data to an existing or newly created operational service instance. This is required to associate logs with relevant configuration items.
Status Fields (read-only): Provide real-time information on data input status, transport protocol, number of log sources created, timestamps for last logs and disablement, and any streaming errors.

Query Settings

From: Set the start date/time for reading log data. Only logs newer than this timestamp are fetched. Past dates may increase load and congestion.
Group Name(s): Specify one or multiple log groups to search. Use comma separation for multiple groups or an asterisk () wildcard to include all groups.
Prefix: Filter log streams by a single name prefix. Multiple prefixes require separate data inputs.
Filter Pattern: Apply case-sensitive patterns to filter log events by terms to include or exclude, supporting various logical conditions.

Transport Settings

AWS Credentials: Select AWS credentials (access and secret keys) from a predefined list for authentication.
AWS Region: Specify the AWS region where the CloudWatch logs reside. This is required to direct log queries properly.

Advanced Configuration

Connection Timeout: Milliseconds to wait before timing out AWS connection attempts (default 1000 ms).
Batch Size: Maximum number of logs retrieved per query (default 2500).
Socket Timeout: Milliseconds to wait before timing out data transfer on an established connection (default 10000 ms).
Default Timezone: Timezone used if logs lack timezone information (default GMT).
Sub Sample Drop/Receive Ratios: Controls log sampling to reduce volume, by discarding certain logs within batches (defaults -1 meaning disabled).
Max Length in Bytes: Maximum size of individual log messages (default 32766 bytes).
Sleep Interval: Seconds to wait before re-querying when no logs are returned (default 60 seconds).
Polling Interval: Seconds to wait before polling for new logs (default 0).
Drop if Queue is Full: Option to discard logs when MID Server load is high (default false).

Practical Benefits for ServiceNow Customers

Proper configuration of Amazon CloudWatch data inputs allows ServiceNow customers to efficiently ingest, filter, and monitor CloudWatch logs with failover protections and load management. This enables enhanced observability and troubleshooting capabilities within the ServiceNow platform, ensuring operational continuity and performance of log analytics.

Description of the fields on the Amazon CloudWatch data input configuration form.

Basic configuration


Field	Description
Name	Name of the new data input. This field is required.
Description	Description of the data input.
Execute on	Option to select whether to use a specific MID Server or a MID Server cluster. This field is required.
MID	(Only when the Execute on field is set to Specific MID Server) MID Server to which log data from Amazon CloudWatch is pulled. Note: You can select only MID Servers that support basic authentication. MID Servers that support mTLS are not listed. The default maximum number of data inputs streaming logs to a single MID Server is 10. You can modify this number in the MID Server properties. If log ingestion is not enabled for the selected MID Server, Health Log Analytics enables it automatically. This field is required.
MID Server Cluster	(Only when Execute on is set to Specific MID Server cluster.) The MID Server cluster to which the log data is pulled. This field is required. The data input runs on a single MID Server in the cluster until that MID Server fails. The system then moves all the data input tasks to the next available MID Server in the cluster according to the configured order. Note: Health Log Analytics supports only failover MID Server clusters. In these clusters, multiple MID Servers are grouped together for failover protection. When selecting a cluster from the data input or integration form, the MID Server clusters list displays only failover clusters. The MID Server cluster must include only MID Servers that support basic authentication. mTLS is not supported for log ingestion. Log ingestion must be enabled for each MID Server in the cluster. If log ingestion is not enabled for the active MID Server, Health Log Analytics enables it automatically. The default maximum number of data inputs or integrations streaming logs to a single MID Server is 10. A cluster passes capacity validation if it contains at least one MID Server with fewer than 10 data inputs or integrations running on it, even when that MID Server is down. For more information about MID Server clusters, see Configure a MID Server cluster.
Service instance	The service instance to which to bind the log data. Note: If no relevant service instance exists, Create an service instance and add CIs to it. Set the status of the new service instance to Operational. This field is required.

The following fields show read-only information:


Field	Description
Status	Status of the data input.
Transport	Protocol used to stream the log data. This data input uses Amazon CloudWatch to stream log data to your instance.
Sources count	The number of log sources this data input has created.
Disabled since	The time when the data input stopped or failed.
Last log time	The time when the last log streamed in the data input.
Error message	The streaming error. This field is populated automatically. It displays only when a streaming error has occurred.

Table 1. Query settings tab
Field	Description	Example
From	The date and time to start reading the data. Data older than this date and time is not read. Note: Setting this value to a past date might require the system to read large amounts of data, causing congestion. This field is required.	Now -1 week
Group Name(s)	The log groups to search. If multiple log groups must be searched, specify the groups in a comma-separated list. To fetch log data from all groups, use an asterisk (*) as a wildcard character. This field is required.	hla-cw-loggroup1,hla-cw-loggroup2
Prefix	Name prefix for the Amazon CloudWatch log streams to read from. The data input reads only from log streams with this name prefix. Note: Only a single log stream prefix per data item is supported. For multiple prefixes, create multiple data inputs.	hla-cw
Filter pattern	Pattern by which to filter incoming events. Various types of filter patterns are supported. For example: A pattern for fetching log events that contain a single term. A pattern for fetching log events that contain multiple terms. A pattern for fetching log events that include a term and exclude another. Note: Filter patterns are case sensitive. For more information, see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html	Pattern for fetching log events that contain a single term, "STATUS_CODE": "STATUS_CODE" Pattern for fetching log events that contain multiple terms, “STATUS_CODE” and “200”: “STATUS_CODE 200” Pattern for fetching log events that include a term, “STATUS_CODE,” and exclude another term, “200”: “STATUS_CODE” – “200”

Table 2. Transport tab
Field	Description
AWS credentials	Field that refers to the AWS Credentials list (aws_credentials.list). The list contains the AWS access and secret access keys.
AWS region	The AWS region where the Amazon CloudWatch cluster runs, for example, us-west-1. For a list of AWS regions, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions This field is required.

Advanced configuration

Table 3. Advanced configuration form
Field	Description	Default value
Connection timeout	The number of milliseconds to wait before timing out the AWS connection attempt.	1000
Batch size	The maximum number of logs retrieved per query.	2500
Socket timeout	The number of milliseconds to wait before timing out a data transfer over an established connection.	10000
Default timezone	The default timezone if the log date and time doesn't include timezone information.	GMT
Sub sample drop ratio	The number of logs to batch together, out of which one will be discarded. This setting is used to reduce the number of fetched logs.	-1
Sub sample receive ratio	The number of logs to batch together, out of which all but one will be discarded. This setting is used to decrease the number of received logs.	-1
Max length in bytes	The maximum length of log messages, in bytes.	32766
Sleep interval	The interval, in seconds, to wait before querying again after a query has returned no logs.	60
Polling interval	The interval, in seconds, to wait before polling for new logs.	0
Drop if queue is full	Option for selecting to discard logs if there is a load on the MID Server.	False