> ## Documentation Index
> Fetch the complete documentation index at: https://www.ravion.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Query CloudWatch Logs Insights rows

> Run CloudWatch Logs Insights over a selected set of module-instance ui.logs sources, filtered by a structured predicate tree. Returns normalized log rows (paged via `nextEndTimeMs`). The histogram is a SEPARATE endpoint so rows render without waiting for the full-window aggregation. POST (not GET) because the filter is a recursive model that can't ride query params.



## OpenAPI

````yaml https://api.ravion.com/openapi.yaml post /aws/cloudwatch/logs-insights
openapi: 3.0.0
info:
  title: Ravion
  version: 0.0.0
servers:
  - url: https://api.ravion.com
security:
  - BearerAuth: []
tags:
  - name: Projects
  - name: Environments
  - name: Pipelines
  - name: PipelineRuns
  - name: TerraformResources
  - name: TerraformExecutionSummaries
  - name: PipelineStepExecutions
  - name: AwsCloudWatch
  - name: PipelineVersions
  - name: Organizations
  - name: Stacks
  - name: StackWorkspaces
  - name: Auth
  - name: OAuth
  - name: User
  - name: Health
  - name: Memberships
  - name: ServiceAccounts
  - name: AwsDefaultNetworks
  - name: AwsAccounts
  - name: ApiKeys
  - name: ExecutionEnvironments
  - name: ModuleDefinitions
  - name: ModuleVersions
  - name: ModuleInstances
  - name: DefaultValueDefinitions
  - name: DefaultValues
  - name: CodeSources
  - name: Github
  - name: Gitlab
  - name: Git
  - name: Values
  - name: Deployments
  - name: DeploymentResources
  - name: InfrastructureEvents
  - name: WebSocket
  - name: Describe
paths:
  /aws/cloudwatch/logs-insights:
    post:
      tags:
        - AwsCloudWatch
      summary: Query CloudWatch Logs Insights rows
      description: >-
        Run CloudWatch Logs Insights over a selected set of module-instance
        ui.logs sources, filtered by a structured predicate tree. Returns
        normalized log rows (paged via `nextEndTimeMs`). The histogram is a
        SEPARATE endpoint so rows render without waiting for the full-window
        aggregation. POST (not GET) because the filter is a recursive model that
        can't ride query params.
      operationId: GetCloudWatchLogsInsights
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CloudWatchLogsInsightsRequest'
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CloudWatchLogsInsightsResponse'
          description: The request has succeeded.
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Errors.UserFacingErrorData'
          description: The request is invalid or malformed.
        '404':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Errors.UserFacingErrorData'
          description: The server cannot find the requested resource.
        '422':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Errors.UserFacingErrorData'
          description: Client error
        '500':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Errors.UserFacingErrorData'
          description: Server error
components:
  schemas:
    CloudWatchLogsInsightsRequest:
      additionalProperties: false
      description: >-
        Request body for the Logs Insights query. Scope is resolved from
        whichever selector is provided — `environmentId` (all of an
        environment's instances), `moduleInstanceIds`, and/or `logSourceKeys` —
        so the endpoint is not tied to one entity type. At least one is
        required.
      properties:
        complete:
          description: >-
            Return every row in the window (up to the 10000 maximum) rather than
            a single page. Use this for a small, recent window — e.g. a live
            tail polling for new rows since the last one it saw — so the caller
            doesn't have to page.
          nullable: true
          type: boolean
        endTime:
          description: Inclusive end of the query window (ISO 8601)
          type: string
        environmentId:
          description: >-
            Environment whose module-instance ui.logs sources are queried.
            Optional: omit it when `moduleInstanceIds` and/or `logSourceKeys`
            already name the sources to query.
          nullable: true
          type: string
        filter:
          allOf:
            - $ref: '#/components/schemas/CloudWatchLogFilter'
          description: >-
            Structured filter predicate tree applied to the matched sources.
            Omit (or send `{kind:"all"}`) for no filter. Negation, OR and
            grouping are honored server-side; predicates the source can't
            represent are dropped and reported in the response's `unsupported`.
        limit:
          description: >-
            Max rows to return (default 1000, max 10000). The row list is the
            most recent `limit` rows in the window; page further back by
            re-querying with `nextEndTimeMs` as the `endTime`.
          format: int32
          nullable: true
          type: integer
        logSourceKeys:
          description: >-
            Restrict to these individual ui.logs sources, each a composite
            `<moduleInstanceId>::<logSourceId>` key (the ui.logs source id is
            unique only within an instance). When set, only the named sources
            are queried — a finer filter than moduleInstanceIds, which it
            overrides for the listed instances. May be supplied without
            `environmentId`.
          items:
            type: string
          nullable: true
          type: array
        moduleInstanceIds:
          description: >-
            Restrict to these module instance ids. Combined with `environmentId`
            it narrows to a subset; supplied WITHOUT `environmentId` it selects
            exactly these instances. Omit to query every instance in
            `environmentId`.
          items:
            type: string
          nullable: true
          type: array
        startTime:
          description: Inclusive start of the query window (ISO 8601)
          type: string
      required:
        - startTime
        - endTime
      type: object
    CloudWatchLogsInsightsResponse:
      additionalProperties: false
      description: >-
        Response payload for a CloudWatch Logs Insights ROW query (the histogram
        is a separate endpoint).
      properties:
        missedSources:
          description: >-
            Log groups of the sources that could not be queried for this request
            (empty unless `partial` is true). Surface these so the user knows
            exactly which sources are missing from the result.
          items:
            type: string
          type: array
        nextEndTimeMs:
          description: >-
            Epoch-millis cursor for the NEXT (older) page: re-query with the
            same `startTime` and this value as `endTime`. 0 means there are no
            older rows to load. Computed server-side from the raw coverage
            boundary (not the post-filter row count), so a narrow level filter —
            or sources of differing density — never makes a short page look like
            the end of the data.
          format: int64
          type: integer
        partial:
          description: >-
            True when one or more selected log sources could not be queried
            (e.g. an account's credentials failed), so the rows omit those
            sources. The affected sources are listed in `missedSources`. This is
            NOT set for paging — the row list is complete up to `limit`, with
            older rows reachable via `nextEndTimeMs`.
          type: boolean
        resultCount:
          description: Total number of rows returned
          format: int32
          type: integer
        rows:
          description: Merged, time-sorted (desc) log rows across all selected sources.
          items:
            $ref: '#/components/schemas/CloudWatchLogInsightsRow'
          type: array
        unsupported:
          description: >-
            Human-readable reasons for filter predicates the server could not
            represent on this source and therefore did NOT apply (e.g. numeric
            ranges). When non-empty the result is BROADER than the submitted
            filter — surface a warning. Empty when the whole filter was applied.
          items:
            type: string
          type: array
      required:
        - rows
        - nextEndTimeMs
        - partial
        - missedSources
        - resultCount
        - unsupported
      type: object
    Errors.UserFacingErrorData:
      additionalProperties: false
      description: |-
        User-facing error presentation data.
        This is what the API returns to the frontend after formatting ErrorData
        using CEL templates from the error registry.

        Used for both:
        - Error fields on domain models (e.g., PipelineRun.error)
        - API error response bodies (HTTP 4xx/5xx responses)
      properties:
        action:
          allOf:
            - $ref: '#/components/schemas/Errors.Action'
          description: Optional action to help resolve the error
        code:
          description: Full error code, e.g., "Ravion:Pipeline:NOT_FOUND"
          type: string
        description:
          description: Additional description with more details
          type: string
        details:
          description: Structured details rendered as user-facing sections.
          items:
            $ref: '#/components/schemas/Errors.UserFacingErrorDetailSection'
          type: array
        isInternal:
          description: >-
            Indicates whether this error is internal (only set when
            ShowInternal=true).

            This allows SUPERADMINs to identify internal errors while viewing
            full details.
          type: boolean
        message:
          description: Main error message (required)
          type: string
        metadata:
          additionalProperties: {}
          description: >-
            Error params/metadata. Stripped for internal errors unless
            superadmin.
          type: object
        requestId:
          description: Request ID for correlating errors with server logs.
          type: string
      required:
        - code
        - message
      type: object
    CloudWatchLogFilter:
      additionalProperties: false
      description: >-
        One node in the structured log-filter predicate tree. `kind`
        discriminates the node; the other fields are populated per kind. The
        empty filter is `{kind:"all"}`. This is the wire form of the LogSearch
        AST — the server translates it into the source's query language
        (CloudWatch Logs Insights today), so negation/OR/grouping are honored
        server-side rather than dropped on the client.
      properties:
        filter:
          allOf:
            - $ref: '#/components/schemas/CloudWatchLogFilter'
          description: Child predicate for a `not` node.
        filters:
          description: Child predicates for `and` / `or` nodes.
          items:
            $ref: '#/components/schemas/CloudWatchLogFilter'
          type: array
        kind:
          description: >-
            Node kind: `all` (match everything) | `and` | `or` | `not` | `field`
            | `text`.
          type: string
        operator:
          description: >-
            Match operator for a `field` node: `eq` | `neq` | `contains` |
            `regex` | `gt` | `gte` | `lt` | `lte`. (Named `operator`, not `op`,
            because `op` is a TypeSpec keyword.)
          type: string
        path:
          description: >-
            Field path for a `field` node. The well-known paths `level` and
            `stream` route to dedicated channels (classified level /
            `@logStream`); any other path matches a JSON key:value fragment in
            `@message`.
          type: string
        value:
          description: >-
            Literal value for a `field` or `text` node. Shipped RAW — the server
            does all escaping.
          type: string
      required:
        - kind
      type: object
    CloudWatchLogInsightsRow:
      additionalProperties: false
      description: A single normalized CloudWatch Logs Insights result row
      properties:
        eventId:
          description: Stable per-event id (CloudWatch @ptr) used for de-duplication
          type: string
        level:
          description: >-
            Server-classified level (debug|info|warn|error), folded the same way
            as the histogram so the table and chart agree
          type: string
        logSourceId:
          description: The ui.logs source id (UILog.id) this row came from
          type: string
        logStream:
          description: The CloudWatch log stream the event came from
          type: string
        message:
          description: The raw log message (JSON string or plain text)
          type: string
        sourceId:
          description: The module instance id this row's source belongs to
          type: string
        timestamp:
          description: Event time as epoch milliseconds
          format: int64
          type: integer
      required:
        - timestamp
        - message
        - logStream
        - sourceId
        - logSourceId
        - level
      type: object
    Errors.Action:
      additionalProperties: false
      description: Action to help user resolve the error
      properties:
        label:
          description: Button/link label text
          type: string
        url:
          description: URL to navigate to for resolution
          type: string
      required:
        - label
        - url
      type: object
    Errors.UserFacingErrorDetailSection:
      additionalProperties: false
      description: Structured user-facing error detail section.
      properties:
        items:
          description: List of detail values for this section.
          items:
            type: string
          type: array
        object:
          additionalProperties: {}
          description: Structured detail payload for object rendering.
          type: object
        render:
          description: Rendering hint for clients. Valid values are list or object.
          type: string
        title:
          description: Detail section title shown in the UI.
          type: string
      required:
        - title
        - render
      type: object
  securitySchemes:
    BearerAuth:
      scheme: Bearer
      type: http

````