A developer is investigating intermittent failures in a Lambda function whose JSON logs go to Amazon CloudWatch Logs. Each log event includes a level field and a requestId field. The developer needs to list, for the past hour, every event where level is ERROR together with its requestId, sorted with the most recent first, without exporting the logs anywhere. Which approach should the developer use?
- ACreate a metric filter on the log group that matches the ERROR pattern, then read the resulting metric data points to see the failing requestId values for the hour.
- BCreate a subscription filter on the log group that streams ERROR events to Amazon Kinesis Data Firehose, then inspect the delivered objects to find the requestId values.
- CRun a CloudWatch Logs Insights query over the log group that filters on level equals ERROR, displays the requestId field, and sorts by timestamp descending for the last hour. Correct
- DEnable CloudWatch Contributor Insights on the log group with a rule keyed on requestId, then read the top contributor report to list the failing requests for the hour.
Why A is wrong: A metric filter only emits a numeric count to a CloudWatch metric and cannot return the requestId field values, so it shows how many errors occurred but not which requests failed.
Why B is wrong: A subscription filter is built for continuous delivery to another service, so it adds a Firehose and storage hop and is far heavier than an ad hoc query for a one-hour investigation.
Why C is correct: Logs Insights queries the log group in place, so a filter on level with a fields and sort by timestamp returns the matching ERROR events and their requestId values newest first without any export.
Why D is wrong: Contributor Insights ranks the top contributors by a key rather than listing every matching event with its fields, so it cannot return the full time ordered set of ERROR events.