The answer is that the query returns no results because the log events are in JSON format, not plain text, so the ERROR string is nested within a JSON field rather than directly in the @message field. CloudWatch Logs Insights stores the entire raw log event in the @message field, but when logs are in JSON format, the filter `@message like /ERROR/` fails because the string is part of a structured key-value pair, not a standalone plain-text line. This is a common trap on the AWS Certified SAP on AWS Specialty PAS-C01 exam, testing your understanding of how CloudWatch Logs parses different log formats—JSON logs require parsing with functions like `parse @message '$.level'` or using the `filter` command on specific JSON fields. The exam often presents this scenario to catch candidates who assume all logs are plain text. Memory tip: think “JSON means nested—filter the field, not the message.”
PAS-C01 Operations and Maintenance Practice Question
This PAS-C01 practice question tests your understanding of operations and maintenance. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
CloudWatch Logs Insights query:
fields @timestamp, @message
| filter @message like /ERROR/
| stats count() by @logStream
| sort count() desc
| limit 10
An SAP administrator runs the above CloudWatch Logs Insights query on an application log group. The query returns no results even though the administrator knows there are ERROR messages in the logs. What is the most likely cause?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The log events are not in plain text; they are in JSON format and the ERROR string is within a JSON field.
Option B is correct because the query filters on the @message field, but CloudWatch Logs stores the log event message in the @message field. However, if the log events are not parsed correctly (e.g., if using JSON logs), the filter may not match. Option A is wrong because the syntax is correct. Option C is wrong because the query does not use regex. Option D is wrong because time range affects the results but does not cause zero results if errors exist.
Key principle: NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The query uses a regex pattern that is not supported by CloudWatch Logs Insights.
Why it's wrong here
CloudWatch Logs Insights supports regex.
✗
The query syntax is incorrect; the filter should use 'like' instead of '/.../'.
Why it's wrong here
The syntax is valid; filter with /.../ is regex.
✗
The time range is set to a period when no ERROR messages were logged.
Why it's wrong here
The administrator knows errors exist, so the time range should include them.
✓
The log events are not in plain text; they are in JSON format and the ERROR string is within a JSON field.
Why this is correct
If logs are JSON, @message contains the entire JSON string; the filter may need to target a specific field.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
Related concept
Static NAT maps one inside address to one outside address.
Common exam traps
Common exam trap: NAT rules depend on direction and matching traffic
NAT is not only about the public address. The inside/outside interface roles and the ACL or rule that matches traffic are just as important.
Detailed technical explanation
How to think about this question
NAT questions usually test address translation, overload/PAT behaviour, static mappings and whether the right traffic is being translated. Read the interface direction and address terms carefully.
KKey Concepts to Remember
Static NAT maps one inside address to one outside address.
PAT allows many inside hosts to share one public address using ports.
Inside local and inside global describe the private and translated addresses.
NAT ACLs identify traffic for translation, not always security filtering.
TExam Day Tips
→Identify inside and outside interfaces first.
→Check whether the scenario needs static NAT, dynamic NAT or PAT.
→Do not confuse NAT matching ACLs with normal packet-filtering intent.
Key takeaway
NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.
Real-world example
How this comes up in practice
A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated. Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.
What to study next
Got this wrong? Here's your next step.
Review the four NAT address types (inside local, inside global, outside local, outside global), PAT port overload, and static vs dynamic NAT use cases. Then practise related PAS-C01 NAT questions on configuration and troubleshooting.
Operations and Maintenance — This question tests Operations and Maintenance — Static NAT maps one inside address to one outside address..
What is the correct answer to this question?
The correct answer is: The log events are not in plain text; they are in JSON format and the ERROR string is within a JSON field. — Option B is correct because the query filters on the @message field, but CloudWatch Logs stores the log event message in the @message field. However, if the log events are not parsed correctly (e.g., if using JSON logs), the filter may not match. Option A is wrong because the syntax is correct. Option C is wrong because the query does not use regex. Option D is wrong because time range affects the results but does not cause zero results if errors exist.
What should I do if I get this PAS-C01 question wrong?
Review the four NAT address types (inside local, inside global, outside local, outside global), PAT port overload, and static vs dynamic NAT use cases. Then practise related PAS-C01 NAT questions on configuration and troubleshooting.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Static NAT maps one inside address to one outside address.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This PAS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PAS-C01 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.