diff --git a/bin/query-cloudwatch b/bin/query-cloudwatch
new file mode 100755
index 00000000000..bdd13291abe
--- /dev/null
+++ b/bin/query-cloudwatch
@@ -0,0 +1,280 @@
+#!/usr/bin/env ruby
+Dir.chdir(File.dirname(__FILE__)) { require 'bundler/setup' }
+
+require 'active_support'
+require 'active_support/core_ext/integer/time'
+require 'aws-sdk-cloudwatchlogs'
+require 'concurrent-ruby'
+require 'csv'
+require 'json'
+require 'optparse'
+require 'optparse/time'
+
+$LOAD_PATH.unshift(File.expand_path(File.join(__dir__, '../lib')))
+require 'reporting/cloudwatch_client'
+
+class QueryCloudwatch
+  Config = Struct.new(
+    :log,
+    :group,
+    :slice,
+    :env,
+    :app,
+    :from,
+    :to,
+    :query,
+    :format,
+    :complete,
+    :progress,
+    :wait_duration,
+    keyword_init: true,
+  )
+
+  attr_reader :config
+
+  def initialize(config)
+    @config = config
+  end
+
+  def run(stdout: STDOUT)
+    cloudwatch_client.fetch(
+      query: config.query,
+      from: config.from,
+      to: config.to,
+    ) do |row|
+      stdout.puts format_response(row)
+    end
+  rescue Interrupt
+    # catch interrupts (ctrl-c) and directly exit, this skips printing the backtrace
+    exit 1
+  end
+
+  # Relies on the fact that hashes preserve insertion order
+  # @param [Hash] row
+  # @return [String]
+  def format_response(row)
+    case config.format
+    when :csv
+      row.values.to_csv
+    when :json
+      row.to_json
+    else
+      raise "unknown format #{config.format}"
+    end
+  end
+
+  def cloudwatch_client
+    @cloudwatch_client ||= Reporting::CloudwatchClient.new(
+      ensure_complete_logs: config.complete,
+      log_group_name: config.group,
+      progress: config.progress,
+      slice_interval: config.slice,
+      **config.to_h.slice(:wait_duration).compact,
+    )
+  end
+
+  # @return [Config]
+  def self.parse!(argv:, stdin:, stdout:, now: Time.now)
+    config = Config.new(
+      log: nil,
+      group: nil,
+      slice: parse_duration('1w'),
+      format: :csv,
+      to: now,
+      complete: false,
+      progress: true,
+    )
+
+    # rubocop:disable Metrics/BlockLength
+    OptionParser.new do |opts|
+      opts.banner = <<~TXT
+        Usage
+        =======================
+
+          #{$PROGRAM_NAME} [OPTIONS]
+
+        Script to query cloudwatch, splits a query up across multiple timeframes and combines
+        results (useful for querying a log period of time)
+
+        Examples
+        =======================
+
+        Query last 7 days, shorthand log, group query in STDIN
+
+        #{$PROGRAM_NAME} --from 7d --env int --app idp --log events.log <<QUERY
+          fields @timestamp
+          | limit 9999
+        QUERY
+
+        Query full log group, full timestamps, query as an arugment
+
+        #{$PROGRAM_NAME} \\
+          --group int_/srv/idp/shared/log/production.log \\
+          --start "2020-01-01T00:00:00-00:00" \\
+          --to "2020-12-31T23:59:59-00:00" \\
+          --query "fields @timestamp | limit 9999"
+
+        Timestamps
+        =======================
+
+        * Can be anything Ruby's Time.parse understands:
+
+          "2021-01-01T00:00:00-07:00"
+          "2021-01-01 00:00:00 -0700"
+
+        * Can be represented as duration shorthands:
+
+          10min - 10 minutes ago
+          9h    - 9 hours ago
+          8d    - 8 days ago
+          7w    - 7 weeks ago
+          6mon  - 6 months ago
+          5y    - 5 years ago
+
+        Options
+        =======================
+      TXT
+
+      opts.on('--env ENV', '(optional)') do |env|
+        config.env = env
+      end
+
+      opts.on('--app APP', '(optional)') do |app|
+        config.app = app
+      end
+
+      opts.on('--log LOG', 'shorthand log group (ex "events.log"), needs --app and --env') do |log|
+        config.log = log
+      end
+
+      opts.on(
+        '--group GROUP',
+        'shorthand log group (ex "int_/srv/idp/shared/log/production.log")',
+      ) do |group|
+        config.group = group
+      end
+
+      opts.on(
+        '--from STR', '--start STR',
+        'query start, see Timestamps above for examples'
+      ) do |str|
+        if (duration = parse_duration(str))
+          config.from = duration.ago(now)
+        else
+          config.from = Time.parse(str) # rubocop:disable Rails/TimeZone
+        end
+      end
+
+      opts.on(
+        '--to STR', '--end STR',
+        '(optional, defaults to now) query end, see Timestamps above for examples'
+      ) do |str|
+        if (duration = parse_duration(str))
+          config.to = duration.ago(now)
+        else
+          config.to = Time.parse(str) # rubocop:disable Rails/TimeZone
+        end
+      end
+
+      opts.on('--query QUERY', 'Cloudwatch Insights query') do |query|
+        config.query = query
+      end
+
+      opts.on('--slice SLICE', '(optional) query slice size duration, defaults to 1w') do |slice|
+        config.slice = parse_duration(slice)
+      end
+
+      opts.on('--json', 'format output as newline-delimited JSON (nd-json)') do
+        config.format = :json
+      end
+
+      opts.on('--csv', '(default) format output as CSV') do
+        config.format = :csv
+      end
+
+      opts.on(
+        '--[no-]complete',
+        'whether or not to split query slices if exactly 10k rows are returned, defaults to off',
+      ) do |complete|
+        config.complete = complete
+      end
+
+      opts.on('--[no-]progress', 'whether or not show a progress bar, defaults to on') do |progress|
+        config.progress = progress
+      end
+
+      opts.on('-h', '--help', 'Prints this help') do
+        stdout.puts opts
+        exit
+        return # rubocop:disable Lint/NonLocalExitFromIterator, Lint/UnreachableCode
+      end
+    end.parse!(argv)
+    # rubocop:enable Metrics/BlockLength
+
+    if (app = config.app) && (env = config.env) && !(log = config.log).blank?
+      config.group = build_group(app: app, env: env, log: log)
+    end
+
+    errors = []
+
+    if config.group.blank?
+      errors << 'ERROR: missing log group --group or (--app and --env and --log)'
+    end
+
+    errors << 'ERROR: missing time range --from or --start' if !config.from
+
+    if !config.query
+      if stdin.tty?
+        errors << 'ERROR: missing query, either STDIN or --query)'
+      else
+        config.query = stdin.read
+      end
+    end
+
+    if !errors.empty?
+      stdout.puts errors
+      exit 1
+      return # rubocop:disable Lint/UnreachableCode
+    end
+
+    config
+  end
+
+  # @param [String] log ex production.log
+  # @param [String] app ex idp
+  # @param [String] env ex int
+  def self.build_group(log:, app:, env:)
+    "#{env}_/srv/#{app}/shared/log/#{log}"
+  end
+
+  # @param [String] value a string such as 1min, 2h, 3d, 4w, 5mon, 6y
+  # @return [ActiveSupport::Duration]
+  def self.parse_duration(value)
+    if (match = value.match(/^(?<number>\d+)(?<unit>\D+)$/))
+      number = Integer(match[:number], 10)
+
+      duration = case match[:unit]
+      when 'min'
+        number.minutes
+      when 'h'
+        number.hours
+      when 'd'
+        number.days
+      when 'w'
+        number.weeks
+      when 'mon'
+        number.months
+      when 'y'
+        number.years
+      end
+
+      return duration if duration
+    end
+  end
+end
+
+if __FILE__ == $PROGRAM_NAME
+  config = QueryCloudwatch.parse!(argv: ARGV, stdin: STDIN, stdout: STDOUT)
+
+  QueryCloudwatch.new(config).run
+end
diff --git a/lib/reporting/cloudwatch_client.rb b/lib/reporting/cloudwatch_client.rb
index d787af98b20..cc101b98ee0 100644
--- a/lib/reporting/cloudwatch_client.rb
+++ b/lib/reporting/cloudwatch_client.rb
@@ -8,7 +8,7 @@ class CloudwatchClient
     DEFAULT_WAIT_DURATION = 3
     MAX_RESULTS_LIMIT = 10_000
 
-    attr_reader :num_threads, :wait_duration, :slice_interval, :logger
+    attr_reader :num_threads, :wait_duration, :slice_interval, :logger, :log_group_name
 
     # @param [Boolean] ensure_complete_logs when true, will detect when queries return exactly
     #  10,000 rows (Cloudwatch Insights max limit) and then recursively split the query window into
@@ -26,7 +26,8 @@ def initialize(
       wait_duration: DEFAULT_WAIT_DURATION,
       slice_interval: 1.day,
       logger: nil,
-      progress: true
+      progress: true,
+      log_group_name: 'prod_/srv/idp/shared/log/events.log'
     )
       @ensure_complete_logs = ensure_complete_logs
       @num_threads = num_threads
@@ -34,6 +35,7 @@ def initialize(
       @slice_interval = slice_interval
       @logger = logger
       @progress = progress
+      @log_group_name = log_group_name
     end
 
     # Either both (from, to) or time_slices must be provided
@@ -41,9 +43,17 @@ def initialize(
     # @param [Time] from
     # @param [Time] to
     # @param [Array<Range<Time>>] time_slices Pass an to use specific slices
-    # @return [Array<Hash>]
+    # @raise [ArgumentError] raised when incorrect time parameters are received
+    # @overload fetch(query:, from:, to:)
+    #   The block-less form returns the array of *all* results at the end
+    #   @return [Array<Hash>]
+    # @overload fetch(query: time_slices:) { |row| "..." }
+    #   The block form yields each result row as its ready to the block and returns nil
+    #   @yieldparam [Hash] row a row of the query result
+    #   @return [nil]
     def fetch(query:, from: nil, to: nil, time_slices: nil)
-      results = Concurrent::Array.new
+      results = Concurrent::Array.new if !block_given?
+      each_result_queue = Queue.new if block_given?
       in_progress = Concurrent::Hash.new(0)
 
       # Time slices to query, a tuple of range_to_query, range_id [Range<Time>, Integer]
@@ -68,6 +78,7 @@ def fetch(query:, from: nil, to: nil, time_slices: nil)
       log(:debug, "starting query, queue_size=#{queue.length} num_threads=#{num_threads}")
       log(:info, "=== query ===\n#{query}\n=== query ===")
 
+      # rubocop:disable Metrics/BlockLength
       threads = num_threads.times.map do |thread_idx|
         Thread.new do
           while (range, range_id = queue.pop)
@@ -91,7 +102,14 @@ def fetch(query:, from: nil, to: nil, time_slices: nil)
             else
               log(:debug, "worker finished, slice_duration=#{end_time - start_time}")
               in_progress[range_id] -= 1
-              results.concat(parse_results(response.results))
+              parsed_results = parse_results(response.results)
+
+              results&.concat(parsed_results)
+              if each_result_queue
+                parsed_results.each do |row|
+                  each_result_queue << row
+                end
+              end
             end
           end
 
@@ -102,6 +120,15 @@ def fetch(query:, from: nil, to: nil, time_slices: nil)
           thread.abort_on_exception = true
         end
       end
+      # rubocop:enable Metrics/BlockLength
+
+      if each_result_queue
+        threads << Thread.new do
+          while (row = each_result_queue.pop)
+            yield row
+          end
+        end
+      end
 
       until (num_in_progress = in_progress.sum(&:last)).zero?
         @progress_bar&.refresh
@@ -109,6 +136,7 @@ def fetch(query:, from: nil, to: nil, time_slices: nil)
         sleep wait_duration
       end
       queue.close
+      each_result_queue&.close
       threads.each(&:value) # wait for all threads
 
       @progress_bar&.finish
@@ -126,8 +154,7 @@ def fetch_one(query:, start_time:, end_time:)
       log(:debug, "starting query: #{start_time}..#{end_time}")
 
       query_id = aws_client.start_query(
-        # NOTE: this should be configurable as well
-        log_group_name: 'prod_/srv/idp/shared/log/events.log',
+        log_group_name: log_group_name,
         start_time:,
         end_time:,
         query_string: query.to_s,
diff --git a/spec/bin/query-cloudwatch_spec.rb b/spec/bin/query-cloudwatch_spec.rb
new file mode 100644
index 00000000000..5b05b97406a
--- /dev/null
+++ b/spec/bin/query-cloudwatch_spec.rb
@@ -0,0 +1,266 @@
+require 'rails_helper'
+load Rails.root.join('bin/query-cloudwatch')
+
+RSpec.describe QueryCloudwatch do
+  describe '.parse!' do
+    let(:stdin) { build_stdin_without_query }
+    let(:argv) { [] }
+    let(:stdout) { StringIO.new }
+    let(:required_parameters) { %w[--from 1d --group some/log --query fields\ @message] }
+    let(:now) { Time.zone.now }
+    subject(:parse!) { QueryCloudwatch.parse!(argv:, stdin:, stdout:, now:) }
+
+    before do
+      allow(QueryCloudwatch).to receive(:exit)
+    end
+
+    context 'with no arguments' do
+      it 'prints an error messages and exits uncleanly' do
+        expect(QueryCloudwatch).to receive(:exit).with(1)
+        parse!
+        expect(stdout.string).to include 'ERROR: missing'
+      end
+    end
+
+    context 'with --help' do
+      let(:argv) { %w[--help] }
+      it 'prints help and exits cleanly' do
+        expect(QueryCloudwatch).to receive(:exit).with(no_args)
+        parse!
+        expect(stdout.string).to include 'Script to query cloudwatch'
+      end
+    end
+
+    context 'passing in a query' do
+      let(:required_nonquery_args) { %w[--from 1d --group some/log] }
+      context 'passing in no query' do
+        let(:argv) { required_nonquery_args }
+        let(:stdin) { build_stdin_without_query }
+
+        it 'returns an error' do
+          parse!
+          expect(stdout.string).to include 'ERROR'
+        end
+      end
+
+      context 'passing in a query in argv' do
+        let(:stdin) { build_stdin_without_query }
+        let(:argv) { required_parameters }
+
+        it 'assigns query to query' do
+          config = parse!
+          expect(config.query).to include 'fields @message'
+        end
+      end
+
+      context 'passing in a query in stdin' do
+        let(:stdin) { build_stdin_with_query('fields @message') }
+        let(:argv) { required_nonquery_args }
+
+        it 'assigns query to query' do
+          config = parse!
+          expect(config.query).to include 'fields @message'
+        end
+      end
+    end
+
+    context '--app and --env and --log' do
+      let(:required_nongroup_parameters) { %w[--from 1d --query fields\ @message] }
+      let(:argv) { required_parameters + %w[--app idp --env int --log events.log] }
+
+      it 'builds a log group' do
+        config = parse!
+        expect(config.group).to eq('int_/srv/idp/shared/log/events.log')
+      end
+    end
+
+    context 'with --to' do
+      let(:argv) { required_parameters + ['--to', to] }
+
+      context 'with a duration' do
+        let(:to) { '5w' }
+
+        it 'parses the duration' do
+          config = parse!
+          expect(config.to).to eq(5.weeks.ago(now))
+        end
+      end
+
+      context 'with a timestamp' do
+        let(:to) { '2023-01-01T00:00:00Z' }
+
+        it 'parses the timestmap' do
+          config = parse!
+          expect(config.to).to eq(Date.new(2023, 1, 1).in_time_zone('UTC').beginning_of_day)
+        end
+      end
+    end
+
+    context 'with --no-progress' do
+      let(:argv) { required_parameters + %w[--no-progress] }
+
+      it 'assigns progress to false' do
+        config = parse!
+        expect(config.progress).to be false
+      end
+    end
+
+    context 'with --progress' do
+      let(:argv) { required_parameters + %w[--progress] }
+
+      it 'assigns progress to true' do
+        config = parse!
+        expect(config.progress).to be true
+      end
+    end
+
+    context 'with --no-complete' do
+      let(:argv) { required_parameters + %w[--no-complete] }
+
+      it 'assigns complete to false' do
+        config = parse!
+        expect(config.complete).to be false
+      end
+    end
+
+    context 'with --complete' do
+      let(:argv) { required_parameters + %w[--complete] }
+
+      it 'assigns complete to true' do
+        config = parse!
+        expect(config.complete).to be true
+      end
+    end
+
+    context 'with --csv' do
+      let(:argv) { required_parameters + %w[--csv] }
+
+      it 'assigns format to true' do
+        config = parse!
+        expect(config.format).to eq :csv
+      end
+    end
+
+    context 'with --json' do
+      let(:argv) { required_parameters + %w[--json] }
+
+      it 'assigns format to true' do
+        config = parse!
+        expect(config.format).to eq :json
+      end
+    end
+
+    context 'with --slice' do
+      let(:argv) { required_parameters + %w[--slice 3mon] }
+
+      it 'assigns the slice duration' do
+        config = parse!
+        expect(config.slice).to eq(3.months)
+      end
+    end
+
+    def build_stdin_without_query
+      StringIO.new.tap do |io|
+        allow(io).to receive(:tty?).and_return(true)
+      end
+    end
+
+    def build_stdin_with_query(query)
+      StringIO.new(query)
+    end
+  end
+
+  describe '.parse_duration' do
+    it 'parses min as minutes' do
+      expect(QueryCloudwatch.parse_duration('1111min')).to eq(1111.minutes)
+    end
+
+    it 'parses h as hours' do
+      expect(QueryCloudwatch.parse_duration('2h')).to eq(2.hours)
+    end
+
+    it 'parses d as days' do
+      expect(QueryCloudwatch.parse_duration('3d')).to eq(3.days)
+    end
+
+    it 'parses w as weeks' do
+      expect(QueryCloudwatch.parse_duration('4w')).to eq(4.weeks)
+    end
+
+    it 'parses mon as months' do
+      expect(QueryCloudwatch.parse_duration('5mon')).to eq(5.months)
+    end
+
+    it 'parses y as years' do
+      expect(QueryCloudwatch.parse_duration('6y')).to eq(6.years)
+    end
+
+    it 'is nil for unknown' do
+      expect(QueryCloudwatch.parse_duration('7x')).to be_nil
+    end
+  end
+
+  describe '#run' do
+    let(:format) { :csv }
+    let(:config) do
+      QueryCloudwatch::Config.new(
+        group: 'foobar',
+        slice: 1.week,
+        from: 2.days.ago,
+        to: Time.zone.now,
+        progress: false,
+        wait_duration: 0,
+        query: 'fields @timestamp, @message',
+        format: format,
+      )
+    end
+    let(:query_cloudwatch) { QueryCloudwatch.new(config) }
+    let(:stdout) { StringIO.new }
+    subject(:run) { query_cloudwatch.run(stdout:) }
+
+    before do
+      Aws.config[:cloudwatchlogs] = {
+        stub_responses: {
+          start_query: [
+            { query_id: '123abc' },
+          ],
+          get_query_results: [
+            {
+              status: 'Complete',
+              results: [
+                [
+                  { field: '@timestamp', value: 'timestamp-1' },
+                  { field: '@message', value: 'message-1' },
+                ],
+                [
+                  { field: '@timestamp', value: 'timestamp-2' },
+                  { field: '@message', value: 'message-2' },
+                ],
+              ],
+            },
+          ],
+        },
+      }
+    end
+
+    it 'outputs a csv format' do
+      run
+      expect(stdout.string).to eq <<~STR
+        timestamp-1,message-1
+        timestamp-2,message-2
+      STR
+    end
+
+    context 'with a json format' do
+      let(:format) { :json }
+
+      it 'outputs newline deliminated json' do
+        run
+        expect(stdout.string).to eq <<~STR
+          {"@timestamp":"timestamp-1","@message":"message-1"}
+          {"@timestamp":"timestamp-2","@message":"message-2"}
+        STR
+      end
+    end
+  end
+end
diff --git a/spec/lib/reporting/cloudwatch_client_spec.rb b/spec/lib/reporting/cloudwatch_client_spec.rb
index c7552ced12b..468753704ed 100644
--- a/spec/lib/reporting/cloudwatch_client_spec.rb
+++ b/spec/lib/reporting/cloudwatch_client_spec.rb
@@ -20,12 +20,6 @@
     )
   end
 
-  let(:stubbed_aws_sdk_client) { Aws::CloudWatchLogs::Client.new(stub_responses: true) }
-
-  before do
-    allow(client).to receive(:aws_client).and_return(stubbed_aws_sdk_client)
-  end
-
   describe '#fetch' do
     let(:from) { 3.days.ago }
     let(:to) { 1.day.ago }
@@ -46,21 +40,22 @@ def to_result_fields(hsh)
     def stub_single_page
       query_id = SecureRandom.hex
 
-      stubbed_aws_sdk_client.stub_responses(:start_query, { query_id: query_id })
-      stubbed_aws_sdk_client.stub_responses(
-        :get_query_results,
-        {
-          status: 'Complete',
-          results: [
-            # rubocop:disable Layout/LineLength
-            to_result_fields('@message' => 'aaa', '@timestamp' => now.iso8601, '@ptr' => SecureRandom.hex),
-            to_result_fields('@message' => 'bbb', '@timestamp' => now.iso8601, '@ptr' => SecureRandom.hex),
-            to_result_fields('@message' => 'ccc', '@timestamp' => now.iso8601, '@ptr' => SecureRandom.hex),
-            to_result_fields('@message' => 'ddd', '@timestamp' => now.iso8601, '@ptr' => SecureRandom.hex),
-            # rubocop:enable Layout/LineLength
-          ],
+      Aws.config[:cloudwatchlogs] = {
+        stub_responses: {
+          start_query: { query_id: query_id },
+          get_query_results: {
+            status: 'Complete',
+            results: [
+              # rubocop:disable Layout/LineLength
+              to_result_fields('@message' => 'aaa', '@timestamp' => now.iso8601, '@ptr' => SecureRandom.hex),
+              to_result_fields('@message' => 'bbb', '@timestamp' => now.iso8601, '@ptr' => SecureRandom.hex),
+              to_result_fields('@message' => 'ccc', '@timestamp' => now.iso8601, '@ptr' => SecureRandom.hex),
+              to_result_fields('@message' => 'ddd', '@timestamp' => now.iso8601, '@ptr' => SecureRandom.hex),
+              # rubocop:enable Layout/LineLength
+            ],
+          },
         },
-      )
+      }
     end
 
     context ':slice_interval is falsy' do
@@ -120,6 +115,25 @@ def stub_single_page
       )
     end
 
+    it 'yields each row to the block and returns nil with a block' do
+      stub_single_page
+
+      results = []
+      direct_return = client.fetch(query:, from:, to:, time_slices:) do |row|
+        results << row
+      end
+
+      expect(direct_return).to be_nil
+      expect(results).to match_array(
+        [
+          { '@message' => 'aaa', '@timestamp' => now.iso8601 },
+          { '@message' => 'bbb', '@timestamp' => now.iso8601 },
+          { '@message' => 'ccc', '@timestamp' => now.iso8601 },
+          { '@message' => 'ddd', '@timestamp' => now.iso8601 },
+        ],
+      )
+    end
+
     context ':progress' do
       let(:progress) { StringIO.new }
 
@@ -139,41 +153,38 @@ def stub_single_page
       let(:to) { Time.zone.at(1000) }
 
       before do
-        stubbed_aws_sdk_client.stub_responses(
-          :start_query,
-          proc do |context|
-            start_time, end_time = context.params.values_at(:start_time, :end_time)
-
-            query_id = case [start_time, end_time]
-            when [1, 500]
-              'query_id_too_many_results'
-            when [501, 1000], [1, 249], [250, 500]
-              'query_id_normal_results'
-            else
-              raise "no start_query stub for start_time=#{start_time}, end_time=#{end_time}"
-            end
-
-            { query_id: }
-          end,
-        )
-
-        stubbed_aws_sdk_client.stub_responses(
-          :get_query_results,
-          proc do |context|
-            query_id = context.params[:query_id]
-
-            results = case query_id
-            when 'query_id_too_many_results'
-              10_001.times.map { to_result_fields('@message' => 'aaa') }
-            when 'query_id_normal_results'
-              333.times.map { to_result_fields('@message' => 'aaa') }
-            else
-              raise "Unknown query_id=#{query_id}"
-            end
-
-            { status: 'Complete', results: }
-          end,
-        )
+        Aws.config[:cloudwatchlogs] = {
+          stub_responses: {
+            start_query: proc do |context|
+              start_time, end_time = context.params.values_at(:start_time, :end_time)
+
+              query_id = case [start_time, end_time]
+              when [1, 500]
+                'query_id_too_many_results'
+              when [501, 1000], [1, 249], [250, 500]
+                'query_id_normal_results'
+              else
+                raise "no start_query stub for start_time=#{start_time}, end_time=#{end_time}"
+              end
+
+              { query_id: }
+            end,
+            get_query_results: proc do |context|
+              query_id = context.params[:query_id]
+
+              results = case query_id
+              when 'query_id_too_many_results'
+                10_001.times.map { to_result_fields('@message' => 'aaa') }
+              when 'query_id_normal_results'
+                333.times.map { to_result_fields('@message' => 'aaa') }
+              else
+                raise "Unknown query_id=#{query_id}"
+              end
+
+              { status: 'Complete', results: }
+            end,
+          },
+        }
       end
 
       it 'slices by interval and recurses as needed to get full results' do
@@ -185,13 +196,14 @@ def stub_single_page
 
     context 'query is before Cloudwatch Insights Availability and AWS errors' do
       before do
-        stubbed_aws_sdk_client.stub_responses(
-          :start_query,
-          Aws::CloudWatchLogs::Errors::InvalidParameterException.new(
-            nil,
-            'End time should not be before the service was generally available',
-          ),
-        )
+        Aws.config[:cloudwatchlogs] = {
+          stub_responses: {
+            start_query: Aws::CloudWatchLogs::Errors::InvalidParameterException.new(
+              nil,
+              'End time should not be before the service was generally available',
+            ),
+          },
+        }
       end
 
       it 'logs a warning and returns an empty array for that range' do
diff --git a/spec/simplecov_merger.rb b/spec/simplecov_merger.rb
index 97cfea2c09f..5ef930e888a 100755
--- a/spec/simplecov_merger.rb
+++ b/spec/simplecov_merger.rb
@@ -4,7 +4,7 @@
 
 module SimpleCov
   module ResultMerger
-    RSPEC_FILENAME_REGEX = %r{^(?<filename>[_\w\d/.]+\.rb)}
+    RSPEC_FILENAME_REGEX = %r{^(?<filename>[-_\w\d/.]+(?<extension>\.rb)?)}
     def self.merging!
       SimplecovHelper.configure
       fix_gitlab_paths if ENV['GITLAB_CI']
@@ -41,7 +41,7 @@ def self.merge_json_reports
       File.write('rspec_json/rspec.json', merged_hash.to_json)
 
       knapsack = merged_hash['examples'].group_by do |x|
-        RSPEC_FILENAME_REGEX.match(x['id'][2..])['filename']
+        RSPEC_FILENAME_REGEX.match(x['id'][2..])[:filename]
       end.map do |filename, examples|
         [filename, examples.map { |x| x['run_time'] }.sum]
       end.sort.to_h