DataDog log search syntax

Suppose we want to find some log entry in DataDog. In this article you’ll find the answers to these questions:

  • datadog log search
  • datadog log search syntax
  • datadog query logs
  • datadog query language
  • how to use wildcards datadog logs
  • how to exclude word datadog
  • how to exclude by wildcard datadog

First of all, there is an official doc: https://docs.datadoghq.com/logs/explorer/search_syntax.

However, from my point of view, this page is not entirely clear; there are still a number of blind spots.

There are two types of searches: searches by specific field or searches by “general log line”.

  • If you have ordinary text-based log entries, then you should type the search query as it is: your-search-query.
  • If you have json-based log entries, then you should type your search query after “at” symbol, followed by the field name and colon: @fieldName:your-search-query.

Suppose we want to find this log entry: service call completed.

Rules for text-based log entries

  1. You must either use complete words (that a part of your log entry sentense), or wildcards. It means that you cannot find log entry shown above by searching servi or service call comp.
    You have to type full words: service, service call completed or use wildcards: servi*, service call comp*.
  2. You should not use quotes and wildcards together. It means that you cannot find that log entry by searching "servi" or "service call comp".
    You should type servi*, service call comp*, or full-words (quotes are optional in this case): "service" or "service call completed".
  3. If you want to show all log entries, that don’t have specific word, you should add dash symbol before that word: -"word".
    If you want to find log entries, that do not have few words, then you should either surround them in quotes and add dash to the beginning like -"you-unwanted-text-here", or you should escape all spaces with backslash (still adding dash sign): -your\ unwanted\ sentense.

Rules for json-based log entries

  1. You should use either complete log entry sentence surrounded by quotas or wildcards (but keeping in mind rule number two from this section). It means you should use @fieldName:"service call completed", or @fieldName:service*.
  2. You should escape spaces with backslash if you are querying json-based log entry and you don’t use quotes. For example: @fieldName:service\ call\ comp*, or @fieldName:service\ call\ completed.
  3. You should apply rule number one and rule number two from current section to third rule of text-based log entries section.
Telegram channel

If you still have any questions, feel free to ask me in the comments under this article or write me at promark33@gmail.com.

If I saved your day, you can support me 🤝

Leave a Reply

Your email address will not be published. Required fields are marked *

                   Mark Chesnavsky. Email me or connect via LinkedIn.