Logs
Security Monitoring is now available Security Monitoring is now available

Logs

Send your logs to your Datadog platform over HTTP. Limits per HTTP request are:

  • Maximum content size per payload: 5MB
  • Maximum size for a single log: 256kB
  • Maximum array size if sending multiple logs in an array: 500 entries

Any log exceeding 256KB is accepted and truncated by Datadog: - For a single log request, the API truncates the log at 256KB and returns a 2xx. - For a multi-logs request, the API processes all logs, truncates only logs larger than 256KB, and returns a 2xx.

Note: If you are in the Datadog EU site (app.datadoghq.eu), the HTTP log endpoint is http-intake.logs.datadoghq.eu.

Get a list of logs

post https://api.datadoghq.comhttps://api.datadoghq.eu/api/v1/logs-queries/list

Overview

List endpoint returns logs that match a log search query. Results are paginated.

If you are considering archiving logs for your organization, consider use of the Datadog archive capabilities instead of the log list API. See Datadog Logs Archive documentation.

Request

Body Data (required)

Logs filter

Expand All

Field

Type

Description

index

string

For multi-index organizations, the log index in which the request is performed.

limit

int32

Number of logs return in the response.

query [required]

string

The search query - following the log search syntax.

sort

enum

Time-ascending asc or time-descending descresults. Allowed enum values: asc,desc

startAt

string

Hash identifier of the first log to return in the list, available in a log id attribute. This parameter is used for the pagination feature.

Note: This parameter is ignored if the corresponding log is out of the scope of the specified time window.

time [required]

object

Timeframe to retrieve the log from.

from [required]

date-time

Minimum timestamp for requested logs.

timezone

string

Timezone can be specified both as an offset (e.g. "UTC+03:00") or a regional zone (e.g. "Europe/Paris").

to [required]

date-time

Maximum timestamp for requested logs.

{
  "index": "string",
  "limit": "integer",
  "query": "service:web* AND @http.status_code:[200 TO 299]",
  "sort": "string",
  "startAt": "string",
  "time": {
    "from": "2020-02-02T02:02:02+00:00",
    "timezone": "string",
    "to": "2020-02-20T20:20:20+00:00"
  }
}

Response

OK

Response object with all logs matching the request and pagination information.

Expand All

Field

Type

Description

logs

[object]

Array of logs matching the request and the nextLogId if sent.

content

object

JSON object containing all log attributes and their associated values.

attributes

object

JSON object of attributes from your log.

host

string

Name of the machine from where the logs are being sent.

message

string

The message reserved attribute of your log. By default, Datadog ingests the value of the message attribute as the body of the log entry. That value is then highlighted and displayed in the Logstream, where it is indexed for full text search.

service

string

The name of the application or service generating the log events. It is used to switch from Logs to APM, so make sure you define the same value when you use both products.

tags

array

Array of tags associated with your log.

timestamp

date-time

Timestamp of your log.

id

string

Unique ID of the Log.

nextLogId

string

Hash identifier of the next log to return in the list. This parameter is used for the pagination feature.

status

string

Status of the response.

{
  "logs": [
    {
      "content": {
        "attributes": [
          {}
        ],
        "host": "i-0123",
        "message": "Host connected to remote",
        "service": "agent",
        "tags": [
          "team:A"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA"
    }
  ],
  "nextLogId": "string",
  "status": "string"
}

Bad Request

Response returned by the Logs API when errors occur.

Expand All

Field

Type

Description

error

object

Error returned by the Logs API

code

string

Code identifying the error

details

[object]

Additional error details

message

string

Error message

{
  "error": {
    "code": "string",
    "details": [],
    "message": "string"
  }
}

Authentication error

Error response object.

Expand All

Field

Type

Description

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


                                        # Curl command
curl -X post https://api.datadoghq.comhttps://api.datadoghq.eu/api/v1/logs-queries/list \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}" \
-d @- << EOF
{
  "query": "service:web* AND @http.status_code:[200 TO 299]",
  "time": {
    "from": "2020-02-02T02:02:02+00:00",
    "to": "2020-02-20T20:20:20+00:00"
  }
}
EOF

                                        

Send logs

post https://http-intake.logs.datadoghq.comhttps://http-intake.logs.datadoghq.eu/v1/input

Overview

Send your logs to your Datadog platform over HTTP. Limits per HTTP request are as follows. - Maximum content size per payload is 5MB. - Maximum size for a single log is 256kB. - Maximum array size if sending multiple logs in an array is 500 entries.

Any log exceeding 256KB is accepted and truncated by server - For a single log request, the API truncates the log at 256KB and returns a 2xx. - For a multi-logs request, the API processes all logs, truncates only logs larger than 256KB, and returns a 2xx.

Note: If you are in the Datadog EU site (app.datadoghq.eu), the HTTP log endpoint is http-intake.logs.datadoghq.eu.

Request

Body Data (required)

Log to send (JSON format).

Expand All

Field

Type

Description

ddsource

string

The integration name associated with your log: the technology from which the log originated. When it matches an integration name, Datadog automatically installs the corresponding parsers and facets. See reserved attribute.

ddtags

string

Tags associated with your logs.

hostname

string

The name of the originating host of the log.

message

string

The message reserved attribute of your log. By default, Datadog ingests the value of the message attribute as the body of the log entry. That value is then highlighted and displayed in the Logstream, where it is indexed for full text search.

{
  "ddsource": "nginx",
  "ddtags": "env:staging,service:payment",
  "hostname": "i-012345678",
  "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"
}

Response

Response from server (always 200 empty JSON).

Expand All

Field

Type

Description

No response body

{}

unexpected error

Invalid query performed.

Expand All

Field

Type

Description

code [required]

int32

Error code.

message [required]

string

Error message.

{
  "code": "integer",
  "message": "string"
}

Code Example


                                        # Curl command
curl -X post https://http-intake.logs.datadoghq.comhttps://http-intake.logs.datadoghq.eu/v1/input \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-d @- << EOF
{}
EOF