Query BYOC Logs with the Datadog MCP Server
BYOC Logs is in Preview.
Overview
The Datadog MCP (Model Context Protocol) server allows you to query your Datadog logs, including logs stored in BYOC Logs indexes, directly through AI-powered tools and integrations. Querying BYOC Logs with the Datadog MCP server unlocks several valuable capabilities, including:
- Unified, Context-Aware Troubleshooting: Query and correlate logs, metrics, and traces from any environment in one place, and pivot across telemetry types to identify root causes faster.
- Natural Language Interaction: Ask plain-language questions, and let AI generate the appropriate log queries without needing to remember syntax.
Prerequisites
Querying BYOC Logs
To query logs stored in BYOC Logs indexes, you must specify two additional parameters alongside your standard log query:
- (Required) indexes: The name(s) of your BYOC Logs index(es).
- (Required) storage_tier: Must be set to "cloudprem".
Without both parameters, queries will default to searching standard Datadog log indexes instead of BYOC Logs.
For best results, your prompt should also include:
- (Recommended) Time range (for example, “in the last hour”, “from the last 24 hours”).
- (Recommended) Query filters (service, status, log content).
Query parameters
The following table describes the key parameters used when querying logs with the MCP server:
| Parameter | Description | Example |
|---|---|---|
| query | Log search query using Datadog query syntax | "*" (all logs), "service:web", "status:error" |
| indexes | Array of BYOC Logs index names to search | ["byoc--dev--main"] |
| storage_tier | Storage tier to query (must be "cloudprem" for BYOC Logs) | "cloudprem" |
| from | Start time for the query | "now-1h", "now-24h", "2024-01-15T00:00:00Z" |
| to | End time for the query | "now", "2024-01-15T23:59:59Z" |
| sort | Sort order for results | "-timestamp" (descending), "timestamp" (ascending) |
For examples of parameter and natural language queries, see Advanced query examples.
Finding your BYOC Logs index name
To find your BYOC Logs index name:
- Navigate to the Datadog Log Explorer.
- Look for the BYOC INDEXES section in the left facet panel.
- Your BYOC Logs indexes are listed there, in the format byoc--<cluster_name>--<index_name>.
You can also find your index names in the BYOC Logs console by selecting a cluster and clicking View Indexes.
Advanced query examples
When using AI-powered tools with the Datadog MCP server, you can ask questions in natural language. The AI assistant translates the question into a tool call with properly formatted BYOC Logs parameters, which the MCP server then runs against Datadog.
Error logs from a specific service
Prompt:
“Show me error logs from the nginx service in the byoc--dev--main index in the last hour.”
Translates to:
{
"query": "service:nginx status:error",
"indexes": ["byoc--dev--main"],
"storage_tier": "cloudprem",
"from": "now-1h",
"to": "now"
}
Search for specific log content
Prompt:
“Find logs containing ‘connection timeout’ from the API service in byoc--prod--main from the last 24 hours.”
Translates to:
{
"query": "service:api \"connection timeout\"",
"indexes": ["byoc--prod--main"],
"storage_tier": "cloudprem",
"from": "now-24h",
"to": "now"
}
Filter by HTTP status code
Prompt:
“Get all 500 status code logs from the byoc--prod--main index in the last day.”
Translates to:
{
"query": "status:500",
"indexes": ["byoc--prod--main"],
"storage_tier": "cloudprem",
"from": "now-1d",
"to": "now"
}
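Because a query that lacks either required parameter silently falls back to standard Datadog indexes, it is worth validating the parameter object (whether hand-written or generated by an AI assistant from a prompt like the ones above) before it is sent. The following Python is an added example, not code from Datadog or its MCP server. The parameter names, the "cloudprem" storage tier and the byoc--<cluster_name>--<index_name> format come from this page; the function names, the set of characters the regular expression allows inside a cluster or index name, and the sample parameter sets are assumptions constructed for illustration.

```python
import re

# Index names follow byoc--<cluster_name>--<index_name> (format from the page).
# Assumption: cluster and index names are alphanumerics/underscores, optionally
# with single hyphens inside; the page does not state the allowed characters.
_SEGMENT = r"[A-Za-z0-9_]+(?:-[A-Za-z0-9_]+)*"
INDEX_PATTERN = re.compile(rf"^byoc--{_SEGMENT}--{_SEGMENT}$")

BYOC_STORAGE_TIER = "cloudprem"

# Typographic dashes that editors and chat clients substitute for a literal "--".
DASH_VARIANTS = {"\u2013": "--", "\u2014": "--"}


def normalize_index_name(name: str) -> str:
    """Map en/em dashes back to the literal '--' separator and trim whitespace."""
    for bad, good in DASH_VARIANTS.items():
        name = name.replace(bad, good)
    return name.strip()


def build_byoc_query(query: str, indexes, from_: str = "now-1h",
                     to: str = "now", sort: str = "-timestamp") -> dict:
    """Build the parameter object for a BYOC Logs query (hypothetical helper).

    storage_tier is pinned to "cloudprem" and every index name must be a
    well-formed BYOC Logs index name, so the call cannot fall back to
    standard Datadog indexes by accident.
    """
    names = [normalize_index_name(n) for n in indexes]
    if not names:
        raise ValueError("at least one BYOC Logs index is required")
    bad = [n for n in names if not INDEX_PATTERN.match(n)]
    if bad:
        raise ValueError(f"not BYOC Logs index names: {bad}")
    return {
        "query": query,
        "indexes": names,
        "storage_tier": BYOC_STORAGE_TIER,
        "from": from_,
        "to": to,
        "sort": sort,
    }


def check_byoc_query(params: dict) -> list[str]:
    """Return the problems found in an already-built parameter object.

    An empty list means the query will be routed to BYOC Logs as intended.
    """
    problems = []
    tier = params.get("storage_tier")
    if tier is None:
        problems.append("storage_tier missing: query will search standard Datadog indexes")
    elif tier != BYOC_STORAGE_TIER:
        problems.append(f"storage_tier is {tier!r}, must be {BYOC_STORAGE_TIER!r}")

    indexes = params.get("indexes")
    if not indexes:
        problems.append("indexes missing or empty: query will search standard Datadog indexes")
    else:
        for name in indexes:
            if not INDEX_PATTERN.match(name):
                hint = " (typographic dash instead of '--'?)" \
                    if any(d in name for d in DASH_VARIANTS) else ""
                problems.append(
                    f"index {name!r} is not in byoc--<cluster_name>--<index_name> form{hint}")

    if "from" not in params or "to" not in params:
        problems.append("time range not bounded: setting both from and to is recommended")
    return problems


if __name__ == "__main__":
    # Constructed sample: the nginx example from this page, built by the helper.
    ok = build_byoc_query("service:nginx status:error", ["byoc--dev--main"])
    print(ok, check_byoc_query(ok))

    # Constructed sample: storage_tier omitted, so this would hit standard indexes.
    no_tier = {"query": "status:500", "indexes": ["byoc--prod--main"],
               "from": "now-1d", "to": "now"}
    print(check_byoc_query(no_tier))

    # Constructed sample: en dashes copied from a chat prompt instead of "--".
    dashed = {"query": "*", "indexes": ["byoc\u2013dev\u2013main"],
              "storage_tier": "cloudprem", "from": "now-1h", "to": "now"}
    print(check_byoc_query(dashed))
```

Run check_byoc_query on the parameter object an assistant produces before executing it; a non-empty result is the signal that the query would leave BYOC Logs or fail outright. build_byoc_query normalizes dashes itself, so index names pasted from a chat prompt are repaired rather than rejected.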
Important notes
- Both storage_tier and indexes are required when querying BYOC Logs. Without these parameters, queries will search standard Datadog indexes instead. storage_tier must always be set to "cloudprem".
- The indexes parameter must contain valid BYOC Logs index names (in the format byoc--<cluster_name>--<index_name>).
- When using natural language queries, explicitly mention your BYOC Logs index name in your prompt.
- Log lines matched by a query are returned to the AI tool as tool output and become part of the model's context, so scope queries (service, status, time range) to what the assistant actually needs.
- BYOC Logs data is queryable in real-time as soon as it is indexed.
- Query syntax follows standard Datadog log search syntax.