By default, a CloudPrem cluster stores all logs in a single index with a single retention policy. With multiple indexes, you can segment logs by defining filter queries and assigning a different retention period to each index. For example, you can retain audit logs for 1 year while keeping debug logs for only 3 days.

To view and manage your CloudPrem indexes, navigate to the CloudPrem page in Datadog. Select a cluster and click View Indexes to access the index configuration.

Indexes filters

When a log is ingested, CloudPrem evaluates each index’s filter from top to bottom and routes the log to the first matching index. This means index order matters:

• Place indexes with more specific filters above indexes with broader filters. For example, source:security env:production should appear above source:security.
• A catch-all index with a * filter at the bottom ensures that no logs are dropped.
• A log matches at most one index.

You can reorder indexes at any time by dragging rows or using the Move to action.

Retention per index

Each index has its own retention period, which determines how long logs are stored before automatic deletion.

Searching across indexes

To query logs stored in CloudPrem, select one or more CloudPrem indexes in the Log Explorer. You can select a specific index to narrow your search, or select all indexes in a cluster to search across them. From the index configuration page, use View in Log Explorer to open a filtered view for a given index.

For more information, see Search CloudPrem Logs.

Further reading

Additional helpful documentation, links, and articles:

Configure Processing PipelinesDOCUMENTATION Search LogsDOCUMENTATION