---
title: Query BYOC Logs with the Datadog MCP Server
description: >-
  Learn how to query logs stored in BYOC Logs indexes using the Datadog MCP
  server
breadcrumbs: >-
  Docs > BYOC Logs > BYOC Logs Guides > Query BYOC Logs with the Datadog MCP
  Server
---

# Query BYOC Logs with the Datadog MCP Server

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

{% callout %}
##### BYOC Logs is in Preview

Join the BYOC Logs Preview to access new self-hosted log management features.

[Request Access](https://www.datadoghq.com/product-preview/cloudprem/)
{% /callout %}

## Overview{% #overview %}

The [Datadog MCP (Model Context Protocol) server](https://docs.datadoghq.com/bits_ai/mcp_server.md) allows you to query your Datadog logs, including logs stored in BYOC Logs indexes, directly through AI-powered tools and integrations. Querying BYOC Logs with the Datadog MCP server unlocks several valuable capabilities, including:

- **Unified, Context-Aware Troubleshooting**: Query and correlate logs, metrics, and traces from any environment in one place, and pivot across telemetry types to identify root causes faster.
- **Natural Language Interaction**: Ask plain-language questions, and let AI generate the appropriate log queries without needing to remember syntax.

## Prerequisites{% #prerequisites %}

- A running BYOC Logs deployment with logs ingested.
- Access to the [Datadog MCP server](https://docs.datadoghq.com/bits_ai/mcp_server.md). «««< fmassot/byoc-indexes-rename
- Your BYOC index name (visible in the [Datadog Log Explorer](https://app.datadoghq.com/logs) under **BYOC INDEXES**). =======
- Your BYOC Logs index name (visible in the [Datadog Log Explorer](https://app.datadoghq.com/logs) under CLOUDPREM INDEXES).

master

## Querying BYOC Logs{% #querying-byoc-logs %}

To query logs stored in BYOC Logs indexes, you **must** specify two critical parameters in addition to your standard log query:

- (Required) **`indexes`**: The name(s) of your BYOC Logs index(es).
- (Required) **`storage_tier`**: Must be set to `"cloudprem"`.

Without both parameters, queries will default to searching standard Datadog log indexes instead of BYOC Logs.

For best results, your prompt **should also include**:

- (Recommended) Time range (for example, "in the last hour", "from the last 24 hours").
- (Recommended) Query filters (service, status, log content).

### Query parameters{% #query-parameters %}

The following table describes the key parameters used when querying logs with the MCP server:

| Parameter      | Description                                                 | Example                                                |
| -------------- | ----------------------------------------------------------- | ------------------------------------------------------ |
| `query`        | Log search query using Datadog query syntax                 | `"*"` (all logs), `"service:web"`, `"status:error"`    |
| `indexes`      | Array of BYOC Logs index names to search                    | `["cloudprem--dev--main"]`                             |
| `storage_tier` | Storage tier to query (must be `"cloudprem"` for BYOC Logs) | `"cloudprem"`                                          |
| `from`         | Start time for the query                                    | `"now-1h"`, `"now-24h"`, `"2024-01-15T00:00:00Z"`      |
| `to`           | End time for the query                                      | `"now"`, `"2024-01-15T23:59:59Z"`                      |
| `sort`         | Sort order for results                                      | `"-timestamp"` (descending), `"timestamp"` (ascending) |

For examples of parameter and natural language queries, see Advanced query examples.

### Finding your BYOC Logs index name{% #finding-your-byoc-logs-index-name %}

To find your BYOC Logs index name:

1. Navigate to the [Datadog Log Explorer](https://app.datadoghq.com/logs). «««< fmassot/byoc-indexes-rename
1. Look for the **BYOC INDEXES** section in the left facet panel.
1. Your CloudPrem indexes are listed there, in the format `cloudprem--<cluster_name>--<index_name>`. =======
1. Look for the CLOUDPREM INDEXES section in the left facet panel.
1. Your BYOC Logs indexes are listed there, in the format `cloudprem--<cluster_name>--<index_name>`.

master

You can also find your index names in the [BYOC Logs console](https://app.datadoghq.com/cloudprem) by selecting a cluster and clicking View Indexes.

## Advanced query examples{% #advanced-query-examples %}

When using AI-powered tools with the Datadog MCP server, you can ask questions in natural language. The MCP server will automatically translate these into properly formatted BYOC Logs queries.

### Error logs from a specific service{% #error-logs-from-a-specific-service %}

**Prompt**: "Show me error logs from the nginx service in the cloudprem–dev–main index in the last hour."

**Translates to**:

```json
{
  "query": "service:nginx status:error",
  "indexes": ["cloudprem--dev--main"],
  "storage_tier": "cloudprem",
  "from": "now-1h",
  "to": "now"
}
```

### Search for specific log content{% #search-for-specific-log-content %}

**Prompt**: "Find logs containing 'connection timeout' from the API service in cloudprem–prod–main from the last 24 hours."

**Translates to**:

```json
{
  "query": "service:api \"connection timeout\"",
  "indexes": ["cloudprem--prod--main"],
  "storage_tier": "cloudprem",
  "from": "now-24h",
  "to": "now"
}
```

### Filter by HTTP status code{% #filter-by-http-status-code %}

**Prompt**: "Get all 500 status code logs from the cloudprem–prod–main index in the last day."

**Translates to**:

```json
{
  "query": "status:500",
  "indexes": ["cloudprem--prod--main"],
  "storage_tier": "cloudprem",
  "from": "now-1d",
  "to": "now"
}
```

## Important notes{% #important-notes %}

- **Both `storage_tier` and `indexes` are required** when querying BYOC Logs. Without these parameters, queries will search standard Datadog indexes instead.
- `storage_tier` must always be set to `"cloudprem"`.
- The `indexes` parameter must contain valid BYOC Logs index names (in the format `cloudprem--<cluster_name>--<index_name>`).
- When using natural language queries, explicitly mention your BYOC Logs index name in your prompt.
- BYOC Logs data is queryable in real-time as soon as it is indexed.
- Query syntax follows standard [Datadog log search syntax](https://docs.datadoghq.com/logs/explorer/search_syntax.md).

## Further reading{% #further-reading %}

- [Introducing the Datadog MCP server](https://www.datadoghq.com/blog/datadog-remote-mcp-server/)
- [Datadog Extension for VS Code & Cursor](https://docs.datadoghq.com/ide_plugins/vscode.md?tab=cursor#installation)
- [Search Logs in BYOC Logs](https://docs.datadoghq.com/cloudprem/operate/search_logs.md)