DDSQL Reference

Available for:

DDSQL Editor | Notebooks

Overview

DDSQL is SQL for Datadog data. It implements several standard SQL operations, such as SELECT, and allows queries against unstructured data. You can perform actions like getting exactly the data you want by writing your own SELECT statement, or querying tags as if they are standard table columns.

This documentation covers the SQL support available and includes:

Example workspace cell with SQL syntax

Syntax

The following SQL syntax is supported:

SyntaxDescriptionExample
SELECT (DISTINCT)
DISTINCT: Optional		Retrieves rows from a database, with DISTINCT filtering out duplicate records.
SELECT DISTINCT customer_id
FROM orders
JOINCombines rows from two or more tables based on a related column between them. Supports FULL JOIN, INNER JOIN, LEFT JOIN, RIGHT JOIN.
SELECT orders.order_id, customers.customer_name
FROM orders
JOIN customers
ON orders.customer_id = customers.customer_id
GROUP BYGroups rows that have the same values in specified columns into summary rows.
SELECT product_id, SUM(quantity)
FROM sales
GROUP BY product_id
|| (concat)Concatenates two or more strings together.
SELECT first_name || ' ' || last_name AS full_name
FROM employees
WHERE
Includes support for LIKE, IN, ON, OR filters.		Filters records that meet a specified condition.
SELECT *
FROM employees
WHERE department = 'Sales' AND name LIKE 'J%'
CASEProvides conditional logic to return different values based on specified conditions.
SELECT order_id,
  CASE
    WHEN quantity > 10 THEN 'Bulk Order'
    ELSE 'Standard Order'
  END AS order_type
FROM orders
WINDOWPerforms a calculation across a set of table rows that are related to the current row.
SELECT
  timestamp,
  service_name,
  cpu_usage_percent,
  AVG(cpu_usage_percent) OVER (PARTITION BY service_name ORDER BY timestamp ROWS BETWEEN 2 PRECEDING AND CURRENT ROW) AS moving_avg_cpu
FROM
  cpu_usage_data
IS NULL / IS NOT NULLChecks if a value is null or not null.
SELECT *
FROM orders
WHERE delivery_date IS NULL
LIMITSpecifies the maximum number of records to return.
SELECT *
FROM customers
LIMIT 10
ORDER BYSorts the result set of a query by one or more columns. Includes ASC, DESC for sorting order.
SELECT *
FROM sales
ORDER BY sale_date DESC
HAVINGFilters records that meet a specified condition after grouping.
SELECT product_id, SUM(quantity)
FROM sales
GROUP BY product_id
HAVING SUM(quantity) > 10
IN, ON, ORUsed for specified conditions in queries. Available in WHERE, JOIN clauses.
SELECT *
FROM orders
WHERE order_status IN ('Shipped', 'Pending')
USINGThis clause is a shorthand for joins where the join columns have the same name in both tables. It takes a comma-separated list of those columns and creates a separate equality condition for each matching pair. For example, joining T1 and T2 with USING (a, b) is equivalent to ON T1.a = T2.a AND T1.b = T2.b.
SELECT orders.order_id, customers.customer_name
FROM orders
JOIN customers
USING (customer_id)
ASRenames a column or table with an alias.
SELECT first_name AS name
FROM employees
Arithmetic OperationsPerforms basic calculations using operators like +, -, *, /.
SELECT price, tax, (price * tax) AS total_cost
FROM products
INTERVAL value unitintervalRepresents a time duration specified in a given unit. Supported units:
- milliseconds / millisecond
- seconds / second
- minutes / minute
- hours / hour
- days / day

Data types

DDSQL supports the following data types:

Data TypeDescription
BIGINT64-bit signed integers.
BOOLEANtrue or false values.
DOUBLEDouble-precision floating-point numbers.
INTERVALTime duration values.
JSONJSON data.
TIMESTAMPDate and time values.
VARCHARVariable-length character strings.

Array types

All data types support array types. Arrays can contain multiple values of the same data type.

Type literals

DDSQL supports explicit type literals using the syntax [TYPE] [value].

TypeSyntaxExample
BIGINTBIGINT valueBIGINT 1234567
BOOLEANBOOLEAN valueBOOLEAN true
DOUBLEDOUBLE valueDOUBLE 3.14159
INTERVALINTERVAL 'value unit'INTERVAL '30 minutes'
JSONJSON 'value'JSON '{"key": "value", "count": 42}'
TIMESTAMPTIMESTAMP 'value'TIMESTAMP '2023-12-25 10:30:00'
VARCHARVARCHAR 'value'VARCHAR 'hello world'

The type prefix can be omitted and the type is automatically inferred from the value. For example, 'hello world' is inferred as VARCHAR, 123 as BIGINT, and true as BOOLEAN. Use explicit type prefixes when values could be ambiguous; for example,TIMESTAMP '2025-01-01' would be inferred as VARCHAR without the prefix.

Array literals

Array literals use the syntax ARRAY[value1, value2, ...]. The array type is automatically inferred from the values.

SELECT ARRAY['apple', 'banana', 'cherry'] AS fruits; -- Inferred as VARCHAR array
SELECT ARRAY[1, 2, 3] AS numbers;                    -- Inferred as BIGINT array
SELECT ARRAY[true, false, true] AS flags;            -- Inferred as BOOLEAN array
SELECT ARRAY[1.1, 2.2, 3.3] AS decimals;             -- Inferred as DOUBLE array

Example

-- Using type literals in queries
SELECT
    VARCHAR 'Product Name: ' || name AS labeled_name,
    price * DOUBLE 1.08 AS price_with_tax,
    created_at + INTERVAL '7 days' AS expiry_date
FROM products
WHERE created_at > TIMESTAMP '2025-01-01';

Functions

The following SQL functions are supported. For Window function, see the separate Window function section in this documentation.

FunctionReturn TypeDescription
MIN(variable v)typeof vReturns the smallest value in a set of data.
MAX(variable v)typeof vReturns the maximum value across all input values.
COUNT(any a)numericReturns the number of input values that are not null.
SUM(numeric n)numericReturns the summation across all input values.
AVG(numeric n)numericReturns the average value (arithmetic mean) across all input values.
CEIL(numeric n)numericReturns the value rounded up to the nearest integer.
FLOOR(numeric n)numericReturns the value rounded down to the nearest integer.
ROUND(numeric n)numericReturns the value rounded to the nearest integer.
LOWER(string s)stringReturns the string as lowercase.
UPPER(string s)stringReturns the string as uppercase.
ABS(numeric n)numericReturns the absolute value.
COALESCE(args a)typeof first non-null a OR nullReturns the first non-null value or null if all are null.
CAST(value AS type)typeConverts the given value to the specified data type.
LENGTH(string s)integerReturns the number of characters in the string.
TRIM(string s)stringRemoves leading and trailing whitespace from the string.
REPLACE(string s, string from, string to)stringReplaces occurrences of a substring within a string with another substring.
SUBSTRING(string s, int start, int length)stringExtracts a substring from a string, starting at a given position and for a specified length.
STRPOS(string s, string substring)integerReturns the first index position of the substring in a given string, or 0 if there is no match.
SPLIT_PART(string s, string delimiter, integer index)stringSplits the string on the given delimiter and returns the string at the given position counting from one.
EXTRACT(unit from timestamp/interval)numericExtracts a part of a date or time field (such as year or month) from a timestamp or interval.
TO_TIMESTAMP(string timestamp, string format)timestampConverts a string to a timestamp according to the given format.
TO_CHAR(timestamp t, string format)stringConverts a timestamp to a string according to the given format.
DATE_TRUNC(string unit, timestamp t)timestampTruncates a timestamp to a specified precision based on the provided unit.
CURRENT_SETTING(string setting_name)stringReturns the current value of the specified setting. Supports the parameters dd.time_frame_start and dd.time_frame_end, which return the start and end of the global time frame, respectively.
NOW()timestampReturns the current timestamp at the start of the current query.
CARDINALITY(array a)integerReturns the number of elements in the array.
ARRAY_POSITION(array a, typeof_array value)integerReturns the index of the first occurrence of the value found in the array, or null if value is not found.
STRING_TO_ARRAY(string s, string delimiter)array of stringsSplits the given string into an array of strings using the given delimiter.
ARRAY_AGG(expression e)array of input typeCreates an array by collecting all the input values.
UNNEST(array a [, array b...])rows of a [, b…]Expands arrays into a set of rows. This form is only allowed in a FROM clause.

MIN

SELECT MIN(response_time) AS min_response_time
FROM logs
WHERE status_code = 200

MAX

SELECT MAX(response_time) AS max_response_time
FROM logs
WHERE status_code = 200

COUNT

SELECT COUNT(request_id) AS total_requests
FROM logs
WHERE status_code = 200

SUM

SELECT SUM(bytes_transferred) AS total_bytes
FROM logs
GROUP BY service_name

AVG

SELECT AVG(response_time)
AS avg_response_time
FROM logs
WHERE status_code = 200
GROUP BY service_name

CEIL

SELECT CEIL(price) AS rounded_price
FROM products

FLOOR

SELECT FLOOR(price) AS floored_price
FROM products

ROUND

SELECT ROUND(price) AS rounded_price
FROM products

LOWER

SELECT LOWER(customer_name) AS lowercase_name
FROM customers

UPPER

SELECT UPPER(customer_name) AS uppercase_name
FROM customers

ABS

SELECT ABS(balance) AS absolute_balance
FROM accounts

COALESCE

SELECT COALESCE(phone_number, email) AS contact_info
FROM users

CAST

Supported cast target types:

  • BIGINT
  • DECIMAL
  • TIMESTAMP
  • VARCHAR
SELECT
  CAST(order_id AS VARCHAR) AS order_id_string,
  'Order-' || CAST(order_id AS VARCHAR) AS order_label
FROM
  orders

LENGTH

SELECT
  customer_name,
  LENGTH(customer_name) AS name_length
FROM
  customers

INTERVAL

SELECT
  TIMESTAMP '2023-10-01 10:00:00' + INTERVAL '30 days' AS future_date,
  INTERVAL '1 MILLISECOND 2 SECONDS 3 MINUTES 4 HOURS 5 DAYS'

TRIM

SELECT
  TRIM(name) AS trimmed_name
FROM
  users

REPLACE

SELECT
  REPLACE(description, 'old', 'new') AS updated_description
FROM
  products

SUBSTRING

SELECT
  SUBSTRING(title, 1, 10) AS short_title
FROM
  books

STRPOS

SELECT
  STRPOS('foobar', 'bar')

SPLIT_PART

SELECT
  SPLIT_PART('aaa-bbb-ccc', '-', 2)

EXTRACT

Supported extraction units:

LiteralInput TypeDescription
daytimestamp / intervalday of the month
dowtimestampday of the week 1 (Monday) to 7 (Sunday)
doytimestampday of the year (1 - 366)
hourtimestamp / intervalhour of the day (0 - 23)
minutetimestamp / intervalminute of the hour (0 - 59)
secondtimestamp / intervalsecond of the minute (0 - 59)
weektimestampweek of the year (1 - 53)
monthtimestampmonth of the year (1 - 12)
quartertimestampquarter of the year (1 - 4)
yeartimestampyear
timezone_hourtimestamphour of the time zone offset
timezone_minutetimestampminute of the time zone offset
SELECT
  EXTRACT(year FROM purchase_date) AS purchase_year
FROM
  sales

TO_TIMESTAMP

Supported patterns for date/time formatting:

PatternDescription
YYYYyear (4 digits)
YYyear (2 digits)
MMmonth number (01 - 12)
DDday of month (01 - 31)
HH24hour of day (00 - 23)
HH12hour of day (01 - 12)
HHhour of day (01 - 12)
MIminute (00 - 59)
SSsecond (00 - 59)
MSmillisecond (000 - 999)
TZtime-zone abbreviation
OFtime-zone offset from UTC
AM / ammeridiem indicator (without periods)
PM / pmmeridiem indicator (without periods)
SELECT
  TO_TIMESTAMP('25/12/2025 04:23 pm', 'DD/MM/YYYY HH:MI am') AS ts

TO_CHAR

Supported patterns for date/time formatting:

PatternDescription
YYYYyear (4 digits)
YYyear (2 digits)
MMmonth number (01 - 12)
DDday of month (01 - 31)
HH24hour of day (00 - 23)
HH12hour of day (01 - 12)
HHhour of day (01 - 12)
MIminute (00 - 59)
SSsecond (00 - 59)
MSmillisecond (000 - 999)
TZtime-zone abbreviation
OFtime-zone offset from UTC
AM / ammeridiem indicator (without periods)
PM / pmmeridiem indicator (without periods)
SELECT
  TO_CHAR(order_date, 'MM-DD-YYYY') AS formatted_date
FROM
  orders

DATE_TRUNC

Supported truncations:

  • milliseconds
  • seconds / second
  • minutes / minute
  • hours / hour
  • days / day
  • weeks / week
  • months / month
  • quarters / quarter
  • years / year
SELECT
  DATE_TRUNC('month', event_time) AS month_start
FROM
  events

CURRENT_SETTING

Supported setting parameters:

  • dd.time_frame_start: Returns the start of the selected time frame in RFC 3339 format (YYYY-MM-DD HH:mm:ss.sss±HH:mm).
  • dd.time_frame_end: Returns the end of the selected time frame in RFC 3339 format (YYYY-MM-DD HH:mm:ss.sss±HH:mm).
-- Define the current analysis window
WITH bounds AS (
  SELECT CAST(CURRENT_SETTING('dd.time_frame_start') AS TIMESTAMP) AS time_frame_start,
         CAST(CURRENT_SETTING('dd.time_frame_end')   AS TIMESTAMP) AS time_frame_end
),
-- Define the immediately preceding window of equal length
     previous_bounds AS (
  SELECT time_frame_start - (time_frame_end - time_frame_start) AS prev_time_frame_start,
         time_frame_start                                       AS prev_time_frame_end
  FROM bounds
)
SELECT * FROM bounds, previous_bounds

NOW

SELECT
  *
FROM
  sales
WHERE
  purchase_date > NOW() - INTERVAL '1 hour'

CARDINALITY

SELECT
  CARDINALITY(recipients)
FROM
  emails

ARRAY_POSITION

SELECT
  ARRAY_POSITION(recipients, 'hello@example.com')
FROM
  emails

STRING_TO_ARRAY

SELECT
  STRING_TO_ARRAY('a,b,c,d,e,f', ',')

ARRAY_AGG

SELECT
  sender,
  ARRAY_AGG(subject) subjects,
  ARRAY_AGG(ALL subject) all_subjects,
  ARRAY_AGG(DISTINCT subject) distinct_subjects
FROM
  emails
GROUP BY
  sender

UNNEST

SELECT
  sender,
  recipient
FROM
  emails,
  UNNEST(recipients) AS recipient

Regular expressions

Flavor

All regular expression (regex) functions use the International Components for Unicode (ICU) flavor:

Functions

FunctionReturn TypeDescription
REGEXP_LIKE(string input, string pattern)BooleanEvaluates whether a string matches a regular expression pattern.
REGEXP_MATCH(string input, string pattern [, string flags ])array of stringsReturns substrings of the first pattern match in the string.

This function searches the input string using the given pattern and returns captured substrings (capture groups) from the first match. If no capture groups are present, returns the full match.
REGEXP_REPLACE(string input, string pattern, string replacement [, string flags ])stringReplaces the substring that is the first match to the pattern, or all such matches if you use the optional g flag.
REGEXP_REPLACE (string input, string pattern, string replacement, integer start, integer N [, string flags ] )stringReplaces the substring that is the Nth match to the pattern, or all such matches if N is zero, starting from start.

REGEXP_LIKE

SELECT
  *
FROM
  emails
WHERE
  REGEXP_LIKE(email_address, '@example\.com$')

REGEXP_MATCH

SELECT regexp_match('foobarbequebaz', '(bar)(beque)');
-- {bar,beque}

SELECT regexp_match('foobarbequebaz', 'barbeque');
-- {barbeque}

SELECT regexp_match('abc123xyz', '([a-z]+)(\d+)(x(.)z)');
-- {abc,123,xyz,y}

REGEXP_REPLACE

SELECT regexp_replace('Auth success token=abc123XYZ789', 'token=\w+', 'token=***');
-- Auth success token=***

SELECT regexp_replace('status=200 method=GET', 'status=(\d+) method=(\w+)', '$2: $1');
-- GET: 200

SELECT regexp_replace('INFO INFO INFO', 'INFO', 'DEBUG', 1, 2);
-- INFO DEBUG INFO

Function-level flags

You can use the following flags with regular expression functions:

i
Case-insensitive matching
n or m
Newline-sensitive matching
g
Global; replace all matching substrings rather than only the first one

i flag

SELECT regexp_match('INFO', 'info')
-- NULL

SELECT regexp_match('INFO', 'info', 'i')
-- ['INFO']

n flag

SELECT regexp_match('a
b', '^b');
-- NULL

SELECT regexp_match('a
b', '^b', 'n');
-- ['b']

g flag

SELECT icu_regexp_replace('Request id=12345 completed, id=67890 pending', 'id=\d+', 'id=XXX');
-- Request id=XXX completed, id=67890 pending

SELECT regexp_replace('Request id=12345 completed, id=67890 pending', 'id=\d+', 'id=XXX', 'g');
-- Request id=XXX completed, id=XXX pending

Window functions

This table provides an overview of the supported window functions. For comprehensive details and examples, see the PostgreSQL documentation.

FunctionReturn TypeDescription
OVERN/ADefines a window for a set of rows for other window functions to operate on.
PARTITION BYN/ADivides the result set into partitions, specifically for applying window functions.
RANK()integerAssigns a rank to each row within a partition, with gaps for ties.
ROW_NUMBER()integerAssigns a unique sequential number to each row within a partition.
LEAD(column n)typeof columnReturns the value from the next row in the partition.
LAG(column n)typeof columnReturns the value from the previous row in the partition.
FIRST_VALUE(column n)typeof columnReturns the first value in an ordered set of values.
LAST_VALUE(column n)typeof columnReturns the last value in an ordered set of values.
NTH_VALUE(column n, offset)typeof columnReturns the value at the specified offset in an ordered set of values.

JSON functions and operators

NameReturn typeDescription
json_extract_path_text(text json, text path…)textExtracts a JSON sub-object as text, defined by the path. Its behavior is equivalent to the Postgres function with the same name. For example, json_extract_path_text(col, ‘forest') returns the value of the key forest for each JSON object in col. See the example below for a JSON array syntax.
json_extract_path(text json, text path…)JSONSame functionality as json_extract_path_text, but returns a column of JSON type instead of text type.

Table functions

Join the Preview!

Querying Logs and Metrics through DDSQL is in Preview. Use this form to request access.

Request Access

Table functions are used to query Logs and Metrics

FunctionDescriptionExample
dd.logs(
    filter => varchar,
    columns => array < varchar >,
    indexes ? => array < varchar >,
    from_timestamp ? => timestamp,
    to_timestamp ? => timestamp
) AS (column_name type [, ...])
Returns log data as a table. The columns parameter specifies which log fields to extract, and the AS clause defines the schema of the returned table. Optional: filtering by index or time range. When time is not specified, we default to the past 1 hour of data.
SELECT timestamp, host, service, message
FROM dd.logs(
    filter  => 'source:java',
    columns => ARRAY['timestamp','host', 'service','message']
) AS (
    timestamp TIMESTAMP,
    host      VARCHAR,
    service   VARCHAR,
    message   VARCHAR
)
dd.metric_scalar(
    query varchar,
    reducer varchar [, from_timestamp timestamp, to_timestamp timestamp]
)
Returns metric data as a scalar value. The function accepts a metrics query (with optional grouping), a reducer to determine how values are aggregated (avg, max, etc.), and optional timestamp parameters (default 1 hour) to define the time range.
SELECT *
FROM dd.metric_scalar(
    'avg:system.cpu.user{*} by {service}',
    'avg',
    TIMESTAMP '2025-07-10 00:00:00.000-04:00',
    TIMESTAMP '2025-07-17 00:00:00.000-04:00'
)
ORDER BY value DESC;

Tags

DDSQL exposes tags as an hstore type, which is inspired by PostgreSQL. You can access the values for specific tag keys using the PostgreSQL arrow operator. For example:

SELECT instance_type, count(instance_type)
FROM aws.ec2_instance
WHERE tags->'region' = 'us-east-1' -- region is a tag, not a column
GROUP BY instance_type

Tags are key-value pairs where each key can have zero, one, or multiple tag values corresponding to it. When accessed, the tag value returns a single string, containing all corresponding values. When the data has multiple tag values for the same tag key, they are represented as a sorted, comma-separated string. For example:

SELECT tags->'team', instance_type, architecture, COUNT(*) as instance_count
FROM aws.ec2_instance
WHERE tags->'team' = 'compute_provisioning,database_ops'
GROUP BY tags->'team', instance_type, architecture
ORDER BY instance_count DESC

You can also compare tag values as strings or entire tag sets:

SELECT *
FROM k8s.daemonsets da INNER JOIN k8s.deployments de
ON da.tags = de.tags -- for a specific tag: da.tags->'app' = de.tags->'app'

Further reading

Additional helpful documentation, links, and articles:

Learn more about DDSQL EditorDOCUMENTATION more more