Overview

Each Datadog product offers unique search capabilities optimized for its use case. This page provides a comprehensive index of product-specific search syntax resources to help you find the right documentation for your needs.

Search syntax families

There are two main families of search syntaxes across Datadog products:

Metrics-based syntax: Used by Metrics and Cloud Cost Management for time-series data queries with tag-based filtering and aggregation.

Event-based syntax: Used by Log Management and adopted by most other Datadog products including traces, RUM, CI/CD, and more. This syntax provides flexible faceted search with boolean operators and pattern matching.

Metrics

Metrics use a specialized metrics-based syntax for filtering and aggregating time-series data.

For more information, see Advanced Filtering.

Key capabilities

• Tag-based filtering with boolean logic (AND, OR, NOT) or symbolic operators (&&, ||, !)
• Wildcard matching on metric names and tag values
• Aggregation by multiple tag dimensions
• Template variable filtering for dynamic dashboards
• Metric namespace filtering for organized queries
• Case-sensitive matching for metric names

# Filter metrics by tag
system.cpu.idle{host:prod-*}

# Boolean operators for tag filtering
avg:system.cpu.user{env:staging AND (availability-zone:us-east-1a OR availability-zone:us-east-1c)} by {availability-zone}

# Combine multiple tag filters
system.disk.used{env:production,datacenter:us-east-1}

# Wildcard filtered query
avg:system.disk.in_use{!device:/dev/loop*} by {device}

# Wildcard matching on tags
aws.ec2.cpuutilization{instance-type:t3.*}

# Exclude specific tags
system.mem.used{env:production AND NOT service:test}

Logs

Log Management uses event-based search syntax, serving as the foundation for many other products’ search capabilities.

For a complete reference for log search operators, wildcards, facets, and advanced queries, see Log Search Syntax.

Key capabilities

• Full-text search across log messages with wildcards and phrase matching
• Structured faceted search on attributes (tags, custom fields, standard attributes)
• Pattern detection and extraction using parsing patterns
• Advanced boolean operators (AND, OR, NOT) and grouping
• Range queries for numerical values and timestamps

# Search for error messages containing "timeout"
status:error "timeout"

# Query HTTP errors with status codes 500-599
@http.status_code:[500 TO 599]

# Combine multiple conditions
service:web-api env:(production OR dev) AND @duration:>1000

# Wildcard search for specific services
service:payment-* AND status:error

# Exclude specific values
env:production NOT service:background-worker

Traces

APM and Distributed Tracing use event-based search syntax for querying spans and traces.

To learn more about querying spans and traces with service, resource, and tag filters, see Trace Query Syntax.

Key capabilities

• Query spans by service, operation, and resource name
• Filter by trace-level and span-level tags
• Search across distributed traces spanning multiple services
• Duration-based queries for performance analysis
• Error tracking with status codes and error messages

# Find errors in a specific service
service:payment-api status:error

# Query by resource and HTTP method
resource_name:"/api/v1/checkout" @http.method:POST

# Search for slow traces
service:web-api* @duration:>1s

# Trace queries across service dependencies
@span.parent.service:frontend service:backend

# Filter by custom span tags
service:database @db.statement:"SELECT *" @db.row_count:>1000

Additional product-specific resources

Further reading

Documentation, liens et articles supplémentaires utiles:

Getting Started with SearchDOCUMENTATION