Log Analytics


Log analytics extend the log search page with log aggregation and split capabilities for troubleshooting and monitoring. You can access the analytics page from any log explorer view by clicking on the “Analytics” icon next to the search query bar.

You can control:

  • The query that filters the set of logs to analyze
  • The dimensions over which to split data
  • The visualization method for aggregates and splits

From an analytics visualization, you can, additionally:

  • Create a widget in a dashboard out of that visualization
  • Create a monitor out of that query
  • Deep dive into subsets of the log list, depending on the interactions that the visualization enables

Save a log analytics view with the “Save As” button. You can load your teammates’ saved views from the “Saved Views” tab.

Build an analytics query

Use the query to control what’s displayed in your Log Analytics:

  1. Choose a Measure or Facet to graph. Measure lets you choose the aggregation function whereas Facet displays the unique count.

  2. Select the aggregation function for the Measure you want to graph:

  3. Use a Facet to split your graph.

  4. Choose to display either the X top or bottom values according to the selected measure.

  5. Choose the Timesteps value for the graph. Changing the global timeframe changes the list of available Timesteps values.


Select a Log Analytics visualization type using the graph selector:

Available visualizations: Timeseries, Top List, and Table.

Visualize the evolution of a single measure (or a facet unique count of values) over a selected time frame, and (optionally) split by an available facet.

You have additional display options for timeseries:

  • Whether you display lines, bars, or areas
  • Data stacking option, by value, or by percentage
  • Color set

Noteworthy facts about stacking:

  • Stacking is available only for query requests with a split.
  • Stacking options are for bar and area displays only. Line displays are always overlapping.
  • When you use a toplist option that hides part of your data, stacking does not show the total overall; rather, it shows only the subtotal for the top/bottom series.
  • Stacking may not make sense when you have non-unique values in the split facet.
  • Stacking may not make sense for some aggregation methods for measures.

The following timeseries Log Analytics shows: The evolution of the top 5 URL Paths according to the number of unique Client IPs over the last month.

Visualize the top values from a facet according to the chosen measure:

The following Top List Log Analytics shows: The evolution of the top 5 URL Paths according to the number of unique Client IPs over the last month.

Visualize the top values from a facet according to a chosen measure (the first measure you choose in the list), and display the value of additional measures for elements appearing in this top. Update the search query or drill through the logs corresponding to either dimension.

  • When there are multiple dimensions, the top values are determined according to the first dimension, then according to the second dimension within the top values of the first dimension, then according to the third dimension within the top values of the second dimension.
  • When there are multiple measures, the top or bottom list is determined according to the first measure.
  • The subtotal may differ from the actual sum of values in a group, since only a subset (top or bottom) is displayed. Events with a null or empty value for this dimension are not displayed as a sub-group.

    Note: A table visualization used for one single measure and one single dimension is the same as a toplist, just with a different display.

The following Table Log Analytics shows the evolution of the top Status Codes according to their Throughput, along with the number of unique Client IPs, and over the last 15 minutes:

Select or click on a section of the graph to either zoom in the graph or see the list of logs corresponding to your selection:

Share View

Export your current log visualization with the share functionality:

  • Export to Monitor: Export the query applied to your log analytics to create the query for a new log monitor.
  • Export to Dashboard: Export the current analytics as a widget to an existing or new dashboard.
  • Generate a new Metric: Generate a new metric out of the current analytic query.

How aggregations work behind the scenes

Datadog computes an aggregation (whether it is a mean, a sum, a percentile, etc.) by using the set of logs included in the targeted time frame.

Let’s illustrate this on a fictitious bar timeline where each bar represents a time interval. In this example, Datadog creates one aggregation for each of the time intervals for the entire set of logs. Note that log events are not necessarily uniformly distributed over time, so the aggregations are not necessarily computed over the same number of logs.

In the following example, each dot represents one log event. The X-axis is the timestamp of the log, and the Y-axis is the value of a duration attribute carried by the logs. The timeseries displays a maximum aggregation. Datadog displays a timeline with a rollout parameter; for example, there are 4 bars for the whole time frame.
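The per-interval aggregation described in this section, as an added example (a simplified model, not Datadog's code). The log events, the 40-second time frame, and the `rollup` function are constructed for illustration; the 4 intervals match the 4 bars mentioned above.

```python
from statistics import mean

# Constructed sample logs: (seconds since the start of the time frame, duration in ms).
# They are deliberately unevenly spread, with no events between 20 s and 30 s.
LOGS = [(2, 120), (5, 340), (9, 80), (14, 95),
        (31, 410), (33, 60), (38, 700), (39, 15)]

def rollup(logs, start, end, buckets, agg):
    """Split [start, end) into `buckets` equal intervals and aggregate the
    duration values that fall in each one.

    Returns one (interval_start, log_count, aggregate) tuple per interval;
    the aggregate is None for an interval that contains no logs.
    """
    width = (end - start) / buckets
    values = [[] for _ in range(buckets)]
    for ts, duration in logs:
        if start <= ts < end:  # ignore events outside the time frame
            values[int((ts - start) // width)].append(duration)
    return [
        (start + i * width, len(v), agg(v) if v else None)
        for i, v in enumerate(values)
    ]

def max_bars():
    """Maximum aggregation over 4 intervals, as in the example above."""
    return rollup(LOGS, 0, 40, 4, max)

def mean_bars():
    """Same intervals with a mean aggregation, for comparison."""
    return rollup(LOGS, 0, 40, 4, mean)

if __name__ == "__main__":
    for (t, count, mx), (_, _, avg) in zip(max_bars(), mean_bars()):
        print(f"interval starting at {t:>4}s: {count} logs, max={mx}, mean={avg}")
```

Each bar is computed from a different number of logs (3, 1, 0 and 4 here), so the log count per interval is worth reading next to the aggregate, and an empty interval has no value at all rather than a zero.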
