All of the search parameters are contained within the URL. You can share your view by sharing the URL.
A query is composed of terms and operators.
There are two types of terms:
A single term is a single word such as test or hello.
A sequence is a group of words surrounded by double quotes, such as "hello dolly".
To combine multiple terms into a complex query, you can use any of the following Boolean operators:
| Operator | Description | Example |
AND |
Intersection: both terms are in the selected events (if nothing is added, AND is taken by default) | authentication AND failure |
OR |
Union: either term is contained in the selected events | authentication OR password |
- |
Exclusion: the following term is NOT in the event | authentication AND -password |
Use the search bar’s autocomplete feature to complete your query using existing values:
The following characters are considered special: ?, >, <, :, =,", ~, /, and \ require escaping with the \ character.
To search for logs that contain user=12345 in the message attribute use the following search:
user\=JaneDoe
To search on a specific facet, first add it as a facet and then add @ to specify you are searching on a facet.
For instance, if your facet name is url and you want to filter on the url value www.datadoghq.com, enter:
@url:www.datadoghq.com
Note: Searching on a facet value that contains special characters requires escaping or double quotes. The same logic is be applied to spaces within log attributes. Log attributes should not contain spaces, but if they do, spaces must be escaped. If an attribute is called user.first name, perform a search on this attribute by escaping the space: @user.first\ name:myvalue
Examples:
| Search query | Description |
|---|---|
@http.url_details.path:"/api/v1/test" |
Searches all logs containing /api/v1/test in the attribute http.url_details.path. |
@http.url:\/api\/v1\/* |
Searches all logs containing a value in http.url attribute that start with /api/v1/ |
@http.status_code:[200 TO 299] @http.url_details.path:\/api\/v1\/* |
Searches all logs containing a http.status_code value between 200 and 299, and containing a value in http.url_details.path attribute that start with /api/v1/ |
To perform a multi-character wildcard search, use the * symbol as follows:
service:web* matches every log message that has a service starting with web.web* matches all log messages starting with web*web matches all log messages that end with webUse <,>, <=, or >= to perform a search on numerical attributes. For instance, retrieve all logs that have a response time over 100ms with:
@http.response_time:>100
You can search for numerical attribute within a specific range. For instance, retrieve all your 4xx errors with:
@http.status_code:[400 TO 499]
Your logs inherit tags from hosts and integrations that generate them. They can be used in the search and as facets as well:
test is searching for the string “test”.("env:prod" OR test) matches all logs with the tag #env:prod or the tag #test(service:srvA OR service:srvB) or (service:(srvA OR srvB)) matches all logs that contain tags #service:srvA or #service:srvB.("env:prod" AND -"version:beta") matches all logs that contain #env:prod and that do not contain #version:betaIf your tags don’t follow tags best practices and don’t use the key:value syntax, use this search query:
tags:<MY_TAG>You can add facets on arrays of strings or numbers. All values included in the array become listed in the facet and can be used to search the logs.
In the below example, clicking on the Peter value in the facet returns all the logs that contains a users.names attribute, whose value is either Peter or an array that contains Peter:
Saved Views contain your search query, columns, time horizon, and facet.
Additional helpful documentation, links, and articles:
