All of the search parameters are contained within the URL. You can share your view by sharing the URL.
A query is composed of terms and operators.
There are two types of terms:
A single term is a single word such as
A sequence is a group of words surrounded by double quotes, such as
To combine multiple terms into a complex query, you can use any of the following Boolean operators:
||Intersection: both terms are in the selected events (if nothing is added, AND is taken by default)||authentication AND failure|
||Union: either term is contained in the selected events||authentication OR password|
||Exclusion: the following term is NOT in the event||authentication AND -password|
Use the search bar’s autocomplete feature to complete your query using existing values:
The following characters are considered special:
\ require escaping with the
To search for logs that contain
user=12345 in the message attribute use the following search:
To search on a specific facet, first add it as a facet and then add
@ to specify you are searching on a facet.
For instance, if your facet name is url and you want to filter on the url value www.datadoghq.com, enter:
Note: Searching on a facet value that contains special characters requires escaping or double quotes. The same logic is be applied to spaces within log attributes. Log attributes should not contain spaces, but if they do, spaces must be escaped. If an attribute is called
user.first name, perform a search on this attribute by escaping the space:
||Searches all logs containing
||Searches all logs containing a value in
||Searches all logs containing a
To perform a multi-character wildcard search, use the
* symbol as follows:
service:web*matches every log message that has a service starting with
web*matches all log messages starting with
*webmatches all log messages that end with
>= to perform a search on numerical attributes. For instance, retrieve all logs that have a response time over 100ms with:
You can search for numerical attribute within a specific range. For instance, retrieve all your 4xx errors with:
@http.status_code:[400 TO 499]
testis searching for the string “test”.
("env:prod" OR test)matches all logs with the tag
#env:prodor the tag
(service:srvA OR service:srvB)or
(service:(srvA OR srvB))matches all logs that contain tags
("env:prod" AND -"version:beta")matches all logs that contain
#env:prodand that do not contain
If your tags don’t follow tags best practices and don’t use the
key:value syntax, use this search query:
You can add facets on arrays of strings or numbers. All values included in the array become listed in the facet and can be used to search the logs.
In the below example, clicking on the
Peter value in the facet returns all the logs that contains a
users.names attribute, whose value is either
Peter or an array that contains
Saved Views contain your search query, columns, time horizon, and facet.
Additional helpful documentation, links, and articles: