A query filter is composed of terms and operators.
There are two types of terms:
A single term is a single word such as
A sequence is a group of words surrounded by double quotes, such as
To combine multiple terms into a complex query, you can use any of the following Boolean operators:
| Description | Example |
|---|---|
| Intersection: both terms are in the selected events (if nothing is added, AND is taken by default) | authentication AND failure |
| Union: either term is contained in the selected events | authentication OR password |
| Exclusion: the following term is NOT in the event | authentication AND -password |
Use the search bar’s autocomplete feature to complete your query using existing values:
The following characters are considered special:
/ require escaping with the
To search for logs that contain user=JaneDoe in the message attribute, use the following search:
To search on a specific attribute, first add it as a facet and then add @ to specify you are searching on a facet.
For instance, if your facet name is url and you want to filter on the url value www.datadoghq.com, enter:
Facet searches are case sensitive. Use free text search to get case insensitive results. Another option is to use the lowercase filter with your Grok parser while parsing to get case insensitive results during search.
Searching on a facet value that contains special characters requires escaping or double quotes. The same logic is applied to spaces within log facet names. Log facets should not contain spaces, but if they do, spaces must be escaped. If a facet is named user.first name, perform a facet search by escaping the space:
|Searches all logs matching |
|Searches all logs containing a value in |
|Searches all logs containing a |
To perform a multi-character wildcard search, use the * symbol as follows:
service:web* matches every log message that has a service starting with
web* matches all log messages starting with
*web matches all log messages that end with
Wildcard searches work within facets with this syntax. This query returns all the services that end with the string
Wildcard searches can also be used to search in the plain text of a log that is not part of a facet. This query returns all the logs that contain the string
However, this search term does not return logs that contain the string NETWORK if it is in a facet and not part of the log message.
>= to perform a search on numerical attributes. For instance, retrieve all logs that have a response time over 100ms with:
You can search for a numerical attribute within a specific range. For instance, retrieve all your 4xx errors with:
@http.status_code:[400 TO 499]
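
An added example (not from the Datadog documentation or code) of building facet filters from untrusted values in a script, using the page's @ prefix, double quoting, escaped facet-name spaces and [400 TO 499] range form. It assumes backslash is the escape character, including for a double quote inside a quoted value; the function names and the usr.name facet are hypothetical.

```python
import re

# Assumption: backslash is the escape character; the page's sentence naming it is cut off.
ESC = "\\"
# Hypothetical policy for this example: facet names are letters, digits, "_", "." and spaces.
_FACET_NAME = re.compile(r"[A-Za-z0-9_. ]+")


def facet(name: str) -> str:
    """Return '@name' with spaces escaped, e.g. 'user.first name' -> '@user.first\\ name'."""
    if not _FACET_NAME.fullmatch(name):
        raise ValueError(f"unexpected character in facet name: {name!r}")
    return "@" + name.replace(" ", ESC + " ")


def quoted(value: str) -> str:
    """Wrap a value in double quotes so special characters in it are read as part of the value."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control character in search value")
    # Escape the escape character first, then the quote, so the value cannot close the quotes.
    return '"' + value.replace(ESC, ESC * 2).replace('"', ESC + '"') + '"'


def facet_equals(name: str, value: str) -> str:
    """Exact-match filter on one facet, with the value always quoted."""
    return f"{facet(name)}:{quoted(value)}"


def facet_range(name: str, low: int, high: int) -> str:
    """Numerical range in the page's form, e.g. @http.status_code:[400 TO 499]."""
    low, high = int(low), int(high)  # non-numeric input raises ValueError
    if low > high:
        raise ValueError("empty range")
    return f"{facet(name)}:[{low} TO {high}]"


def client_errors_excluding(user: str) -> str:
    """4xx events for every user except `user`, which may come from an untrusted field."""
    return f"{facet_range('http.status_code', 400, 499)} AND -{facet_equals('usr.name', user)}"


if __name__ == "__main__":
    # Constructed hostile value: left unquoted, it would add an OR clause to the filter.
    print(client_errors_excluding('jane" OR "'))
```
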
test is searching for the string “test”.
("env:prod" OR test) matches all logs with the tag #env:prod or the tag
(service:srvA OR service:srvB) or (service:(srvA OR srvB)) matches all logs that contain tags
("env:prod" AND -"version:beta") matches all logs that contain #env:prod and that do not contain
If your tags don’t follow tags best practices and don’t use the key:value syntax, use this search query:
You can add facets on arrays of strings or numbers. All values included in the array become listed in the facet and can be used to search the logs.
In the below example, clicking on the Peter value in the facet returns all the logs that contain a users.names attribute, whose value is either Peter or an array that contains
Saved Views contain your search query, columns, time horizon, and facet.