
Datadog Queries in Grepr

Grepr provides comprehensive support for Datadog's log query syntax, enabling users to filter and search log data using familiar Datadog patterns. This makes it easy to migrate from or integrate with existing Datadog-based workflows.

For additional reference, see the official Datadog query syntax documentation.

Getting Started

Datadog queries in Grepr follow the same syntax patterns as Datadog's log explorer. By default, queries search the message field of log entries, but you can also query specific tags and attributes.

Basic Query Structure

-- Simple text search (searches message field by default)
error
 
-- Explicit message field search
message:error
 
-- Tag search
service:web-app
 
-- Attribute search
@user.id:12345

Case Sensitivity Rules

  • Message searches are case-insensitive
  • Tag searches are case-sensitive
  • Attribute searches are case-sensitive

Message Field Queries

Message field queries perform full-text searches across the message field of log entries. These searches are case-insensitive and use word boundary matching.

Full-text Search

-- Search for "error" in message field (case-insensitive)
error
 
-- Explicit message field syntax
message:error
 
-- Both queries above are equivalent

Phrase Search

Use double quotes to search for exact phrases:

-- Search for exact phrase
message:"connection timeout"
 
-- Without quotes, this would search for logs containing both "connection" AND "timeout"
message:connection timeout

Examples

-- Find all error messages
error
 
-- Find specific error types
message:"database connection failed"
 
-- Find logs mentioning specific components
message:authentication
 
-- Case-insensitive matching
message:ERROR  -- matches "error", "Error", "ERROR", etc.

Wildcard Queries

Wildcard queries allow flexible pattern matching using * (zero or more characters) and ? (single character).

Asterisk Wildcard (*)

-- Contains pattern - matches any characters before/after
*timeout*
 
-- Prefix pattern - matches anything starting with "auth"
auth*
 
-- Suffix pattern - matches anything ending with "error"
*error

Question Mark Wildcard (?)

-- Single character wildcard
f?o  -- matches "foo", "fao", "f1o", etc.
 
-- Multiple single character wildcards
te?t  -- matches "test", "text", "tent", etc.

Complex Patterns

-- Mixed wildcards
*f?OO?  -- matches "afOOd", "1fOOx", etc.
 
-- Multiple asterisks
*auth*service*  -- matches logs containing "auth" followed by "service"

Escaping Wildcards

You generally cannot search for special characters in the message field. If you need to search for a literal * or ?, you'll need to extract the value into an attribute and then search within that attribute.

Tag Queries

Tags in Grepr are key-value pairs that provide structured metadata about log entries. Tag searches are case-sensitive.

Tag Value Search

-- Search for specific tag value
service:web-app
 
-- Search for tag with dotted notation
service.version:1.2.3
 
-- Search for tag values with spaces (use quotes)
environment:"staging environment"

Tag Key Existence

Check if a tag key exists regardless of its value:

-- Check if 'service' tag exists
tags:service
 
-- Check if nested tag key exists
tags:service.version

Wildcard Tag Values

-- Tag values starting with "web"
service:web-*
 
-- Tag values ending with "app"
service:*-app
 
-- Tag values containing "prod"
environment:*prod*

Wildcard Tag Keys

-- Tag keys starting with "serv"
tags:serv*
 
-- Tag keys ending with "id"
tags:*id

Examples

-- Find logs from specific service
service:user-authentication
 
-- Find logs from production environment
environment:production
 
-- Find logs from any web service
service:web-*
 
-- Find logs that have a user ID tag
tags:user.id
 
-- Find logs from services in staging
environment:staging AND service:*

Attribute Queries

Attributes are structured data fields extracted from log messages. Attribute searches are case-sensitive and use the @ prefix.

Basic Attribute Search

-- Search for specific attribute value
@user.id:12345
 
-- Search for nested attributes
@request.method:GET
 
-- Search for attributes with special characters
@error.code:"AUTH_001"

Phrase Attributes

-- Search for exact phrase in attribute
@error.message:"database connection failed"
 
-- Search for attribute containing spaces
@user.name:"John Smith"

Wildcard Attributes

-- Attribute values starting with pattern
@request.path:/api/*
 
-- Attribute values ending with pattern
@file.name:*.log
 
-- Attribute values containing pattern
@error.message:*timeout*

Nested Attributes

Attributes can contain complex nested structures:

-- Search in arrays
@tags.environment:production
 
-- Search in nested objects
@metadata.request.user_id:12345
 
-- Search for string values
@response.body:"success"

Examples

-- Find logs from specific user
@user.id:user123
 
-- Find HTTP errors
@response.status_code:500
 
-- Find slow requests
@request.duration:*slow*
 
-- Find logs with specific error codes
@error.code:AUTH_*
 
-- Find logs from specific IP addresses
@client.ip:192.168.*

Boolean Operators

Combine multiple query conditions using boolean operators.

AND Operator

-- Explicit AND
service:web-app AND @user.id:12345
 
-- Implicit AND (space-separated terms)
service:web-app @user.id:12345
 
-- Multiple conditions
error AND service:auth AND @response.status:500

OR Operator

-- Search for either condition
service:web-app OR service:api-gateway
 
-- Multiple OR conditions
@response.status:500 OR @response.status:502 OR @response.status:503
 
-- Combine with other operators
(service:web OR service:api) AND error

NOT Operator

-- Exclude with minus sign
service:web-app -@user.id:12345

Parentheses Grouping

-- Group OR conditions
(service:web-app OR service:api) AND error
 
-- Complex grouping
(error OR warning) AND (service:auth OR service:payment)
 
-- Nested grouping
((service:web OR service:api) AND error) OR @priority:high

Must/Must Not

-- Must have (equivalent to AND)
+service:web-app +@user.id:12345
 
-- Must not have (equivalent to NOT)
+service:web-app -@user.id:12345
 
-- Complex requirements
+error +service:auth -@user.type:admin

Special Characters and Escaping

Quote Handling

-- Attributes with special characters
@error.message:"Invalid input: user@domain.com"
 
-- Tags with special characters
component:"web-app@v1.2.3"

Query Optimization Tips

  1. Minimize time range: Use the smallest time window necessary for the query.
  2. Always specify the service tag when applicable to reduce the search space, and use the host tag where possible. This significantly improves performance and reduces query costs.
  3. Use specific tags/attributes instead of broad message searches when possible.
  4. Combine multiple conditions to narrow results effectively.
  5. Use wildcards judiciously: they can be slower than exact matches.
  6. Use phrase searches for multi-word terms to avoid unnecessary matches. Otherwise, an unquoted query like failed login matches any log containing both "failed" and "login" anywhere in the message, which may produce many irrelevant results and is twice as expensive as the phrase search "failed login".

Limitations and Unsupported Features

While Grepr supports most common Datadog query patterns, some advanced features are not available:

Unsupported Syntax

Fuzzy Search

-- NOT SUPPORTED: Fuzzy matching
foobar~2
 
-- ALTERNATIVE: Use wildcards
*foobar* OR *fobar*

Regular Expressions

-- NOT SUPPORTED: Regex patterns
/foo|bar/
 
-- ALTERNATIVE: Use boolean operators
foo OR bar

Range Queries

-- NOT SUPPORTED: Range syntax
@response.time:[100 TO 500]
 
-- ALTERNATIVE: Use multiple conditions
@response.time:*slow* AND NOT @response.time:*very_slow*

Proximity Searches

-- NOT SUPPORTED: Word proximity
"foo bar"~2
 
-- ALTERNATIVE: Use phrase search
"foo bar"

Alternative Approaches

For unsupported patterns, consider these alternatives:

  • Instead of fuzzy search: Use wildcards with common variations
  • Instead of regex: Use boolean operators with multiple terms
  • Instead of ranges: Use descriptive attribute values with wildcards
  • Instead of proximity: Use phrase searches or multiple terms

Debugging Query Results

  1. Start simple: Begin with basic queries and add complexity
  2. Check field names: Verify tag and attribute names exist
  3. Test case sensitivity: Remember tags/attributes are case-sensitive
  4. Use parentheses: Group conditions clearly

Contact Support

For additional help with Datadog queries:

Quick Reference

Syntax Cheat Sheet

| Query Type | Syntax | Example |
|---|---|---|
| Message search | text or message:text | error |
| Phrase search | "exact phrase" | "connection timeout" |
| Tag search | tag:value | service:web-app |
| Tag existence | tags:key | tags:service |
| Attribute search | @attr:value | @user.id:123 |
| Wildcard | * or ? | service:web-* |
| AND | AND or space | error AND service:auth |
| OR | OR | error OR warning |
| NOT | NOT, -, or ! | NOT @user.type:admin |
| Grouping | (condition) | (error OR warning) |

Operator Precedence

  1. Parentheses: ()
  2. NOT operators: NOT, -, !
  3. AND operators: AND, implicit space
  4. OR operators: OR

Use parentheses to explicitly control precedence in complex queries.
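
The following added example (not Grepr's or Datadog's code) models the rules documented on this page: operator precedence, implicit AND, case sensitivity, and whole-value wildcard matching on tags and attributes. It lets you check how an ungrouped alert filter or a wildcard on an IP attribute actually binds. The record layout (`message`, `tags`, `attrs` with flat dotted keys) and all function names are assumptions, and wildcards inside message terms are not modelled.

```python
import re

# Token: parenthesis, optionally keyed quoted phrase, or bare term.
TOKEN = re.compile(r'\(|\)|[^\s()":]*:?"[^"]*"|[^\s()]+')

def wildcard(pattern):
    # * = zero or more characters, ? = exactly one; every other character is literal.
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern), re.S)

def term(tok, log):
    key, sep, value = tok.partition(":")
    if not sep or tok.startswith('"'):
        key, value = "message", tok              # bare word or bare phrase
    value = value.strip('"')
    if key == "message":                         # case-insensitive, word boundaries
        return bool(re.search(rf"\b{re.escape(value)}\b", log["message"], re.I))
    field = log["attrs"].get(key[1:]) if key.startswith("@") else log["tags"].get(key)
    return field is not None and bool(wildcard(value).fullmatch(str(field)))  # case-sensitive

def evaluate(query, log):
    toks = TOKEN.findall(query)
    def parse_or():                              # OR binds loosest
        v = parse_and()
        while toks[:1] == ["OR"]:
            toks.pop(0)
            v = parse_and() or v
        return v
    def parse_and():                             # AND or implicit space
        v = parse_not()
        while toks and toks[0] not in (")", "OR"):
            if toks[0] == "AND":
                toks.pop(0)
            v = parse_not() and v
        return v
    def parse_not():                             # NOT, -, ! bind tightest
        t = toks.pop(0)
        if t in ("NOT", "!", "-"):
            return not parse_not()
        if t == "(":
            v = parse_or()
            toks.pop(0)                          # closing ")"
            return v
        return not term(t[1:], log) if t[0] in "-!" else term(t.lstrip("+"), log)
    return parse_or()

# Constructed sample record (not real data)
LOG = {"message": "Disk ERROR on volume", "tags": {"service": "payment"},
       "attrs": {"client.ip": "10.100.3.4"}}
```

On the sample record, `error OR warning AND service:auth` matches even though the service is `payment`, while `(error OR warning) AND service:auth` does not. Likewise `@client.ip:10.1*` matches `10.100.3.4` because wildcards compare strings, not subnets.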