Datadog Queries in Grepr
Grepr provides comprehensive support for Datadog's log query syntax, enabling users to filter and search log data using familiar Datadog patterns. This makes it easy to migrate from or integrate with existing Datadog-based workflows.
For additional reference, see the official Datadog query syntax documentation.
Getting Started
Datadog queries in Grepr follow the same syntax patterns as Datadog's log explorer. By default, queries search the message field of log entries, but you can also query specific tags and attributes.
Basic Query Structure
-- Simple text search (searches message field by default)
error
-- Explicit message field search
message:error
-- Tag search
service:web-app
-- Attribute search
@user.id:12345
Case Sensitivity Rules
- Message searches are case-insensitive
- Tag searches are case-sensitive
- Attribute searches are case-sensitive
Message Field Queries
Message field queries perform full-text searches across the message field of log entries. These searches are case-insensitive and use word boundary matching.
Full-text Search
-- Search for "error" in message field (case-insensitive)
error
-- Explicit message field syntax
message:error
-- Both queries above are equivalent
Phrase Search
Use double quotes to search for exact phrases:
-- Search for exact phrase
message:"connection timeout"
-- Without quotes, this would search for logs containing both "connection" AND "timeout"
message:connection timeout
Examples
-- Find all error messages
error
-- Find specific error types
message:"database connection failed"
-- Find logs mentioning specific components
message:authentication
-- Case-insensitive matching
message:ERROR -- matches "error", "Error", "ERROR", etc.
Wildcard Queries
Wildcard queries allow flexible pattern matching using * (zero or more characters) and ? (single character).
Asterisk Wildcard (*)
-- Contains pattern - matches any characters before/after
*timeout*
-- Prefix pattern - matches anything starting with "auth"
auth*
-- Suffix pattern - matches anything ending with "error"
*error
Question Mark Wildcard (?)
-- Single character wildcard
f?o -- matches "foo", "fao", "f1o", etc.
-- Multiple single character wildcards
te?t -- matches "test", "text", "tent", etc.
Complex Patterns
-- Mixed wildcards
*f?OO? -- matches "afxOOd", "1f2OOx", etc.
-- Multiple asterisks
*auth*service* -- matches logs containing "auth" followed by "service"
Escaping Wildcards
You generally cannot search for special characters in the message field. If you need to search for a literal * or ?, you'll need to extract the value into an attribute and then search within that attribute.
Tag Queries
Tags in Grepr are key-value pairs that provide structured metadata about log entries. Tag searches are case-sensitive.
Tag Value Search
-- Search for specific tag value
service:web-app
-- Search for tag with dotted notation
service.version:1.2.3
-- Search for tag values with spaces (use quotes)
environment:"staging environment"
Tag Key Existence
Check if a tag key exists regardless of its value:
-- Check if 'service' tag exists
tags:service
-- Check if nested tag key exists
tags:service.version
Wildcard Tag Values
-- Tag values starting with "web"
service:web-*
-- Tag values ending with "app"
service:*-app
-- Tag values containing "prod"
environment:*prod*
Wildcard Tag Keys
-- Tag keys starting with "serv"
tags:serv*
-- Tag keys ending with "id"
tags:*id
Examples
-- Find logs from specific service
service:user-authentication
-- Find logs from production environment
environment:production
-- Find logs from any web service
service:web-*
-- Find logs that have a user ID tag
tags:user.id
-- Find logs from services in staging
environment:staging AND service:*
Attribute Queries
Attributes are structured data fields extracted from log messages. Attribute searches are case-sensitive and use the @ prefix.
Basic Attribute Search
-- Search for specific attribute value
@user.id:12345
-- Search for nested attributes
@request.method:GET
-- Search for attributes with special characters
@error.code:"AUTH_001"
Phrase Attributes
-- Search for exact phrase in attribute
@error.message:"database connection failed"
-- Search for attribute containing spaces
@user.name:"John Smith"
Wildcard Attributes
-- Attribute values starting with pattern
@request.path:/api/*
-- Attribute values ending with pattern
@file.name:*.log
-- Attribute values containing pattern
@error.message:*timeout*
Nested Attributes
Attributes can contain complex nested structures:
-- Search in arrays
@tags.environment:production
-- Search in nested objects
@metadata.request.user_id:12345
-- Search for string values
@response.body:"success"
Examples
-- Find logs from specific user
@user.id:user123
-- Find HTTP errors
@response.status_code:500
-- Find slow requests
@request.duration:*slow*
-- Find logs with specific error codes
@error.code:AUTH_*
-- Find logs from specific IP addresses
@client.ip:192.168.*
Boolean Operators
Combine multiple query conditions using boolean operators.
AND Operator
-- Explicit AND
service:web-app AND @user.id:12345
-- Implicit AND (space-separated terms)
service:web-app @user.id:12345
-- Multiple conditions
error AND service:auth AND @response.status:500
OR Operator
-- Search for either condition
service:web-app OR service:api-gateway
-- Multiple OR conditions
@response.status:500 OR @response.status:502 OR @response.status:503
-- Combine with other operators
(service:web OR service:api) AND error
NOT Operator
-- Exclude with minus sign
service:web-app -@user.id:12345
Parentheses Grouping
-- Group OR conditions
(service:web-app OR service:api) AND error
-- Complex grouping
(error OR warning) AND (service:auth OR service:payment)
-- Nested grouping
((service:web OR service:api) AND error) OR @priority:high
Must/Must Not
-- Must have (equivalent to AND)
+service:web-app +@user.id:12345
-- Must not have (equivalent to NOT)
+service:web-app -@user.id:12345
-- Complex requirements
+error +service:auth -@user.type:admin
Special Characters and Escaping
Quote Handling
-- Attributes with special characters
@error.message:"Invalid input: user@domain.com"
-- Tags with special characters
component:"web-app@v1.2.3"
Query Optimization Tips
- Minimize time range: Use the smallest time window necessary for the query.
- Always specify the service tag when applicable to reduce the search space, and use the host tag where possible. This significantly improves performance and reduces query costs.
- Use specific tags/attributes instead of broad message searches when possible
- Combine multiple conditions to narrow results effectively
- Use wildcards judiciously - they can be slower than exact matches
- Use phrase searches for multi-word terms to avoid unnecessary matches. Otherwise a query like failed login will match any log containing both "failed" and "login" anywhere in the message, which may produce many irrelevant results and is twice as expensive as "failed login".
Limitations and Unsupported Features
While Grepr supports most common Datadog query patterns, some advanced features are not available:
Unsupported Syntax
Fuzzy Search
-- NOT SUPPORTED: Fuzzy matching
foobar~2
-- ALTERNATIVE: Use wildcards
*foobar* OR *fobar*
Regular Expressions
-- NOT SUPPORTED: Regex patterns
/foo|bar/
-- ALTERNATIVE: Use boolean operators
foo OR bar
Range Queries
-- NOT SUPPORTED: Range syntax
@response.time:[100 TO 500]
-- ALTERNATIVE: Use multiple conditions
@response.time:*slow* AND NOT @response.time:*very_slow*
Proximity Searches
-- NOT SUPPORTED: Word proximity
"foo bar"~2
-- ALTERNATIVE: Use phrase search
"foo bar"
Alternative Approaches
For unsupported patterns, consider these alternatives:
- Instead of fuzzy search: Use wildcards with common variations
- Instead of regex: Use boolean operators with multiple terms
- Instead of ranges: Use descriptive attribute values with wildcards
- Instead of proximity: Use phrase searches or multiple terms
Debugging Query Results
- Start simple: Begin with basic queries and add complexity
- Check field names: Verify tag and attribute names exist
- Test case sensitivity: Remember tags/attributes are case-sensitive
- Use parentheses: Group conditions clearly
Contact Support
For additional help with Datadog queries:
- Check the Grepr documentation
- Contact Grepr support at support@grepr.ai
Quick Reference
Syntax Cheat Sheet
Query Type | Syntax | Example |
---|---|---|
Message search | text or message:text | error |
Phrase search | "exact phrase" | "connection timeout" |
Tag search | tag:value | service:web-app |
Tag existence | tags:key | tags:service |
Attribute search | @attr:value | @user.id:123 |
Wildcard | * or ? | service:web-* |
AND | AND or space | error AND service:auth |
OR | OR | error OR warning |
NOT | NOT, -, or ! | NOT @user.type:admin |
Grouping | (condition) | (error OR warning) |
Operator Precedence
- Parentheses: ()
- NOT operators: NOT, -, !
- AND operators: AND, implicit space
- OR operators: OR
Use parentheses to explicitly control precedence in complex queries.
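The precedence order and the case-sensitivity rules above, modeled as a small Python evaluator run over constructed log entries, to show how an ungrouped OR widens a query. This is an added example, not Grepr's or Datadog's implementation; the sample data, the function names, per-word message matching and flat dotted attribute keys are assumptions, and quoted phrases and tags: existence checks are not modeled.

```python
import re
# Constructed sample entries (not real data): (message, service tag, user.type attribute).
ROWS = [("Login ERROR for admin", "auth", "admin"), ("login ok", "auth", "guest"),
        ("card error", "payment", "guest"), ("payment accepted", "payment", "guest")]
LOGS = [{"message": m, "tags": {"service": s}, "attrs": {"user.type": u}} for m, s, u in ROWS]

def wildcard(pattern, flags=0):  # * = zero or more characters, ? = exactly one
    return re.compile(re.escape(pattern).replace(r"\*", ".*").replace(r"\?", "."), flags)

def term_matches(term, log):
    key, sep, value = term.partition(":")
    if not sep or key == "message":  # bare word or message: is case-insensitive
        rx = wildcard(value if sep else term, re.IGNORECASE)
        return any(rx.fullmatch(w) for w in re.findall(r"\w+", log["message"]))
    source = log["attrs"] if key.startswith("@") else log["tags"]
    field = source.get(key.lstrip("@"))  # tags and attributes are case-sensitive
    return field is not None and wildcard(value).fullmatch(str(field)) is not None

def evaluate(query, log):  # precedence: parentheses, NOT, AND (or space), OR
    toks = re.findall(r"[()]|[^\s()]+", query)
    peek = lambda: toks[0] if toks else None
    def parse_or():
        val = parse_and()
        while peek() == "OR":
            toks.pop(0)
            val = parse_and() or val
        return val
    def parse_and():
        val = parse_not()
        while peek() not in (None, "OR", ")"):
            if peek() == "AND":
                toks.pop(0)
            val = parse_not() and val  # a bare space is an implicit AND
        return val
    def parse_not():
        tok = toks.pop(0)
        if tok in ("NOT", "!"):
            return not parse_not()
        if tok == "(":
            val = parse_or()
            toks.pop(0)  # closing parenthesis
            return val
        if tok[0] in "-!":
            return not term_matches(tok[1:], log)
        return term_matches(tok.lstrip("+"), log)
    return parse_or()

def search(query):
    return [i for i, log in enumerate(LOGS) if evaluate(query, log)]
```

`search("service:auth OR service:payment AND error")` returns entries 0, 1 and 2, while `search("(service:auth OR service:payment) AND error")` returns only 0 and 2.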