datadog query event attributes - Brave Search

How to query Datadog to return the values of an attribute instead of the overall count of events

stackoverflow.com › questions › 67201672 › how-to-query-datadog-to-return-the-values-of-an-attribute-instead-of-the-overall

For anyone googling this type of thing later, I found out the answer from Datadog support: it's not possible from the metrics endpoint. The data ingestion app I was creating queries for that consumes the Datadog API only had support for the Metrics (timeseries) endpoint, and the Events endpoint (which is something completely different from these "event" logs).

In order to query these named logs and look at an attribute, there are essentially two options:

1: Use the Logs Analytics Aggregate API Endpoint (https://docs.datadoghq.com/api/latest/logs/), which allows you to query directly into logs and set aggregation type etc. The app I was using did not support this endpoint, but through personal curl requests I was able to verify that the data was accessible through this endpoint. The downside of this endpoint is it has as much lower rate limit than the metric timeseries endpoint (the rate limit is only 300 requests/hour, which we hit fairly fast).

2: Create a new metric representing this attribute in the logs of Datadog. This is the route we took. The downside of this method is that the new metric only begins storing data from the point in time in which it is created, so any historical data you wish to look at will not be available via this new metric.

Answer from orbtl on Stack Overflow

docs.datadoghq.com › api › latest › events

GET https://api.ap1.datadoghq....datadoghq.com/api/v1/events · The event stream can be queried and filtered by time, priority, sources and tags....

docs.datadoghq.com › service_management › events › explorer

Events Explorer

Use the Events Explorer to aggregate and view events coming into Datadog. Group or filter events by attribute and graphically represent them with event analytics. Use the query syntax to filter events using Boolean and wildcard operators.

docs.datadoghq.com › monitors › types › event

To create an event monitor in Datadog, navigate to Monitors > New Monitor > Event. There is a default limit of 1000 Event monitors per account. If you are encountering this limit, consider using multi alerts, or Contact Support. As you define the search query, the top graph updates. Construct a search query using the Event Explorer search syntax. Choose to monitor over an event count, facet, tags, or attributes:

stackoverflow.com › questions › 67201672 › how-to-query-datadog-to-return-the-values-of-an-attribute-instead-of-the-overall

How to query Datadog to return the values of an attribute instead of the overall count of events - Stack Overflow

For anyone googling this type of thing later, I found out the answer from Datadog support: it's not possible from the metrics endpoint. The data ingestion app I was creating queries for that consumes the Datadog API only had support for the Metrics (timeseries) endpoint, and the Events endpoint (which is something completely different from these "event" logs).

In order to query these named logs and look at an attribute, there are essentially two options:

1: Use the Logs Analytics Aggregate API Endpoint (https://docs.datadoghq.com/api/latest/logs/), which allows you to query directly into logs and set aggregation type etc. The app I was using did not support this endpoint, but through personal curl requests I was able to verify that the data was accessible through this endpoint. The downside of this endpoint is it has as much lower rate limit than the metric timeseries endpoint (the rate limit is only 300 requests/hour, which we hit fairly fast).

2: Create a new metric representing this attribute in the logs of Datadog. This is the route we took. The downside of this method is that the new metric only begins storing data from the point in time in which it is created, so any historical data you wish to look at will not be available via this new metric.

docs.datadoghq.com › service_management › events › guides › usage

Generate metrics with 15-month ... search query to create and monitor historical events and alerts. Events ingested with a timestamp within the past 20 minutes are considered for aggregation. For more information, see Event Analytics. Use the Events Explorer to aggregate and view events coming into Datadog. Group or filter events by attribute and graphically ...

docs.datadoghq.com › dashboards › querying

View event correlations by using ... text or structured search query. Events search uses the logs search syntax. The event overlay supports all data sources. This allows for easier correlation between business events and data from any Datadog service....

docs.datadoghq.com › logs › explorer › search_syntax

Log Search Syntax

If your tags don’t follow tags best practices and don’t use the key:value syntax, use this search query: ... In the below example, clicking on the Peter value in the facet returns all the logs that contains a users.names attribute, whose value is either Peter or an array that contains Peter: Note: Search can also be used on non-faceted array attributes using an equivalent syntax. In the following example, CloudWatch logs for Windows contain an array of JSON objects under @Event.EventData.Data.

docs.datadoghq.com › logs › log_configuration › attributes_naming_convention

Attributes and Aliasing

Below is a list of reserved attributes that are automatically ingested with logs. Note: If you’re also collecting traces or metrics, it is recommended to configure unified service tagging. This configuration ties Datadog telemetry together through the use of three standard tags: env, service, and version.

docs.datadoghq.com › service_management › events › explorer › attributes

Reserved Attributes

This list describes automatically ingested reserved attributes with events.

Find elsewhere

Google Bing Mojeek

docs.datadoghq.com › events

Event Management

Update to Datadog monitor events ... The Datadog monitor events aggregation_key is unique to each Monitor ID. Starting March 1st, this key will also include Monitor Group, making it unique per Monitor ID and Monitor Group. If you’re using monitor events aggregation_key in dashboard queries or the Event ...

docs.datadoghq.com › service_management › events › guides › migrating_to_new_events_features

Migrating to the New Events Features

The new query search allows you to use complex queries in event monitors with new capabilities such as Boolean operators or wildcards. Datadog automatically parses JSON-formatted events. When events are not JSON-formatted, they are parsed and enriched by chaining them sequentially through a processing pipeline. Processors extract meaningful information or attributes from semi-structured text to reuse as facets.

datadoghq.com › blog › datadog-events

Troubleshoot faster with improved Datadog Events | Datadog

By using processors, you can enrich your events by adding attributes containing important data—such as team ownership information, links to dashboards, or links to documentation.

stackoverflow.com › questions › 63650568 › how-to-search-datadog-logs-by-attribute

How to search Datadog logs by Attribute - Stack Overflow

You need to tell Datadog that you're interested in that content by creating a facet from the field. Click a log message, mouse over the attribute name, click the gear on the left, then Create facet for @...

For logs indexed after you create the facet, you can search with @fieldName:text*, where fieldName is the name of your field. You'll need to re-hydrate (reprocess) earlier logs to make them searchable.

You won't need to create a facet if you use fields from the standard attributes list.

The error message itself is not a good fit to be defined as a facet.

If you are using JSON and want the main message (say from a msg json field) to be searchable in the Datadog content field. Instead of making facet for msg, you can define a "Message Remapper" in the log configuration to map it to the Content. And then you can do wildcard searches.

log config screenshot

stackoverflow.com › questions › 77346948 › optional-attributes-datadog-monitor

Optional attributes - DataDog monitor - Stack Overflow

To be able to use the log attributes in the notification message, you need to include them in the monitor's query. To make the attributes optional, I used a redundant bi-condition, i.e.

docs.datadoghq.com › standard-attributes

Default Standard Attributes

The following table lists the attributes automatically applied to data sent to Datadog by the Agent by each of the RUM, Logs, and APM products, as applicable to the data domain.

docs.datadoghq.com › tracing › trace_explorer › query_syntax

To view these metrics aggregated over the parent or root span instead of the queried span, select parent(a) or root in the Show metrics from statement. Additionally, the Latency Breakdown surfaces how time is spent between different services within requests from each group, allowing you to visually spot latency bottlenecks for given groups. For deeper analysis, click any group to examine the individual span events that make up the aggregated metrics. A Facet displays all the distinct values of an attribute or a tag as well as provides some basic analytics such as the amount of traces represented.

docs.datadoghq.com › service_management › events › explorer › navigate

Navigate the Explorer - Event Management

The attributes tab of the side panel lists event attributes as JSON. Click an attribute to add it to or exclude it from the existing query, or to add a column for this attribute.

docs.datadoghq.com › real_user_monitoring › explorer › search

Search RUM Events

The value of this attribute is stored across all new RUM events. You can access these attributes in the search bar, the Facets panel, and your visualizations. Every measure has a unit that is displayed in a column of the RUM Explorer and in your visualizations. To search for a specific attribute, add it as a facet and enter @ in your search query. This specifies that you are searching for a facet. For example, if your facet name is url and you want to filter on the url value www.datadoghq...

docs.datadoghq.com › real_user_monitoring › explorer › search_syntax

Learn RUM Explorer search syntax including terms, operators, and Boolean logic to create complex queries for event filtering.

docs.datadoghq.com › dashboards › widgets › query_value

Query Value Widget

Aggregation methods for event platform queries. Allowed enum values: count,cardinality,median,pc75,pc90,pc95,pc98,pc99,sum,min,max,avg ... A time interval in milliseconds. ... Measurable attribute to compute.