16

Question about searching logs in Datadog.

Search works on regular strings in the CONTENT portion of the log. However, if JSON is passed to the CONTENT portion, the JSON elements are automatically parsed into Attributes. But the Attributes are NOT searchable.

How do I search for logs by Attribute?

It seems like a step backwards to supply log data in JSON to improve indexing, but then LOSE the ability to search on those elements.

Pete Lunenfeld
  • @attr.example_event_payload:(*\"name\"\:\"something\"* AND *\"active\"\:false*) If you have the payload in the logs, I think you can directly do this. – Oguz Nov 30 '22 at 14:49

2 Answers

13

You need to tell Datadog that you're interested in that content by creating a facet from the field. Click a log message, mouse over the attribute name, click the gear on the left, then Create facet for @...

For logs indexed after you create the facet, you can search with @fieldName:text*, where fieldName is the name of your field. You'll need to re-hydrate (reprocess) earlier logs to make them searchable.

You won't need to create a facet if you use fields from the standard attributes list.

kielni
  • I don't know the facets or attributes, how do I search for an invoice id in all logs from the microservices on the service bus, so I can see what happened to the invoice? – Jan Rou Jun 02 '22 at 09:02
  • @JanRou unless you indexed them and created facets, you just can't – Leonardo May 03 '23 at 21:52
5

The error message itself is not a good fit to be defined as a facet.

If you are using JSON and want the main message (say, from a msg JSON field) to be searchable in the Datadog content field, then instead of making a facet for msg, you can define a "Message Remapper" in the log configuration to map it to the Content. Then you can do wildcard searches.

log config screenshot

sanjeev