Datadog Logs API
The Logs API allows you to search and send log events to the Datadog platform over HTTP. It supports querying and aggregating log data from the Log Management product.
openapi: 3.1.0
info:
  title: Datadog Logs API
  description: >-
    The Datadog Logs API allows you to search and send log events to the
    Datadog platform over HTTP. It supports querying and aggregating log
    data from the Log Management product. Logs can be searched using
    Datadog's log query language, and results can be aggregated using
    facets and measures. The API also supports managing log indexes, which
    control how long logs are retained and queried.
  version: 'v2'
  contact:
    name: Datadog Support
    url: https://www.datadoghq.com/support/
  termsOfService: https://www.datadoghq.com/legal/terms/
externalDocs:
  description: Datadog Logs API Documentation
  url: https://docs.datadoghq.com/api/latest/logs/
servers:
  - url: https://api.datadoghq.com
    description: Datadog API Production Server
tags:
  - name: Log Aggregation
    description: Aggregate and analyze log data
  - name: Log Indexes
    description: Manage log indexes and retention policies
  - name: Logs
    description: Send and search log events
security:
  - apiKeyAuth: []
paths:
  /api/v2/logs:
    post:
      operationId: submitLogs
      summary: Datadog Send Logs
      description: >-
        Sends log entries to the Datadog platform for indexing, storage, and
        analysis. Accepts log payloads in JSON format. Each log entry can
        include a message, hostname, service name, source, tags, and
        additional custom attributes. Supports batching multiple log entries
        in a single request. The maximum payload size is 5 MB for the HTTP
        intake endpoint. Logs must contain a message field.
      tags:
        - Logs
      parameters:
        - name: Content-Encoding
          in: header
          required: false
          description: HTTP header used to compress the media-type. Use gzip or deflate encoding
          schema:
            type: string
            enum: [gzip, deflate]
            example: gzip
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: array
              description: Array of log entries to submit
              items:
                $ref: '#/components/schemas/HTTPLogItem'
      responses:
        '202':
          description: Request accepted - logs queued for processing
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HTTPLogSuccess'
        '400':
          description: Bad request - invalid log format or missing required fields
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '401':
          description: Unauthorized - missing or invalid API key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '403':
          description: Forbidden - insufficient permissions for this operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '408':
          description: Request timeout - the server did not receive a complete request in time
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '413':
          description: Payload too large - exceeds 5 MB uncompressed size limit
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /api/v2/logs/events/search:
    post:
      operationId: searchLogs
      summary: Datadog Search Logs
      description: >-
        Searches log events that match a Datadog log search query within a
        specified time range. Supports full-text search and structured queries
        using Datadog's log query language. Results are paginated and can be
        sorted by timestamp. Queries can filter by log attributes, facets,
        tags, service, source, hostname, and status. Returns up to 1000 logs
        per page.
      tags:
        - Logs
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/LogsListRequest'
      responses:
        '200':
          description: Successful response with matching log events
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogsListResponse'
        '400':
          description: Bad request - invalid query syntax or parameters
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '401':
          description: Unauthorized - missing or invalid API key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '403':
          description: Forbidden - insufficient permissions for this operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /api/v2/logs/analytics/aggregate:
    post:
      operationId: aggregateLogs
      summary: Datadog Aggregate Logs
      description: >-
        Computes aggregations over log events matching a search query within
        a specified time range. Supports count, sum, avg, min, max, and
        percentile aggregations grouped by one or more facets. Results can
        be used for building analytics charts, dashboards, and reports.
        Useful for answering questions like "how many errors per service
        per hour?" or "what is the p99 latency by endpoint?".
      tags:
        - Log Aggregation
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/LogsAggregateRequest'
      responses:
        '200':
          description: Successful response with aggregated log analytics
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogsAggregateResponse'
        '400':
          description: Bad request - invalid aggregation query or parameters
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '401':
          description: Unauthorized - missing or invalid API key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '403':
          description: Forbidden - insufficient permissions for this operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /api/v1/logs/config/indexes:
    get:
      operationId: listLogIndexes
      summary: Datadog List Log Indexes
      description: >-
        Returns the list of configured log indexes for your Datadog organization.
        Each index defines a filter for which logs to include, a daily retention
        policy, and log volume limits. Indexes are evaluated in order, and each
        log can match at most one index. Index configurations affect log
        retention, querying capabilities, and cost.
      tags:
        - Log Indexes
      responses:
        '200':
          description: Successful response with list of log indexes
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogsIndexesResponse'
        '401':
          description: Unauthorized - missing or invalid API key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '403':
          description: Forbidden - insufficient permissions for this operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /api/v1/logs/config/indexes/{name}:
    get:
      operationId: getLogIndex
      summary: Datadog Get a Log Index
      description: >-
        Returns the configuration details for a specific log index identified
        by its name. Includes the filter query, exclusion filters, daily
        retention settings, and current usage statistics.
      tags:
        - Log Indexes
      parameters:
        - $ref: '#/components/parameters/indexNameParam'
      responses:
        '200':
          description: Successful response with log index configuration
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogsIndex'
        '401':
          description: Unauthorized - missing or invalid API key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '403':
          description: Forbidden - insufficient permissions for this operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
        '404':
          description: Not found - log index with the specified name does not exist
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
components:
  securitySchemes:
    apiKeyAuth:
      type: apiKey
      in: header
      name: DD-API-KEY
      description: >-
        Datadog API key for authenticating requests. Obtain from the Datadog
        organization settings under API Keys.
  parameters:
    indexNameParam:
      name: name
      in: path
      required: true
      description: The name of the log index to retrieve
      schema:
        type: string
  schemas:
    HTTPLogItem:
      type: object
      description: A single log entry to submit to Datadog
      required:
        - message
      properties:
        message:
          type: string
          description: The message content of the log entry. This field is required and indexed for search.
          example: CPU usage is high on {{host.name}}
        hostname:
          type: string
          description: The name of the host that generated the log entry
          example: Example Monitor
        service:
          type: string
          description: The name of the application or service that generated the log
          example: example_value
        ddsource:
          type: string
          description: The source technology of the log (e.g., nginx, redis, java) used for automatic processing
          example: example_value
        ddtags:
          type: string
          description: Comma-separated list of tags to apply to the log entry in key:value format
          example: env:production
        status:
          type: string
          description: The severity or log level of the event (e.g., info, warning, error, critical)
          enum: [emerg, alert, critical, error, warning, notice, info, debug]
          example: emerg
    HTTPLogSuccess:
      type: object
      description: Response indicating logs were accepted for processing
      properties: {}
    LogsListRequest:
      type: object
      description: Request body for searching log events
      properties:
        filter:
          $ref: '#/components/schemas/LogsQueryFilter'
        sort:
          type: string
          description: The sort order for log results, either ascending or descending by timestamp
          enum: [timestamp, -timestamp]
          example: timestamp
        page:
          type: object
          description: Pagination configuration for log search results
          properties:
            cursor:
              type: string
              description: A cursor token from a previous response to retrieve the next page of results
            limit:
              type: integer
              description: The maximum number of logs to return per page (default 10, max 1000)
              minimum: 1
              maximum: 1000
              default: 10
    LogsQueryFilter:
      type: object
      description: Filter criteria for log search queries
      properties:
        query:
          type: string
          description: A Datadog log search query string to filter log events (e.g., service:web status:error)
          example: service:web status:error
        indexes:
          type: array
          description: List of log index names to search; if empty, all indexes are searched
          items:
            type: string
        from:
          type: string
          description: The start of the time range for the search in ISO 8601 format or relative format (e.g., now-15m)
          example: now-15m
        to:
          type: string
          description: The end of the time range for the search in ISO 8601 format or relative format (e.g., now)
          example: now
    LogsListResponse:
      type: object
      description: Response containing matching log events from a search query
      properties:
        data:
          type: array
          description: List of matching log events
          items:
            $ref: '#/components/schemas/Log'
        meta:
          type: object
          description: Metadata about the search response including pagination information
          properties:
            page:
              type: object
              description: Pagination details for continuing the search
              properties:
                after:
                  type: string
                  description: Cursor token to retrieve the next page of results
            elapsed:
              type: integer
              description: Time in milliseconds taken to execute the search query
            status:
              type: string
              description: Status of the search request (done, timeout)
              enum: [done, timeout]
    Log:
      type: object
      description: A single log event returned from a search query
      properties:
        id:
          type: string
          description: The unique identifier of the log event
          example: abc-123-def
        type:
          type: string
          description: The type of the resource (always 'log')
          example: log
        attributes:
          $ref: '#/components/schemas/LogAttributes'
    LogAttributes:
      type: object
      description: The attributes of a log event returned from the search API
      properties:
        timestamp:
          type: string
          format: date-time
          description: ISO 8601 timestamp when the log was generated
          example: '2026-04-17T12:00:00Z'
        status:
          type: string
          description: The log level or severity status of the event
          example: OK
        message:
          type: string
          description: The raw log message content
          example: CPU usage is high on {{host.name}}
        host:
          type: string
          description: The hostname of the machine that generated the log
          example: example_value
        service:
          type: string
          description: The name of the application or service that generated the log
          example: example_value
        source:
          type: string
          description: The technology source that generated the log (e.g., nginx, java)
          example: example_value
        tags:
          type: array
          description: List of tags associated with the log event in key:value format
          items:
            type: string
        attributes:
          type: object
          description: Custom key-value attributes extracted from the log message
          additionalProperties: true
    LogsAggregateRequest:
      type: object
      description: Request body for aggregating log events
      properties:
        filter:
          $ref: '#/components/schemas/LogsQueryFilter'
        compute:
          type: array
          description: List of aggregation computations to perform on the filtered log set
          items:
            $ref: '#/components/schemas/LogsCompute'
        group_by:
          type: array
          description: List of facets to group results by, enabling breakdown by log attribute
          items:
            $ref: '#/components/schemas/LogsGroupBy'
        options:
          type: object
          description: Options for the aggregation query
          properties:
            timezone:
              type: string
              description: The timezone to use for time-based group-by operations (IANA timezone name)
    LogsCompute:
      type: object
      description: A computation to perform over the filtered log set
      required:
        - aggregation
        - type
      properties:
        aggregation:
          type: string
          description: The type of aggregation to compute over log events
          enum: [count, cardinality, pc75, pc90, pc95, pc98, pc99, sum, avg, min, max]
          example: count
        metric:
          type: string
          description: The log attribute to aggregate (required for all aggregations except count)
          example: example_value
        type:
          type: string
          description: Whether this is a total aggregation or a timeseries
          enum: [total, timeseries]
          example: total
        interval:
          type: string
          description: The time interval for timeseries computations (e.g., 1m, 1h, 1d)
          example: example_value
    LogsGroupBy:
      type: object
      description: A group-by configuration for aggregating log results by facet values
      required:
        - facet
      properties:
        facet:
          type: string
          description: The log attribute or tag to group results by
          example: example_value
        limit:
          type: integer
          description: The maximum number of unique facet values to return in results
          default: 10
          example: 42
        sort:
          type: object
          description: Sort configuration for group-by results
          properties:
            aggregation:
              type: string
              description: The aggregation metric to sort by
              enum: [count, cardinality, pc75, pc90, pc95, pc98, pc99, sum, avg, min, max]
            order:
              type: string
              description: The sort direction for group-by results
              enum: [asc, desc]
    LogsAggregateResponse:
      type: object
      description: Response containing aggregated log analytics results
      properties:
        data:
          type: object
          description: The aggregation response data
          properties:
            attributes:
              type: object
              description: The aggregation result attributes
              properties:
                buckets:
                  type: array
                  description: List of aggregation buckets, each representing a group-by combination
                  items:
                    $ref: '#/components/schemas/LogsAggregateBucket'
    LogsAggregateBucket:
      type: object
      description: A single aggregation bucket representing one group-by combination
      properties:
        by:
          type: object
          description: The facet values that define this bucket
          additionalProperties:
            type: string
        computes:
          type: object
          description: The computed aggregation values for this bucket, keyed by computation index
          additionalProperties: true
    LogsIndex:
      type: object
      description: Configuration for a single Datadog log index
      required:
        - name
        - filter
      properties:
        name:
          type: string
          description: The name of the log index
          example: Example Monitor
        filter:
          $ref: '#/components/schemas/LogsFilter'
        exclusion_filters:
          type: array
          description: List of exclusion filters that drop matching logs before indexing
          items:
            $ref: '#/components/schemas/LogsExclusion'
        num_retention_days:
          type: integer
          description: The number of days to retain logs in this index
          example: 42
        daily_limit:
          type: integer
          format: int64
          description: The maximum number of logs per day before the index is disabled
          example: 42
        is_rate_limited:
          type: boolean
          description: Whether the index has exceeded its daily limit and is currently rate limited
          example: true
    LogsFilter:
      type: object
      description: A filter query that determines which logs are matched by an index or exclusion
      required:
        - query
      properties:
        query:
          type: string
          description: A Datadog log search query that selects which logs match this filter
          example: service:web status:error
    LogsExclusion:
      type: object
      description: An exclusion filter that drops matching logs from an index
      required:
        - name
        - filter
      properties:
        name:
          type: string
          description: The name of the exclusion filter for identification
          example: Example Monitor
        is_enabled:
          type: boolean
          description: Whether this exclusion filter is currently active
          example: true
        filter:
          type: object
          description: The exclusion filter configuration
          properties:
            query:
              type: string
              description: Log search query for logs to exclude from the index
            sample_rate:
              type: number
              format: double
              minimum: 0
              maximum: 1
              description: The fraction (0 to 1) of logs matching the filter to exclude
    LogsIndexesResponse:
      type: object
      description: Response containing the list of configured log indexes
      properties:
        indexes:
          type: array
          description: List of log index configurations for the organization
          items:
            $ref: '#/components/schemas/LogsIndex'
    APIErrorResponse:
      type: object
      description: Standard API error response returned for failed requests
      required:
        - errors
      properties:
        errors:
          type: array
          description: List of error messages describing the failure
          items:
            type: string