
Dd Logs
Search and triage production logs in Datadog with token-efficient `pup` commands, archives awareness, and cost-conscious query patterns.
Overview
dd-logs is an agent skill for the Operate phase that searches, processes, and archives Datadog logs via Pup with cost-aware, context-first command ordering.
Install
`npx skills add https://github.com/datadog-labs/agent-skills --skill dd-logs`
What is this skill?
- Token-efficient command order: check context → discovery → confirm with user → target command
- `pup logs search` with status, service, attribute, numeric range, boolean, and wildcard `@message` syntax
- Quick start via `pup auth login` after Pup CLI install (see repo Setup Pup)
- Scoped to Datadog log YAML/globs metadata; version 1.0.1 from datadog-labs/agent-skills
- Cost-aware framing: search, process, and archive logs without speculative failing commands
- Documented 6-row search syntax reference table
- 5-step token-efficient command execution order
Adoption & trust: 855 installs on skills.sh; 127 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You see errors in prod but waste agent tokens and Datadog spend running vague or out-of-order log commands without the right query scope.
Who is it for?
Solo builders already on Datadog who need guided log search, filter composition, and CLI workflows during incidents or cost reviews.
Skip if: Greenfield projects with no Datadog account, or teams that want generic grep-only local debugging without Pup auth.
When should I use this skill?
User needs Datadog log search, archives, metrics context, or cost-aware log operations; globs match `**/datadog*.yaml` and `**/*log*`.
What do I get? / Deliverables
You run confirmed `pup logs search` queries with correct syntax and limits, grounded in prior context instead of speculative failures.
- Executed log search results (table or JSON)
- Interpreted query filters for the incident or audit
Journey fit
Log investigation is a core Operate activity once a solo builder ships; Datadog Logs belongs on monitoring because it is the daily lens on live service behavior. Monitoring subphase covers observability queries; this skill encodes search syntax, scoped discovery order, and archive-related operations from the Datadog Labs agent-skills pack.
How it compares
Skill package for Datadog log DSL and Pup workflows—not an MCP server and not a log shipper installer.
Common Questions / FAQ
Who is dd-logs for?
Indie developers and small teams operating Datadog-instrumented services who want the agent to follow Datadog Labs' Pup log patterns.
When should I use dd-logs?
In Operate monitoring when triaging `status:error` logs, filtering `@http.status_code:>=500`, or scoping `service:api AND env:prod` over the last hour—also during Ship when validating a release via log deltas.
Is dd-logs safe to install?
It instructs authenticated Pup commands against your Datadog org; review the Security Audits panel on this page and never paste API keys into chat.
SKILL.md
# Datadog Logs

Search, process, and archive logs with cost awareness.

## Prerequisites

Datadog Pup should already be installed. See [Setup Pup](https://github.com/datadog-labs/agent-skills/tree/main?tab=readme-ov-file#setup-pup) if not.

## Command Execution Order (Token-Efficient)

For scoped commands, use this order:

1. Check context first (prior outputs, conversation, saved values).
2. If a required value is missing, run a discovery command first.
3. If still ambiguous, ask the user to confirm.
4. Then run the target command.
5. Avoid speculative commands likely to fail.

## Quick Start

```bash
pup auth login
```

## Search Logs

```bash
# Basic search
pup logs search --query="status:error" --from="1h"

# With filters
pup logs search --query="service:api status:error" --from="1h" --limit 100

# JSON output
pup logs search --query="@http.status_code:>=500" --from="1h"
```

### Search Syntax

| Query | Meaning |
|-------|---------|
| `error` | Full-text search |
| `status:error` | Tag equals |
| `@http.status_code:500` | Attribute equals |
| `@http.status_code:>=400` | Numeric range |
| `service:api AND env:prod` | Boolean |
| `@message:*timeout*` | Wildcard |

## Configuration APIs

Available log configuration commands in pup 0.42.0:

```bash
# List log archives
pup logs archives list

# List log restriction queries
pup logs restriction-queries list

# List custom log destinations
pup logs custom-destinations list
```

### Common Processors

```json
{
  "name": "API Logs",
  "filter": {"query": "service:api"},
  "processors": [
    {
      "type": "grok-parser",
      "name": "Parse nginx",
      "source": "message",
      "grok": {"match_rules": "%{IPORHOST:client_ip} %{DATA:method} %{DATA:path} %{NUMBER:status}"}
    },
    {
      "type": "status-remapper",
      "name": "Set severity",
      "sources": ["level", "severity"]
    },
    {
      "type": "attribute-remapper",
      "name": "Remap user_id",
      "sources": ["user_id"],
      "target": "usr.id"
    }
  ]
}
```

## Exclusion Filters (Cost Control)

**Index only what matters:**

```json
{
  "name": "Drop debug logs",
  "filter": {"query": "status:debug"},
  "is_enabled": true
}
```

### High-Volume Exclusions

```bash
# Find noisiest log sources
pup logs search --query="*" --from="1h" | jq 'group_by(.service) | map({service: .[0].service, count: length}) | sort_by(-.count)[:10]'
```

| Exclude | Query |
|---------|-------|
| Health checks | `@http.url:"/health" OR @http.url:"/ready"` |
| Debug logs | `status:debug` |
| Static assets | `@http.url:*.css OR @http.url:*.js` |
| Heartbeats | `@message:*heartbeat*` |

## Archives

Store logs cheaply for compliance:

```bash
# List archives
pup logs archives list
```

Archive config (S3 example):

```json
{
  "name": "compliance-archive",
  "query": "*",
  "destination": {
    "type": "s3",
    "bucket": "my-logs-archive",
    "path": "/datadog"
  },
  "rehydration_tags": ["team:platform"]
}
```

### Rehydrate (Restore)

```bash
# No `pup logs rehydrate` command in pup 0.42.0.
# Use Datadog UI/API for rehydration workflows.
```

## Log-Based Metrics

Create metrics from logs (cheaper than indexing):

```bash
# List log-based metrics
pup logs metrics list

# Get one metric by ID
pup logs metrics get api.errors.count
```

**Cardinality warning:** Group by bounded values only.

## Sensitive Data

### Scrubbing Rules

```json
{
  "type": "hash-remapper",
  "name": "Hash emails",
  "sources": ["email", "@user.email"]
}
```

### Never Log

```python
# In your app - sanitize before sending
import re

def sanitize_log(message: str) -> str:
    # Remove credit cards
    message = re.sub(r'\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{
```
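
An application-side scrubber for the "Never Log" guidance above, as an added example that is not part of the original SKILL.md or the Datadog project's code. It goes beyond a plain digit pattern by redacting only Luhn-valid card numbers and by replacing e-mail addresses with a keyed digest; `scrub_message`, `HASH_KEY`, the token formats and the sample line are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Placeholder key (constructed); in practice load it from a secret store.
HASH_KEY = b"constructed-demo-key"

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group())
    # Redact only Luhn-valid numbers so order IDs stay searchable.
    return "[REDACTED_CARD]" if luhn_valid(digits) else match.group()


def hash_email(match: re.Match) -> str:
    # Keyed digest: stable per address for correlation, not reversible by
    # hashing a list of known addresses without the key.
    mac = hmac.new(HASH_KEY, match.group().lower().encode(), hashlib.sha256)
    return "email:" + mac.hexdigest()[:16]


def scrub_message(message: str) -> str:
    """Mask card numbers and hash e-mail addresses before the line is logged."""
    return EMAIL_RE.sub(hash_email, CARD_RE.sub(mask_card, message))


# Constructed sample line, not real data.
SAMPLE = ("payment failed card=4111-1111-1111-1111 "
          "user=alice@example.com order=1234567890123456")

if __name__ == "__main__":
    print(scrub_message(SAMPLE))
```

Scrubbing in the application keeps the raw values out of indexes and archives alike, which a pipeline-side remapper alone does not guarantee for anything captured before it runs.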