From 66aa054a1b6e4f567bed7c5bf94f8087c3b91534 Mon Sep 17 00:00:00 2001
From: Esther Kim
Date: Fri, 28 Mar 2025 17:55:45 -0400
Subject: [PATCH 01/10] Add new getting started for search docs
---
 config/_default/menus/main.en.yaml | 4 +-
 content/en/getting_started/search/_index.md | 99 +++++++
 .../search/advanced_techniques.md | 214 +++++++++++++++
 .../getting_started/search/core_concepts.md | 178 +++++++++++++
 .../search/feature_specific.md | 244 ++++++++++++++++++
 5 files changed, 737 insertions(+), 2 deletions(-)
 create mode 100644 content/en/getting_started/search/_index.md
 create mode 100644 content/en/getting_started/search/advanced_techniques.md
 create mode 100644 content/en/getting_started/search/core_concepts.md
 create mode 100644 content/en/getting_started/search/feature_specific.md
diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index b67963e773322..59d76e7032a44 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -259,12 +259,12 @@ menu:
 identifier: unified_service_tagging
 url: getting_started/tagging/unified_service_tagging
 parent: tagging_
- weight: 2702
+ weight: 2602
 - name: Using Tags
 identifier: using_tags
 url: getting_started/tagging/using_tags
 parent: tagging_
- weight: 2803
+ weight: 2603
 - name: Workflow Automation
 identifier: getting_started_workflow_automation
 url: getting_started/workflow_automation/
diff --git a/content/en/getting_started/search/_index.md b/content/en/getting_started/search/_index.md
new file mode 100644
index 0000000000000..4aa2cbde56743
--- /dev/null
+++ b/content/en/getting_started/search/_index.md
@@ -0,0 +1,99 @@
+---
+title: Getting Started with Search in Datadog
+description: Learn the fundamentals of searching and filtering across Datadog products
+further_reading:
+ - link: "/getting_started/search/core_concepts"
+ tag: "Documentation"
+ text: "Core Search Concepts"
+ - link: "/getting_started/search/advanced_techniques"
+ tag: "Documentation"
+ text: "Advanced Search Techniques"
+ - link: "/getting_started/search/feature_specific"
+ tag: "Documentation"
+ text: "Feature-Specific Search Guide"
+---
+
+## Overview
+
+Datadog provides powerful search capabilities across its products and features. This guide introduces you to the fundamental concepts of searching in Datadog and helps you navigate to more detailed, feature-specific documentation.
+
+## Common Search Patterns
+
+Across Datadog, you'll encounter these common search patterns:
+
+1. **Simple text search**: Find items containing specific text
+2. **Tag-based filtering**: Filter by metadata using key:value pairs
+3. **Resource filtering**: Target specific resources or metrics
+4. **Boolean logic**: Combine multiple conditions
+5. **Wildcard matching**: Use pattern matching for flexible searches
+
+## Core Search Components
+
+### Boolean Operators
+
+Use these operators to combine or exclude search terms:
+
+| Operator | Description | Example |
+|----------|-------------|---------|
+| `AND` | Both conditions must be true | `service:web AND env:prod` |
+| `OR` | Either condition can be true | `status:error OR status:warning` |
+| `NOT` | Exclude matches | `service:web NOT env:dev` |
+
+### Tag-Based Filtering
+
+Tags are key:value pairs that help you filter and group data:
+
+```text
+service:payment-api
+env:production
+team:backend
+```
+
+### Wildcard Filtering
+
+Use wildcards for flexible matching:
+
+* `*` matches multiple characters: `service:web-*`
+* `?` matches a single character: `host:web-server-?`
+
+## Feature-Specific Search
+
+Different Datadog features offer specialized search capabilities:
+
+{{< tabs >}}
+{{% tab "Logs" %}}
+* Full-text search
+* Structured data queries
+* Pattern detection
+[Learn more about Log Search →](/logs/explorer/search)
+{{% /tab %}}
+{{% tab "APM" %}}
+* Trace filtering
+* Span queries
+* Service maps
+[Learn more about APM Search →](/tracing/trace_explorer/search)
+{{% /tab %}}
+{{% tab "Metrics" %}}
+* Metric queries
+* Tag-based filtering
+* Advanced aggregations
+[Learn more about Metrics Filtering →](/metrics/advanced-filtering)
+{{% /tab %}}
+{{< /tabs >}}
+
+## Getting Started
+
+1. **Start Simple**: Begin with basic text searches and single tag filters
+2. **Add Tags**: Use tags to filter your results more precisely
+3. **Combine Filters**: Use boolean operators to create more specific searches
+4. **Explore Features**: Learn about feature-specific search capabilities
+
+## Next Steps
+
+* Learn more about [Core Search Concepts](/getting_started/search/core_concepts)
+* Explore [Advanced Search Techniques](/getting_started/search/advanced_techniques)
+* Dive into [Feature-Specific Search](/getting_started/search/feature_specific)
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
\ No newline at end of file
diff --git a/content/en/getting_started/search/advanced_techniques.md b/content/en/getting_started/search/advanced_techniques.md
new file mode 100644
index 0000000000000..91dd9d3a8df25
--- /dev/null
+++ b/content/en/getting_started/search/advanced_techniques.md
@@ -0,0 +1,214 @@
+---
+title: Advanced Search Techniques
+description: Learn advanced techniques for searching and filtering in Datadog
+further_reading:
+ - link: "/getting_started/search/core_concepts"
+ tag: "Documentation"
+ text: "Core Search Concepts"
+ - link: "/getting_started/search/feature_specific"
+ tag: "Documentation"
+ text: "Feature-Specific Search Guide"
+---
+
+## Overview
+
+This guide covers advanced search techniques in Datadog, building on the fundamentals covered in [Core Search Concepts](/getting_started/search/core_concepts).
+
+## Complex Query Patterns
+
+### Nested Boolean Logic
+
+Combine multiple conditions with parentheses for complex filtering:
+```text
+(service:api AND (@http.status_code:>=500 OR @error.type:timeout))
+AND env:production
+NOT team:deprecated
+```
+
+### Range Queries
+
+Use ranges for numeric and time-based searches:
+```text
+# Numeric ranges
+@duration:[100 TO 1000]
+@http.status_code:[400 TO 499]
+
+# Time ranges
+@timestamp:[2023-01-01 TO 2023-01-31]
+@last_modified:[now-1h TO now]
+```
+
+## Advanced Filtering Techniques
+
+### Faceted Search
+
+Use facets to filter on specific attributes:
+```text
+# Filter by multiple facet values
+@facet_name:(value1 OR value2)
+
+# Exclude facet values
+@facet_name NOT (value1 OR value2)
+```
+
+### Pattern Matching
+
+Advanced wildcard and pattern usage:
+```text
+# Multiple wildcards
+service:*-api-*
+
+# Prefix matching
+@error.stack:Exception*
+
+# Suffix matching
+@http.url:*.pdf
+```
+
+## Resource-Based Filtering
+
+### Service Topology
+
+Filter based on service relationships:
+```text
+# Find traces where service A calls service B
+service:service-a AND @span.child_of.service:service-b
+
+# Find all downstream services
+@span.child_of.service:parent-service
+```
+
+### Infrastructure Filtering
+
+Target specific infrastructure components:
+```text
+# Container-based filtering
+container_name:web-* AND @docker.image:nginx
+
+# Kubernetes filtering
+kube_namespace:production AND kube_deployment:frontend
+```
+
+## Advanced Tag Usage
+
+### Tag Aggregation
+
+Combine multiple tag conditions:
+```text
+# Match all tags
+service:api AND env:prod AND team:backend
+
+# Match any tag
+service:(api OR web) AND env:(staging OR prod)
+```
+
+### Tag Hierarchies
+
+Use tag hierarchies for precise filtering:
+```text
+# Environment hierarchy
+env:prod.us-east.web
+
+# Application hierarchy
+app:ecommerce.payment.processor
+```
+
+## Metric Query Patterns
+
+### Rate and Aggregation
+
+Filter based on metric behavior:
+```text
+# High rate of change
+rate(@metric_name):>100
+
+# Aggregation thresholds
+avg(@metric_name):>1000
+```
+
+### Correlation
+
+Find related metrics:
+```text
+# Correlated metrics
+@metric_name1:>100 AND @metric_name2:<50
+
+# Service correlation
+service:api AND @error_rate:>0.1
+```
+
+## Log Query Patterns
+
+### Full-Text Search
+
+Advanced text matching:
+```text
+# Proximity search
+"error database"~5
+
+# Fuzzy matching
+"authentication"~
+```
+
+### Log Attributes
+
+Complex attribute filtering:
+```text
+# Multiple attribute conditions
+@http.method:POST AND @http.url:*/api/v1/* AND @duration:>1000
+
+# Nested attribute matching
+@user.data.preferences.theme:dark
+```
+
+## APM Query Patterns
+
+### Trace Filtering
+
+Advanced trace search:
+```text
+# Error patterns
+@error.type:TimeoutError AND @http.url:*/api/*
+
+# Performance patterns
+@duration:>100ms AND @span.kind:server
+```
+
+### Service Graphs
+
+Filter service relationships:
+```text
+# Direct dependencies
+@span.parent.service:frontend AND service:backend
+
+# Service chains
+service:gateway AND @span.child_of.service:auth
+```
+
+## Best Practices
+
+### Query Optimization
+
+1. **Use Specific Fields**
+ - Prefer attribute searches over full-text
+ - Use faceted fields when available
+
+2. **Optimize Performance**
+ - Place specific filters first
+ - Avoid leading wildcards
+ - Use time ranges effectively
+
+3. **Structure Queries**
+ - Group related conditions
+ - Use consistent patterns
+ - Document complex queries
+
+## Next Steps
+
+* Explore [Feature-Specific Search](/getting_started/search/feature_specific)
+* Learn about [Log Management](/logs/explorer/search)
+* Understand [APM & Continuous Profiling](/tracing/trace_explorer/search)
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
\ No newline at end of file
diff --git a/content/en/getting_started/search/core_concepts.md b/content/en/getting_started/search/core_concepts.md
new file mode 100644
index 0000000000000..7103b0d0a74d2
--- /dev/null
+++ b/content/en/getting_started/search/core_concepts.md
@@ -0,0 +1,178 @@
+---
+title: Core Search Concepts
+description: Learn the fundamental concepts of searching and filtering in Datadog
+further_reading:
+ - link: "/getting_started/search/advanced_techniques"
+ tag: "Documentation"
+ text: "Advanced Search Techniques"
+ - link: "/getting_started/tagging/using_tags"
+ tag: "Documentation"
+ text: "Using Tags in Datadog"
+---
+
+## Overview
+
+This guide explains the core concepts of searching in Datadog, including basic syntax, operators, and filtering techniques that are common across all Datadog products.
+
+## Basic Search Syntax
+
+### Text Search
+
+The simplest form of search is plain text:
+```text
+error
+timeout
+"database connection"
+```
+
+* Single words match anywhere in searchable fields
+* Use quotes for exact phrase matching
+* Searches are case-insensitive by default
+
+### Attribute Search
+
+Search specific fields using the `@` prefix:
+```text
+@http.status_code:500
+@duration:>100
+@service:payment-api
+```
+
+## Boolean Logic
+
+### Basic Operators
+
+| Operator | Usage | Example |
+|----------|-------|---------|
+| `AND` | Both conditions must be true | `error AND timeout` |
+| `OR` | Either condition can be true | `error OR warning` |
+| `NOT` | Exclude matches | `error NOT timeout` |
+
+### Operator Precedence
+
+1. `NOT`
+2. `AND`
+3. `OR`
+
+Use parentheses to control precedence:
+```text
+(error OR warning) AND service:api
+```
+
+## Tag Filtering
+
+### Tag Structure
+
+Tags follow a `key:value` format:
+```text
+env:production
+service:web
+team:backend
+```
+
+### Multiple Values
+
+Filter for multiple values using parentheses:
+```text
+service:(web-server OR api-server)
+env:(staging OR production)
+```
+
+### Exclusion
+
+Exclude specific tags using `NOT`:
+```text
+service:web NOT env:dev
+```
+
+## Wildcard Patterns
+
+### Available Wildcards
+
+* `*` - Match zero or more characters
+* `?` - Match exactly one character
+
+### Common Uses
+
+```text
+# Match all production services
+service:prod-*
+
+# Match specific version numbers
+version:2.?
+
+# Match multiple subdomains
+host:*.example.com
+```
+
+### Best Practices
+
+* Place wildcards at the end of terms when possible
+* Avoid leading wildcards when you can be more specific
+* Use specific prefixes to improve search performance
+
+## Numeric Comparisons
+
+### Available Operators
+
+* `>` Greater than
+* `>=` Greater than or equal
+* `<` Less than
+* `<=` Less than or equal
+
+### Examples
+
+```text
+@duration:>100
+@http.status_code:>=500
+@retry_count:<3
+```
+
+## Time-Based Search
+
+### Time Operators
+
+* `>` After
+* `>=` At or after
+* `<` Before
+* `<=` At or before
+
+### Examples
+
+```text
+@timestamp:>2023-01-01
+@last_seen:<1h
+```
+
+## Common Patterns
+
+### Combining Multiple Conditions
+
+```text
+# Find production errors
+service:payment AND status:error AND env:production
+
+# Find specific HTTP status codes
+@http.method:POST AND @http.status_code:[500 TO 599]
+```
+
+### Resource Filtering
+
+```text
+# Filter by specific resources
+resource_name:"/api/v1/users"
+container_name:web-*
+
+# Combine with status
+resource_name:"/api/v1/users" AND @http.status_code:429
+```
+
+## Next Steps
+
+* Explore [Advanced Search Techniques](/getting_started/search/advanced_techniques)
+* Learn about [Feature-Specific Search](/getting_started/search/feature_specific)
+* Understand [Tag Best Practices](/getting_started/tagging/using_tags)
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
\ No newline at end of file
diff --git a/content/en/getting_started/search/feature_specific.md b/content/en/getting_started/search/feature_specific.md
new file mode 100644
index 0000000000000..47c61c8dd16fd
--- /dev/null
+++ b/content/en/getting_started/search/feature_specific.md
@@ -0,0 +1,244 @@
+---
+title: Feature-Specific Search Guide
+description: Learn about search capabilities across different Datadog products
+further_reading:
+ - link: "/getting_started/search/core_concepts"
+ tag: "Documentation"
+ text: "Core Search Concepts"
+ - link: "/getting_started/search/advanced_techniques"
+ tag: "Documentation"
+ text: "Advanced Search Techniques"
+---
+
+## Overview
+
+While Datadog maintains consistent search patterns across its platform, each product has unique search capabilities tailored to its specific use case. This guide helps you navigate these feature-specific search capabilities.
+
+{{% collapse-content title="Logs Management" level="h4" %}}
+
+[Detailed Log Search Documentation →](/logs/explorer/search)
+
+### Key Capabilities
+* Full-text search across log messages
+* Structured data queries
+* Pattern detection
+* Advanced facet filtering
+
+### Unique Syntax
+```text
+# Message content search
+message:"connection timeout"
+
+# Attribute search
+@http.status_code:[500 TO 599]
+
+# Pattern search
+@message:%{date} ERROR %{word:component} failed
+```
+{{% /collapse-content %}}
+
+{{% collapse-content title="APM & Continuous Profiling" level="h4" %}}
+
+[Detailed APM Search Documentation →](/tracing/trace_explorer/search)
+
+### Key Capabilities
+* Trace filtering
+* Span queries
+* Service topology search
+* Resource filtering
+
+### Unique Syntax
+```text
+# Trace queries
+service:payment-api AND @http.status_code:500
+
+# Service topology
+@span.parent.service:frontend AND service:backend
+
+# Resource patterns
+resource_name:"/api/v1/*" AND @http.method:POST
+```
+{{% /collapse-content %}}
+
+{{% collapse-content title="Infrastructure Monitoring" level="h4" %}}
+
+[Detailed Infrastructure Search Documentation →](/infrastructure/search)
+
+### Key Capabilities
+* Host filtering
+* Container search
+* Cloud provider resource filtering
+* Integration-specific search
+
+### Unique Syntax
+```text
+# Host queries
+host:prod-* AND platform:linux
+
+# Container filtering
+container_name:web-* AND docker.image:nginx
+
+# Cloud resources
+cloud.provider:aws AND cloud.instance.type:t2.micro
+```
+{{% /collapse-content %}}
+
+{{% collapse-content title="Metrics" level="h4" %}}
+
+[Detailed Metrics Filtering Documentation →](/metrics/advanced-filtering)
+
+### Key Capabilities
+* Metric name filtering
+* Tag-based aggregation
+* Rate and threshold queries
+* Correlation searches
+
+### Unique Syntax
+```text
+# Metric filtering
+metric.name:system.cpu.idle AND host:prod-*
+
+# Tag aggregation
+avg:system.cpu.user{service:web} by {host}
+
+# Rate queries
+rate(metric.name):>100
+```
+{{% /collapse-content %}}
+
+{{% collapse-content title="Security Monitoring" level="h4" %}}
+
+[Detailed Security Search Documentation →](/security_monitoring/search)
+
+### Key Capabilities
+* Security signal search
+* Threat detection queries
+* Compliance filtering
+* CSPM rules search
+
+### Unique Syntax
+```text
+# Security signals
+security:attack AND severity:high
+
+# Compliance status
+compliance.status:failed AND framework:pci
+
+# Threat detection
+threat.source:ip AND threat.level:critical
+```
+{{% /collapse-content %}}
+
+{{% collapse-content title="Synthetic Monitoring" level="h4" %}}
+
+[Detailed Synthetics Search Documentation →](/synthetics/search)
+
+### Key Capabilities
+* Test result filtering
+* Location-based search
+* Browser test search
+* API test filtering
+
+### Unique Syntax
+```text
+# Test results
+test.type:browser AND status:failed
+
+# Location filtering
+location:aws:us-east-1 AND @dns.response_time:>1s
+
+# Browser tests
+@browser.error:* AND device:chrome
+```
+{{% /collapse-content %}}
+
+{{% collapse-content title="Real User Monitoring (RUM)" level="h4" %}}
+
+[Detailed RUM Search Documentation →](/real_user_monitoring/explorer/search)
+
+### Key Capabilities
+* User session search
+* Performance metrics filtering
+* Error tracking
+* User journey analysis
+
+### Unique Syntax
+```text
+# Session queries
+@session.type:user AND @performance.score:<0.5
+
+# Error tracking
+@error.source:js AND @error.type:TypeError
+
+# User journey
+@user.journey.step:checkout AND @performance.loading_time:>3s
+```
+{{% /collapse-content %}}
+
+{{% collapse-content title="CI Visibility" level="h4" %}}
+
+[Detailed CI Search Documentation →](/continuous_integration/explorer/search)
+
+### Key Capabilities
+* Pipeline filtering
+* Test result search
+* Git metadata search
+* Coverage metrics filtering
+
+### Unique Syntax
+```text
+# Pipeline queries
+@ci.pipeline.name:deploy AND @ci.status:failed
+
+# Test results
+@test.suite:integration AND @test.status:failed
+
+# Git metadata
+@git.branch:main AND @git.author.email:*@company.com
+```
+{{% /collapse-content %}}
+
+{{% collapse-content title="Monitor Management" level="h4" %}}
+
+[Detailed Monitor Search Documentation →](/monitors/manage/search)
+
+### Key Capabilities
+* Monitor status filtering
+* Alert condition search
+* Notification routing
+* SLO tracking
+
+### Unique Syntax
+```text
+# Monitor status
+status:Alert AND type:metric
+
+# Alert conditions
+query:"avg(last_5m):avg:system.cpu.user{*} > 80"
+
+# Notification
+notification:@slack-alerts AND priority:P1
+```
+{{% /collapse-content %}}
+
+## Best Practices
+
+### Choose the Right Search Context
+* Use feature-specific search when focusing on a single product
+* Combine searches across features for complex investigations
+* Leverage common patterns while respecting feature-specific syntax
+
+### Optimize Your Searches
+* Start with feature-specific facets
+* Use appropriate time ranges
+* Combine with global search patterns when needed
+
+## Next Steps
+
+* Review [Core Search Concepts](/getting_started/search/core_concepts)
+* Learn [Advanced Search Techniques](/getting_started/search/advanced_techniques)
+* Explore specific product documentation linked throughout this guide
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
From b5267622f5315e2e5bcf9727ad3ae491cf4799f7 Mon Sep 17 00:00:00 2001
From: Esther Kim
Date: Thu, 9 Oct 2025 09:39:03 -0400
Subject: [PATCH 02/10] Edit the landing page
---
 content/en/getting_started/search/_index.md | 85 ++----
 .../en/getting_started/search/fundamentals.md | 178 +++++++++++++
 .../search/product_specific_reference.md | 244 ++++++++++++++++++
 3 files changed, 444 insertions(+), 63 deletions(-)
 create mode 100644 content/en/getting_started/search/fundamentals.md
 create mode 100644 content/en/getting_started/search/product_specific_reference.md
diff --git a/content/en/getting_started/search/_index.md b/content/en/getting_started/search/_index.md
index 4aa2cbde56743..3641acd82c6b9 100644
--- a/content/en/getting_started/search/_index.md
+++ b/content/en/getting_started/search/_index.md
@@ -15,85 +15,44 @@ further_reading: ## Overview -Datadog provides powerful search capabilities across its products and features. This guide introduces you to the fundamental concepts of searching in Datadog and helps you navigate to more detailed, feature-specific documentation. +Datadog provides powerful and flexible search capabilities across its products and features. This guide introduces the core concepts of search syntax in Datadog, helping you understand how to construct effective queries across Logs, Metrics, APM, and more. -## Common Search Patterns +You'll learn about shared search semantics, product-specific syntax, and advanced techniques that enhance your querying experience. Each section also includes examples and links to detailed documentation for further reference. -Across Datadog, you'll encounter these common search patterns: +## Understanding Datadog search -1. **Simple text search**: Find items containing specific text -2. **Tag-based filtering**: Filter by metadata using key:value pairs -3. **Resource filtering**: Target specific resources or metrics -4. **Boolean logic**: Combine multiple conditions -5. **Wildcard matching**: Use pattern matching for flexible searches +Datadog provides a unified way to query data across products using text-based search syntax. All data in Datadog can be explored and filtered through queries, but the syntax and behavior differ depending on the type of data you're working with. There are two primary query formats in Datadog: +- **Metric-based queries**: used in Metrics and Cloud Cost Management (CCM). +- **Event-based queries**: used across most other products, including Logs, APM, RUM, Events, and Security. -## Core Search Components +Although both query types let you filter and analyze data, their syntax is not interchangeable. Each follows its own structure, operators, and supported functions designed for the type of data it handles. 
-### Boolean Operators +### Metric-Based Queries -Use these operators to combine or exclude search terms: +Metric-based queries are designed to retrieve and analyze numerical time series data. They rely on tags and attributes to filter metrics and often combine functions and arithmetic operations to calculate and visualize trends over time (for example, average latency, error rate, or cost over time). -| Operator | Description | Example | -|----------|-------------|---------| -| `AND` | Both conditions must be true | `service:web AND env:prod` | -| `OR` | Either condition can be true | `status:error OR status:warning` | -| `NOT` | Exclude matches | `service:web NOT env:dev` | +### Event-Based Queries -### Tag-Based Filtering +Event-based queries are used in most Datadog products to explore individual records such as log entries, traces, or browser events. These queries typically support full-text search, faceted filtering, and boolean logic to help users find, group, and analyze relevant events. -Tags are key:value pairs that help you filter and group data: +Compared to metric queries, event-based searches focus on discovering and filtering individual records rather than aggregating numerical values. They form the foundation for exploratory analysis—helping you identify patterns, troubleshoot issues, and drill into specific data before moving to metrics or dashboards for long-term trends. -```text -service:payment-api -env:production -team:backend -``` -### Wildcard Filtering +## Search fundamentals -Use wildcards for flexible matching: +Search Fundamentals introduces the common building blocks of Datadog search. It covers how to construct basic queries, use boolean operators, filter by tags and attributes, and understand how search fields work across products. Mastering these fundamentals helps you adapt quickly to product-specific syntax and avoid common query issues. 
-* `*` matches multiple characters: `service:web-*` -* `?` matches a single character: `host:web-server-?` +Learn more in [Search Fundamentals][1]. -## Feature-Specific Search +## Product-specific syntax -Different Datadog features offer specialized search capabilities: +Each Datadog product provides its own search syntax, tailored to the type of data it handles. The Product-Specific Search reference highlights the key capabilities and unique operators available in each product, such as log search facets, APM trace filters, or metric aggregation functions. These references help you understand where syntax differs across Datadog products. -{{< tabs >}} -{{% tab "Logs" %}} -* Full-text search -* Structured data queries -* Pattern detection -[Learn more about Log Search →](/logs/explorer/search) -{{% /tab %}} -{{% tab "APM" %}} -* Trace filtering -* Span queries -* Service maps -[Learn more about APM Search →](/tracing/trace_explorer/search) -{{% /tab %}} -{{% tab "Metrics" %}} -* Metric queries -* Tag-based filtering -* Advanced aggregations -[Learn more about Metrics Filtering →](/metrics/advanced-filtering) -{{% /tab %}} -{{< /tabs >}} - -## Getting Started - -1. **Start Simple**: Begin with basic text searches and single tag filters -2. **Add Tags**: Use tags to filter your results more precisely -3. **Combine Filters**: Use boolean operators to create more specific searches -4. **Explore Features**: Learn about feature-specific search capabilities - -## Next Steps - -* Learn more about [Core Search Concepts](/getting_started/search/core_concepts) -* Explore [Advanced Search Techniques](/getting_started/search/advanced_techniques) -* Dive into [Feature-Specific Search](/getting_started/search/feature_specific) +See the index of [Product-Specific Search][2]. 
## Further Reading -{{< partial name="whats-next/whats-next.html" >}} \ No newline at end of file +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /getting_started/search/fundamentals +[2]: /getting_started/search/product_specific_reference \ No newline at end of file diff --git a/content/en/getting_started/search/fundamentals.md b/content/en/getting_started/search/fundamentals.md new file mode 100644 index 0000000000000..7103b0d0a74d2 --- /dev/null +++ b/content/en/getting_started/search/fundamentals.md 
@@ -0,0 +1,178 @@
+---
+title: Core Search Concepts
+description: Learn the fundamental concepts of searching and filtering in Datadog
+further_reading:
+ - link: "/getting_started/search/advanced_techniques"
+ tag: "Documentation"
+ text: "Advanced Search Techniques"
+ - link: "/getting_started/tagging/using_tags"
+ tag: "Documentation"
+ text: "Using Tags in Datadog"
+---
+
+## Overview
+
+This guide explains the core concepts of searching in Datadog, including basic syntax, operators, and filtering techniques that are common across all Datadog products.
+
+## Basic Search Syntax
+
+### Text Search
+
+The simplest form of search is plain text:
+```text
+error
+timeout
+"database connection"
+```
+
+* Single words match anywhere in searchable fields
+* Use quotes for exact phrase matching
+* Searches are case-insensitive by default
+
+### Attribute Search
+
+Search specific fields using the `@` prefix:
+```text
+@http.status_code:500
+@duration:>100
+@service:payment-api
+```
+
+## Boolean Logic
+
+### Basic Operators
+
+| Operator | Usage | Example |
+|----------|-------|---------|
+| `AND` | Both conditions must be true | `error AND timeout` |
+| `OR` | Either condition can be true | `error OR warning` |
+| `NOT` | Exclude matches | `error NOT timeout` |
+
+### Operator Precedence
+
+1. `NOT`
+2. `AND`
+3. `OR`
+
+Use parentheses to control precedence:
+```text
+(error OR warning) AND service:api
+```
+
+## Tag Filtering
+
+### Tag Structure
+
+Tags follow a `key:value` format:
+```text
+env:production
+service:web
+team:backend
+```
+
+### Multiple Values
+
+Filter for multiple values using parentheses:
+```text
+service:(web-server OR api-server)
+env:(staging OR production)
+```
+
+### Exclusion
+
+Exclude specific tags using `NOT`:
+```text
+service:web NOT env:dev
+```
+
+## Wildcard Patterns
+
+### Available Wildcards
+
+* `*` - Match zero or more characters
+* `?` - Match exactly one character
+
+### Common Uses
+
+```text
+# Match all production services
+service:prod-*
+
+# Match specific version numbers
+version:2.?
+
+# Match multiple subdomains
+host:*.example.com
+```
+
+### Best Practices
+
+* Place wildcards at the end of terms when possible
+* Avoid leading wildcards when you can be more specific
+* Use specific prefixes to improve search performance
+
+## Numeric Comparisons
+
+### Available Operators
+
+* `>` Greater than
+* `>=` Greater than or equal
+* `<` Less than
+* `<=` Less than or equal
+
+### Examples
+
+```text
+@duration:>100
+@http.status_code:>=500
+@retry_count:<3
+```
+
+## Time-Based Search
+
+### Time Operators
+
+* `>` After
+* `>=` At or after
+* `<` Before
+* `<=` At or before
+
+### Examples
+
+```text
+@timestamp:>2023-01-01
+@last_seen:<1h
+```
+
+## Common Patterns
+
+### Combining Multiple Conditions
+
+```text
+# Find production errors
+service:payment AND status:error AND env:production
+
+# Find specific HTTP status codes
+@http.method:POST AND @http.status_code:[500 TO 599]
+```
+
+### Resource Filtering
+
+```text
+# Filter by specific resources
+resource_name:"/api/v1/users"
+container_name:web-*
+
+# Combine with status
+resource_name:"/api/v1/users" AND @http.status_code:429
+```
+
+## Next Steps
+
+* Explore [Advanced Search Techniques](/getting_started/search/advanced_techniques)
+* Learn about [Feature-Specific Search](/getting_started/search/feature_specific)
+* Understand [Tag Best Practices](/getting_started/tagging/using_tags)
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
\ No newline at end of file
diff --git a/content/en/getting_started/search/product_specific_reference.md b/content/en/getting_started/search/product_specific_reference.md
new file mode 100644
index 0000000000000..5a3c88e3814dd
--- /dev/null
+++ b/content/en/getting_started/search/product_specific_reference.md
@@ -0,0 +1,244 @@ +--- +title: Product-specific search +description: Learn about search capabilities across different Datadog products +further_reading: + - link: "/getting_started/search/core_concepts" + tag: "Documentation" + text: "Core Search Concepts" + - link: "/getting_started/search/advanced_techniques" + tag: "Documentation" + text: "Advanced Search Techniques" +--- + +## Overview + +Each product offers unique search capabilities optimized for its use case. Use this guide to explore those capabilities and access related reference materials. + +{{% collapse-content title="Logs Management" level="h4" %}} + +[Detailed Log Search Documentation →](/logs/explorer/search) + +### Key Capabilities +* Full-text search across log messages +* Structured data queries +* Pattern detection +* Advanced facet filtering + +### Unique Syntax +```text +# Message content search +message:"connection timeout" + +# Attribute search +@http.status_code:[500 TO 599] + +# Pattern search +@message:%{date} ERROR %{word:component} failed +``` +{{% /collapse-content %}} + +{{% collapse-content title="APM & Continuous Profiling" level="h4" %}} + +[Detailed APM Search Documentation →](/tracing/trace_explorer/search) + +### Key Capabilities +* Trace filtering +* Span queries +* Service topology search +* Resource filtering + +### Unique Syntax +```text +# Trace queries +service:payment-api AND @http.status_code:500 + +# Service topology +@span.parent.service:frontend AND service:backend + +# Resource patterns +resource_name:"/api/v1/*" AND @http.method:POST +``` +{{% /collapse-content %}} + +{{% collapse-content title="Infrastructure Monitoring" level="h4" %}} + +[Detailed Infrastructure Search Documentation →](/infrastructure/search) + +### Key Capabilities +* Host filtering +* Container search +* Cloud provider resource filtering +* Integration-specific search + +### Unique Syntax +```text +# Host queries +host:prod-* AND platform:linux + +# Container filtering +container_name:web-* AND 
docker.image:nginx + +# Cloud resources +cloud.provider:aws AND cloud.instance.type:t2.micro +``` +{{% /collapse-content %}} + +{{% collapse-content title="Metrics" level="h4" %}} + +[Detailed Metrics Filtering Documentation →](/metrics/advanced-filtering) + +### Key Capabilities +* Metric name filtering +* Tag-based aggregation +* Rate and threshold queries +* Correlation searches + +### Unique Syntax +```text +# Metric filtering +metric.name:system.cpu.idle AND host:prod-* + +# Tag aggregation +avg:system.cpu.user{service:web} by {host} + +# Rate queries +rate(metric.name):>100 +``` +{{% /collapse-content %}} + +{{% collapse-content title="Security Monitoring" level="h4" %}} + +[Detailed Security Search Documentation →](/security_monitoring/search) + +### Key Capabilities +* Security signal search +* Threat detection queries +* Compliance filtering +* CSPM rules search + +### Unique Syntax +```text +# Security signals +security:attack AND severity:high + +# Compliance status +compliance.status:failed AND framework:pci + +# Threat detection +threat.source:ip AND threat.level:critical +``` +{{% /collapse-content %}} + +{{% collapse-content title="Synthetic Monitoring" level="h4" %}} + +[Detailed Synthetics Search Documentation →](/synthetics/search) + +### Key Capabilities +* Test result filtering +* Location-based search +* Browser test search +* API test filtering + +### Unique Syntax +```text +# Test results +test.type:browser AND status:failed + +# Location filtering +location:aws:us-east-1 AND @dns.response_time:>1s + +# Browser tests +@browser.error:* AND device:chrome +``` +{{% /collapse-content %}} + +{{% collapse-content title="Real User Monitoring (RUM)" level="h4" %}} + +[Detailed RUM Search Documentation →](/real_user_monitoring/explorer/search) + +### Key Capabilities +* User session search +* Performance metrics filtering +* Error tracking +* User journey analysis + +### Unique Syntax +```text +# Session queries +@session.type:user AND 
@performance.score:<0.5 + +# Error tracking +@error.source:js AND @error.type:TypeError + +# User journey +@user.journey.step:checkout AND @performance.loading_time:>3s +``` +{{% /collapse-content %}} + +{{% collapse-content title="CI Visibility" level="h4" %}} + +[Detailed CI Search Documentation →](/continuous_integration/explorer/search) + +### Key Capabilities +* Pipeline filtering +* Test result search +* Git metadata search +* Coverage metrics filtering + +### Unique Syntax +```text +# Pipeline queries +@ci.pipeline.name:deploy AND @ci.status:failed + +# Test results +@test.suite:integration AND @test.status:failed + +# Git metadata +@git.branch:main AND @git.author.email:*@company.com +``` +{{% /collapse-content %}} + +{{% collapse-content title="Monitor Management" level="h4" %}} + +[Detailed Monitor Search Documentation →](/monitors/manage/search) + +### Key Capabilities +* Monitor status filtering +* Alert condition search +* Notification routing +* SLO tracking + +### Unique Syntax +```text +# Monitor status +status:Alert AND type:metric + +# Alert conditions +query:"avg(last_5m):avg:system.cpu.user{*} > 80" + +# Notification +notification:@slack-alerts AND priority:P1 +``` +{{% /collapse-content %}} + +## Best Practices + +### Choose the Right Search Context +* Use feature-specific search when focusing on a single product +* Combine searches across features for complex investigations +* Leverage common patterns while respecting feature-specific syntax + +### Optimize Your Searches +* Start with feature-specific facets +* Use appropriate time ranges +* Combine with global search patterns when needed + +## Next Steps + +* Review [Core Search Concepts](/getting_started/search/core_concepts) +* Learn [Advanced Search Techniques](/getting_started/search/advanced_techniques) +* Explore specific product documentation linked throughout this guide + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} 
From 334d32b5a2237967d4bb4f3a44b8aeab1d335299 Mon Sep 17 00:00:00 2001
From: Esther Kim
Date: Thu, 9 Oct 2025 14:21:44 -0400
Subject: [PATCH 03/10] Add to left nav
---
config/_default/menus/main.en.yaml | 51 +++++++++++++++++++-----------
1 file changed, 33 insertions(+), 18 deletions(-)
diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 59d76e7032a44..83951969d1202 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -155,96 +155,111 @@ menu: url: getting_started/profiler/ parent: getting_started weight: 17 + - name: Search + identifier: getting_started_search + url: getting_started/search/ + parent: getting_started + weight: 18 + - name: Search Fundamentals + identifier: getting_started_search_fundamentals + url: getting_started/search/fundamentals + parent: getting_started_search + weight: 1801 + - name: Product-Specific Search + identifier: getting_started_search_product_specific + url: getting_started/search/product_specific_reference + parent: getting_started_search + weight: 1802 - name: Session Replay identifier: getting_started_session_replay url: getting_started/session_replay/ parent: getting_started - weight: 18 + weight: 19 - name: Security identifier: getting_started_security url: getting_started/security/ parent: getting_started - weight: 19 + weight: 20 - name: App and API Protection identifier: getting_started_application_security url: getting_started/security/application_security parent: getting_started_security - weight: 1901 + weight: 2001 - name: Cloud Security identifier: getting_started_cloud_security_management url: getting_started/security/cloud_security_management/ parent: getting_started_security - weight: 1902 + weight: 2002 - name: Cloud SIEM identifier: getting_started_cloud_siem url: getting_started/security/cloud_siem/ parent: getting_started_security - weight: 1903 + weight: 2003 - name: Code Security identifier: getting_started_code_security url: getting_started/code_security/ parent: getting_started_security - weight: 1904 + weight: 2004 - name: Serverless for AWS Lambda identifier: getting_started_serverless url: getting_started/serverless/ parent: getting_started - weight: 20 + weight: 21 - name: Software Delivery identifier: getting_started_software_delivery url: getting_started/software_delivery/ parent: getting_started - weight: 21 + weight: 22 - name: CI Visibility identifier: getting_started_ci_visibility url: 
getting_started/ci_visibility/ parent: getting_started_software_delivery - weight: 2101 + weight: 2201 - name: Feature Flags identifier: getting_started_feature_flags url: getting_started/feature_flags/ parent: getting_started_software_delivery - weight: 2102 + weight: 2202 - name: Test Optimization identifier: getting_started_test_optimization url: getting_started/test_optimization/ parent: getting_started_software_delivery - weight: 2103 + weight: 2203 - name: Test Impact Analysis identifier: getting_started_test_impact_analysis url: getting_started/test_impact_analysis/ parent: getting_started_software_delivery - weight: 2104 + weight: 2204 - name: Synthetic Monitoring and Testing identifier: getting_started_synthetics url: getting_started/synthetics/ parent: getting_started - weight: 22 + weight: 23 - name: API Tests identifier: getting_started_api_test url: getting_started/synthetics/api_test parent: getting_started_synthetics - weight: 2201 + weight: 2301 - name: Browser Tests identifier: getting_started_browser_test url: getting_started/synthetics/browser_test parent: getting_started_synthetics - weight: 2202 + weight: 2302 - name: Mobile App Tests identifier: getting_started_mobile_app url: getting_started/synthetics/mobile_app_testing parent: getting_started_synthetics - weight: 2203 + weight: 2303 - name: Continuous Testing identifier: getting_started_continuous_testing url: getting_started/continuous_testing/ parent: getting_started_synthetics - weight: 2204 + weight: 2304 - name: Private Locations identifier: getting_started_private_location url: getting_started/synthetics/private_location parent: getting_started_synthetics - weight: 2205 + weight: 2305 - name: Tags identifier: tagging_ url: getting_started/tagging/ From 936a4b3800d8fdcd212cecd63b69f3a4e23aeffa Mon Sep 17 00:00:00 2001 
From: Esther Kim Date: Thu, 9 Oct 2025 15:45:12 -0400 Subject: [PATCH 04/10] Final edits, add syntax examples --- config/_default/menus/main.en.yaml | 7 +- content/en/getting_started/search/_index.md | 24 +- .../search/advanced_techniques.md | 214 ------------- .../getting_started/search/core_concepts.md | 178 ----------- .../search/feature_specific.md | 244 --------------- .../en/getting_started/search/fundamentals.md | 178 ----------- .../search/product_specific_reference.md | 282 ++++++------------ 7 files changed, 98 insertions(+), 1029 deletions(-) delete mode 100644 content/en/getting_started/search/advanced_techniques.md delete mode 100644 content/en/getting_started/search/core_concepts.md delete mode 100644 content/en/getting_started/search/feature_specific.md delete mode 100644 content/en/getting_started/search/fundamentals.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 83951969d1202..a93a387bedd52 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -160,16 +160,11 @@ menu: url: getting_started/search/ parent: getting_started weight: 18 - - name: Search Fundamentals - identifier: getting_started_search_fundamentals - url: getting_started/search/fundamentals - parent: getting_started_search - weight: 1801 - name: Product-Specific Search identifier: getting_started_search_product_specific url: getting_started/search/product_specific_reference parent: getting_started_search - weight: 1802 + weight: 1801 - name: Session Replay identifier: getting_started_session_replay url: getting_started/session_replay/ diff --git a/content/en/getting_started/search/_index.md b/content/en/getting_started/search/_index.md index 3641acd82c6b9..8a89f34f391a5 100644 --- a/content/en/getting_started/search/_index.md +++ b/content/en/getting_started/search/_index.md 
@@ -2,15 +2,9 @@ title: Getting Started with Search in Datadog description: Learn the fundamentals of searching and filtering across Datadog products further_reading: - - link: "/getting_started/search/core_concepts" - tag: "Documentation" - text: "Core Search Concepts" - - link: "/getting_started/search/advanced_techniques" - tag: "Documentation" - text: "Advanced Search Techniques" - - link: "/getting_started/search/feature_specific" - tag: "Documentation" - text: "Feature-Specific Search Guide" +- link: "/getting_started/search/product_specific_reference" + tag: "Documentation" + text: "Product-Specific Search" --- ## Overview 
@@ -37,22 +31,14 @@ Event-based queries are used in most Datadog products to explore individual reco Compared to metric queries, event-based searches focus on discovering and filtering individual records rather than aggregating numerical values. They form the foundation for exploratory analysis—helping you identify patterns, troubleshoot issues, and drill into specific data before moving to metrics or dashboards for long-term trends. - -## Search fundamentals - -Search Fundamentals introduces the common building blocks of Datadog search. It covers how to construct basic queries, use boolean operators, filter by tags and attributes, and understand how search fields work across products. Mastering these fundamentals helps you adapt quickly to product-specific syntax and avoid common query issues. - -Learn more in [Search Fundamentals][1]. - ## Product-specific syntax Each Datadog product provides its own search syntax, tailored to the type of data it handles. The Product-Specific Search reference highlights the key capabilities and unique operators available in each product, such as log search facets, APM trace filters, or metric aggregation functions. These references help you understand where syntax differs across Datadog products. -See the index of [Product-Specific Search][2]. +See the index of [Product-Specific Search][1]. ## Further Reading {{< partial name="whats-next/whats-next.html" >}} -[1]: /getting_started/search/fundamentals -[2]: /getting_started/search/product_specific_reference \ No newline at end of file +[1]: /getting_started/search/product_specific_reference \ No newline at end of file diff --git a/content/en/getting_started/search/advanced_techniques.md b/content/en/getting_started/search/advanced_techniques.md deleted file mode 100644 index 91dd9d3a8df25..0000000000000 --- a/content/en/getting_started/search/advanced_techniques.md +++ /dev/null 
@@ -1,214 +0,0 @@ ---- -title: Advanced Search Techniques -description: Learn advanced techniques for searching and filtering in Datadog -further_reading: - - link: "/getting_started/search/core_concepts" - tag: "Documentation" - text: "Core Search Concepts" - - link: "/getting_started/search/feature_specific" - tag: "Documentation" - text: "Feature-Specific Search Guide" ---- - -## Overview - -This guide covers advanced search techniques in Datadog, building on the fundamentals covered in [Core Search Concepts](/getting_started/search/core_concepts). - -## Complex Query Patterns - -### Nested Boolean Logic - -Combine multiple conditions with parentheses for complex filtering: -```text -(service:api AND (@http.status_code:>=500 OR @error.type:timeout)) -AND env:production -NOT team:deprecated -``` - -### Range Queries - -Use ranges for numeric and time-based searches: -```text -# Numeric ranges -@duration:[100 TO 1000] -@http.status_code:[400 TO 499] - -# Time ranges -@timestamp:[2023-01-01 TO 2023-01-31] -@last_modified:[now-1h TO now] -``` - -## Advanced Filtering Techniques - -### Faceted Search - -Use facets to filter on specific attributes: -```text -# Filter by multiple facet values -@facet_name:(value1 OR value2) - -# Exclude facet values -@facet_name NOT (value1 OR value2) -``` - -### Pattern Matching - -Advanced wildcard and pattern usage: -```text -# Multiple wildcards -service:*-api-* - -# Prefix matching -@error.stack:Exception* - -# Suffix matching -@http.url:*.pdf -``` - -## Resource-Based Filtering - -### Service Topology - -Filter based on service relationships: -```text -# Find traces where service A calls service B -service:service-a AND @span.child_of.service:service-b - -# Find all downstream services -@span.child_of.service:parent-service -``` - -### Infrastructure Filtering - -Target specific infrastructure components: -```text -# Container-based filtering -container_name:web-* AND @docker.image:nginx - -# Kubernetes filtering 
-kube_namespace:production AND kube_deployment:frontend -``` - -## Advanced Tag Usage - -### Tag Aggregation - -Combine multiple tag conditions: -```text -# Match all tags -service:api AND env:prod AND team:backend - -# Match any tag -service:(api OR web) AND env:(staging OR prod) -``` - -### Tag Hierarchies - -Use tag hierarchies for precise filtering: -```text -# Environment hierarchy -env:prod.us-east.web - -# Application hierarchy -app:ecommerce.payment.processor -``` - -## Metric Query Patterns - -### Rate and Aggregation - -Filter based on metric behavior: -```text -# High rate of change -rate(@metric_name):>100 - -# Aggregation thresholds -avg(@metric_name):>1000 -``` - -### Correlation - -Find related metrics: -```text -# Correlated metrics -@metric_name1:>100 AND @metric_name2:<50 - -# Service correlation -service:api AND @error_rate:>0.1 -``` - -## Log Query Patterns - -### Full-Text Search - -Advanced text matching: -```text -# Proximity search -"error database"~5 - -# Fuzzy matching -"authentication"~ -``` - -### Log Attributes - -Complex attribute filtering: -```text -# Multiple attribute conditions -@http.method:POST AND @http.url:*/api/v1/* AND @duration:>1000 - -# Nested attribute matching -@user.data.preferences.theme:dark -``` - -## APM Query Patterns - -### Trace Filtering - -Advanced trace search: -```text -# Error patterns -@error.type:TimeoutError AND @http.url:*/api/* - -# Performance patterns -@duration:>100ms AND @span.kind:server -``` - -### Service Graphs - -Filter service relationships: -```text -# Direct dependencies -@span.parent.service:frontend AND service:backend - -# Service chains -service:gateway AND @span.child_of.service:auth -``` - -## Best Practices - -### Query Optimization - -1. **Use Specific Fields** - - Prefer attribute searches over full-text - - Use faceted fields when available - -2. **Optimize Performance** - - Place specific filters first - - Avoid leading wildcards - - Use time ranges effectively - -3. 
**Structure Queries** - - Group related conditions - - Use consistent patterns - - Document complex queries - -## Next Steps - -* Explore [Feature-Specific Search](/getting_started/search/feature_specific) -* Learn about [Log Management](/logs/explorer/search) -* Understand [APM & Continuous Profiling](/tracing/trace_explorer/search) - -## Further Reading - -{{< partial name="whats-next/whats-next.html" >}} \ No newline at end of file diff --git a/content/en/getting_started/search/core_concepts.md b/content/en/getting_started/search/core_concepts.md deleted file mode 100644 index 7103b0d0a74d2..0000000000000 --- a/content/en/getting_started/search/core_concepts.md +++ /dev/null 
@@ -1,178 +0,0 @@ ---- -title: Core Search Concepts -description: Learn the fundamental concepts of searching and filtering in Datadog -further_reading: - - link: "/getting_started/search/advanced_techniques" - tag: "Documentation" - text: "Advanced Search Techniques" - - link: "/getting_started/tagging/using_tags" - tag: "Documentation" - text: "Using Tags in Datadog" ---- - -## Overview - -This guide explains the core concepts of searching in Datadog, including basic syntax, operators, and filtering techniques that are common across all Datadog products. - -## Basic Search Syntax - -### Text Search - -The simplest form of search is plain text: -```text -error -timeout -"database connection" -``` - -* Single words match anywhere in searchable fields -* Use quotes for exact phrase matching -* Searches are case-insensitive by default - -### Attribute Search - -Search specific fields using the `@` prefix: -```text -@http.status_code:500 -@duration:>100 -@service:payment-api -``` - -## Boolean Logic - -### Basic Operators - -| Operator | Usage | Example | -|----------|-------|---------| -| `AND` | Both conditions must be true | `error AND timeout` | -| `OR` | Either condition can be true | `error OR warning` | -| `NOT` | Exclude matches | `error NOT timeout` | - -### Operator Precedence - -1. `NOT` -2. `AND` -3. 
`OR` - -Use parentheses to control precedence: -```text -(error OR warning) AND service:api -``` - -## Tag Filtering - -### Tag Structure - -Tags follow a `key:value` format: -```text -env:production -service:web -team:backend -``` - -### Multiple Values - -Filter for multiple values using parentheses: -```text -service:(web-server OR api-server) -env:(staging OR production) -``` - -### Exclusion - -Exclude specific tags using `NOT`: -```text -service:web NOT env:dev -``` - -## Wildcard Patterns - -### Available Wildcards - -* `*` - Match zero or more characters -* `?` - Match exactly one character - -### Common Uses - -```text -# Match all production services -service:prod-* - -# Match specific version numbers -version:2.? - -# Match multiple subdomains -host:*.example.com -``` - -### Best Practices - -* Place wildcards at the end of terms when possible -* Avoid leading wildcards when you can be more specific -* Use specific prefixes to improve search performance - -## Numeric Comparisons - -### Available Operators - -* `>` Greater than -* `>=` Greater than or equal -* `<` Less than -* `<=` Less than or equal - -### Examples - -```text -@duration:>100 -@http.status_code:>=500 -@retry_count:<3 -``` - -## Time-Based Search - -### Time Operators - -* `>` After -* `>=` At or after -* `<` Before -* `<=` At or before - -### Examples - -```text -@timestamp:>2023-01-01 -@last_seen:<1h -``` - -## Common Patterns - -### Combining Multiple Conditions - -```text -# Find production errors -service:payment AND status:error AND env:production - -# Find specific HTTP status codes -@http.method:POST AND @http.status_code:[500 TO 599] -``` - -### Resource Filtering - -```text -# Filter by specific resources -resource_name:"/api/v1/users" -container_name:web-* - -# Combine with status -resource_name:"/api/v1/users" AND @http.status_code:429 -``` - -## Next Steps - -* Explore [Advanced Search Techniques](/getting_started/search/advanced_techniques) -* Learn about [Feature-Specific 
Search](/getting_started/search/feature_specific)
-* Understand [Tag Best Practices](/getting_started/tagging/using_tags)
-
-## Further Reading
-
-{{< partial name="whats-next/whats-next.html" >}}
\ No newline at end of file
diff --git a/content/en/getting_started/search/feature_specific.md b/content/en/getting_started/search/feature_specific.md
deleted file mode 100644
index 47c61c8dd16fd..0000000000000
--- a/content/en/getting_started/search/feature_specific.md
+++ /dev/null
@@ -1,244 +0,0 @@ ---- -title: Feature-Specific Search Guide -description: Learn about search capabilities across different Datadog products -further_reading: - - link: "/getting_started/search/core_concepts" - tag: "Documentation" - text: "Core Search Concepts" - - link: "/getting_started/search/advanced_techniques" - tag: "Documentation" - text: "Advanced Search Techniques" ---- - -## Overview - -While Datadog maintains consistent search patterns across its platform, each product has unique search capabilities tailored to its specific use case. This guide helps you navigate these feature-specific search capabilities. - -{{% collapse-content title="Logs Management" level="h4" %}} - -[Detailed Log Search Documentation →](/logs/explorer/search) - -### Key Capabilities -* Full-text search across log messages -* Structured data queries -* Pattern detection -* Advanced facet filtering - -### Unique Syntax -```text -# Message content search -message:"connection timeout" - -# Attribute search -@http.status_code:[500 TO 599] - -# Pattern search -@message:%{date} ERROR %{word:component} failed -``` -{{% /collapse-content %}} - -{{% collapse-content title="APM & Continuous Profiling" level="h4" %}} - -[Detailed APM Search Documentation →](/tracing/trace_explorer/search) - -### Key Capabilities -* Trace filtering -* Span queries -* Service topology search -* Resource filtering - -### Unique Syntax -```text -# Trace queries -service:payment-api AND @http.status_code:500 - -# Service topology -@span.parent.service:frontend AND service:backend - -# Resource patterns -resource_name:"/api/v1/*" AND @http.method:POST -``` -{{% /collapse-content %}} - -{{% collapse-content title="Infrastructure Monitoring" level="h4" %}} - -[Detailed Infrastructure Search Documentation →](/infrastructure/search) - -### Key Capabilities -* Host filtering -* Container search -* Cloud provider resource filtering -* Integration-specific search - -### Unique Syntax -```text -# Host queries -host:prod-* 
AND platform:linux - -# Container filtering -container_name:web-* AND docker.image:nginx - -# Cloud resources -cloud.provider:aws AND cloud.instance.type:t2.micro -``` -{{% /collapse-content %}} - -{{% collapse-content title="Metrics" level="h4" %}} - -[Detailed Metrics Filtering Documentation →](/metrics/advanced-filtering) - -### Key Capabilities -* Metric name filtering -* Tag-based aggregation -* Rate and threshold queries -* Correlation searches - -### Unique Syntax -```text -# Metric filtering -metric.name:system.cpu.idle AND host:prod-* - -# Tag aggregation -avg:system.cpu.user{service:web} by {host} - -# Rate queries -rate(metric.name):>100 -``` -{{% /collapse-content %}} - -{{% collapse-content title="Security Monitoring" level="h4" %}} - -[Detailed Security Search Documentation →](/security_monitoring/search) - -### Key Capabilities -* Security signal search -* Threat detection queries -* Compliance filtering -* CSPM rules search - -### Unique Syntax -```text -# Security signals -security:attack AND severity:high - -# Compliance status -compliance.status:failed AND framework:pci - -# Threat detection -threat.source:ip AND threat.level:critical -``` -{{% /collapse-content %}} - -{{% collapse-content title="Synthetic Monitoring" level="h4" %}} - -[Detailed Synthetics Search Documentation →](/synthetics/search) - -### Key Capabilities -* Test result filtering -* Location-based search -* Browser test search -* API test filtering - -### Unique Syntax -```text -# Test results -test.type:browser AND status:failed - -# Location filtering -location:aws:us-east-1 AND @dns.response_time:>1s - -# Browser tests -@browser.error:* AND device:chrome -``` -{{% /collapse-content %}} - -{{% collapse-content title="Real User Monitoring (RUM)" level="h4" %}} - -[Detailed RUM Search Documentation →](/real_user_monitoring/explorer/search) - -### Key Capabilities -* User session search -* Performance metrics filtering -* Error tracking -* User journey analysis - -### Unique 
Syntax -```text -# Session queries -@session.type:user AND @performance.score:<0.5 - -# Error tracking -@error.source:js AND @error.type:TypeError - -# User journey -@user.journey.step:checkout AND @performance.loading_time:>3s -``` -{{% /collapse-content %}} - -{{% collapse-content title="CI Visibility" level="h4" %}} - -[Detailed CI Search Documentation →](/continuous_integration/explorer/search) - -### Key Capabilities -* Pipeline filtering -* Test result search -* Git metadata search -* Coverage metrics filtering - -### Unique Syntax -```text -# Pipeline queries -@ci.pipeline.name:deploy AND @ci.status:failed - -# Test results -@test.suite:integration AND @test.status:failed - -# Git metadata -@git.branch:main AND @git.author.email:*@company.com -``` -{{% /collapse-content %}} - -{{% collapse-content title="Monitor Management" level="h4" %}} - -[Detailed Monitor Search Documentation →](/monitors/manage/search) - -### Key Capabilities -* Monitor status filtering -* Alert condition search -* Notification routing -* SLO tracking - -### Unique Syntax -```text -# Monitor status -status:Alert AND type:metric - -# Alert conditions -query:"avg(last_5m):avg:system.cpu.user{*} > 80" - -# Notification -notification:@slack-alerts AND priority:P1 -``` -{{% /collapse-content %}} - -## Best Practices - -### Choose the Right Search Context -* Use feature-specific search when focusing on a single product -* Combine searches across features for complex investigations -* Leverage common patterns while respecting feature-specific syntax - -### Optimize Your Searches -* Start with feature-specific facets -* Use appropriate time ranges -* Combine with global search patterns when needed - -## Next Steps - -* Review [Core Search Concepts](/getting_started/search/core_concepts) -* Learn [Advanced Search Techniques](/getting_started/search/advanced_techniques) -* Explore specific product documentation linked throughout this guide - -## Further Reading - -{{< partial 
name="whats-next/whats-next.html" >}}
diff --git a/content/en/getting_started/search/fundamentals.md b/content/en/getting_started/search/fundamentals.md
deleted file mode 100644
index 7103b0d0a74d2..0000000000000
--- a/content/en/getting_started/search/fundamentals.md
+++ /dev/null
@@ -1,178 +0,0 @@ ---- -title: Core Search Concepts -description: Learn the fundamental concepts of searching and filtering in Datadog -further_reading: - - link: "/getting_started/search/advanced_techniques" - tag: "Documentation" - text: "Advanced Search Techniques" - - link: "/getting_started/tagging/using_tags" - tag: "Documentation" - text: "Using Tags in Datadog" ---- - -## Overview - -This guide explains the core concepts of searching in Datadog, including basic syntax, operators, and filtering techniques that are common across all Datadog products. - -## Basic Search Syntax - -### Text Search - -The simplest form of search is plain text: -```text -error -timeout -"database connection" -``` - -* Single words match anywhere in searchable fields -* Use quotes for exact phrase matching -* Searches are case-insensitive by default - -### Attribute Search - -Search specific fields using the `@` prefix: -```text -@http.status_code:500 -@duration:>100 -@service:payment-api -``` - -## Boolean Logic - -### Basic Operators - -| Operator | Usage | Example | -|----------|-------|---------| -| `AND` | Both conditions must be true | `error AND timeout` | -| `OR` | Either condition can be true | `error OR warning` | -| `NOT` | Exclude matches | `error NOT timeout` | - -### Operator Precedence - -1. `NOT` -2. `AND` -3. 
`OR` - -Use parentheses to control precedence: -```text -(error OR warning) AND service:api -``` - -## Tag Filtering - -### Tag Structure - -Tags follow a `key:value` format: -```text -env:production -service:web -team:backend -``` - -### Multiple Values - -Filter for multiple values using parentheses: -```text -service:(web-server OR api-server) -env:(staging OR production) -``` - -### Exclusion - -Exclude specific tags using `NOT`: -```text -service:web NOT env:dev -``` - -## Wildcard Patterns - -### Available Wildcards - -* `*` - Match zero or more characters -* `?` - Match exactly one character - -### Common Uses - -```text -# Match all production services -service:prod-* - -# Match specific version numbers -version:2.? - -# Match multiple subdomains -host:*.example.com -``` - -### Best Practices - -* Place wildcards at the end of terms when possible -* Avoid leading wildcards when you can be more specific -* Use specific prefixes to improve search performance - -## Numeric Comparisons - -### Available Operators - -* `>` Greater than -* `>=` Greater than or equal -* `<` Less than -* `<=` Less than or equal - -### Examples - -```text -@duration:>100 -@http.status_code:>=500 -@retry_count:<3 -``` - -## Time-Based Search - -### Time Operators - -* `>` After -* `>=` At or after -* `<` Before -* `<=` At or before - -### Examples - -```text -@timestamp:>2023-01-01 -@last_seen:<1h -``` - -## Common Patterns - -### Combining Multiple Conditions - -```text -# Find production errors -service:payment AND status:error AND env:production - -# Find specific HTTP status codes -@http.method:POST AND @http.status_code:[500 TO 599] -``` - -### Resource Filtering - -```text -# Filter by specific resources -resource_name:"/api/v1/users" -container_name:web-* - -# Combine with status -resource_name:"/api/v1/users" AND @http.status_code:429 -``` - -## Next Steps - -* Explore [Advanced Search Techniques](/getting_started/search/advanced_techniques) -* Learn about [Feature-Specific 
Search](/getting_started/search/feature_specific)
-* Understand [Tag Best Practices](/getting_started/tagging/using_tags)
-
-## Further Reading
-
-{{< partial name="whats-next/whats-next.html" >}}
\ No newline at end of file
diff --git a/content/en/getting_started/search/product_specific_reference.md b/content/en/getting_started/search/product_specific_reference.md
index 5a3c88e3814dd..5552084dcaf0e 100644
--- a/content/en/getting_started/search/product_specific_reference.md
+++ b/content/en/getting_started/search/product_specific_reference.md
@@ -1,244 +1,146 @@
 ---
-title: Product-specific search
+title: Product-Specific Search
 description: Learn about search capabilities across different Datadog products
 further_reading:
- - link: "/getting_started/search/core_concepts"
- tag: "Documentation"
- text: "Core Search Concepts"
- - link: "/getting_started/search/advanced_techniques"
- tag: "Documentation"
- text: "Advanced Search Techniques"
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search"
 ---
 ## Overview
-Each product offers unique search capabilities optimized for its use case. Use this guide to explore those capabilities and access related reference materials.
+Each Datadog product offers unique search capabilities optimized for its use case. This page provides a comprehensive index of product-specific search syntax resources to help you find the right documentation for your needs.
-{{% collapse-content title="Logs Management" level="h4" %}}
+## Search syntax families
-[Detailed Log Search Documentation →](/logs/explorer/search)
+There are two main families of search syntaxes across Datadog products:
-### Key Capabilities
-* Full-text search across log messages
-* Structured data queries
-* Pattern detection
-* Advanced facet filtering
+**Metrics-based syntax**: Used by Metrics and Cloud Cost Management for time-series data queries with tag-based filtering and aggregation.
-### Unique Syntax
-```text
-# Message content search
-message:"connection timeout"
-
-# Attribute search
-@http.status_code:[500 TO 599]
+**Event-based syntax**: Used by Log Management and adopted by most other Datadog products including traces, RUM, CI/CD, and more. This syntax provides flexible faceted search with boolean operators and pattern matching.
-# Pattern search
-@message:%{date} ERROR %{word:component} failed
-```
-{{% /collapse-content %}}
+## Metrics
-{{% collapse-content title="APM & Continuous Profiling" level="h4" %}}
+Metrics use a specialized metrics-based syntax for filtering and aggregating time-series data.
-[Detailed APM Search Documentation →](/tracing/trace_explorer/search)
+For more information, see [Advanced Filtering][1].
-### Key Capabilities
-* Trace filtering
-* Span queries
-* Service topology search
-* Resource filtering
+### Key capabilties
+* Tag-based filtering with boolean logic (`AND`, `OR`, `NOT`) or symbolic operators (`&&`, `||`, `!`)
+* Wildcard matching on metric names and tag values
+* Aggregation by multiple tag dimensions
+* Template variable filtering for dynamic dashboards
+* Metric namespace filtering for organized queries
+* **Case-sensitive matching** for metric names
-### Unique Syntax
+{{% collapse-content title="Syntax examples" level="h5" expanded=false %}}
 ```text
-# Trace queries
-service:payment-api AND @http.status_code:500
-
-# Service topology
-@span.parent.service:frontend AND service:backend
+# Filter metrics by tag
+system.cpu.idle{host:prod-*}
-# Resource patterns
-resource_name:"/api/v1/*" AND @http.method:POST
-```
-{{% /collapse-content %}}
-
-{{% collapse-content title="Infrastructure Monitoring" level="h4" %}}
+# Boolean operators for tag filtering
+avg:system.cpu.user{env:staging AND (availability-zone:us-east-1a OR availability-zone:us-east-1c)} by {availability-zone}
-[Detailed Infrastructure Search Documentation →](/infrastructure/search)
+# Combine multiple tag filters
+system.disk.used{env:production,datacenter:us-east-1}
-### Key Capabilities
-* Host filtering
-* Container search
-* Cloud provider resource filtering
-* Integration-specific search
+# Wildcard filtered query
+avg:system.disk.in_use{!device:/dev/loop*} by {device}
-### Unique Syntax
-```text
-# Host queries
-host:prod-* AND platform:linux
-
-# Container filtering
-container_name:web-* AND docker.image:nginx
+# Wildcard matching on tags
+aws.ec2.cpuutilization{instance-type:t3.*}
-# Cloud resources
-cloud.provider:aws AND cloud.instance.type:t2.micro
+# Exclude specific tags
+system.mem.used{env:production AND NOT service:test}
 ```
 {{% /collapse-content %}}
-{{% collapse-content title="Metrics" level="h4" %}}
-[Detailed Metrics Filtering Documentation →](/metrics/advanced-filtering)
+## Logs
-### Key Capabilities
-* Metric name filtering
-* Tag-based aggregation
-* Rate and threshold queries
-* Correlation searches
+Log Management uses event-based search syntax, serving as the foundation for many other products' search capabilities.
-### Unique Syntax
-```text
-# Metric filtering
-metric.name:system.cpu.idle AND host:prod-*
+For a complete reference for log search operators, wildcards, facets, and advanced queries, see [Log Search Syntax][2].
-# Tag aggregation
-avg:system.cpu.user{service:web} by {host}
+### Key capabilities
+* Full-text search across log messages with wildcards and phrase matching
+* Structured faceted search on attributes (tags, custom fields, standard attributes)
+* Pattern detection and extraction using parsing patterns
+* Advanced boolean operators (AND, OR, NOT) and grouping
+* Range queries for numerical values and timestamps
-# Rate queries
-rate(metric.name):>100
-```
-{{% /collapse-content %}}
-
-{{% collapse-content title="Security Monitoring" level="h4" %}}
-
-[Detailed Security Search Documentation →](/security_monitoring/search)
-
-### Key Capabilities
-* Security signal search
-* Threat detection queries
-* Compliance filtering
-* CSPM rules search
-
-### Unique Syntax
+{{% collapse-content title="Syntax examples" level="h5" expanded=false %}}
 ```text
-# Security signals
-security:attack AND severity:high
-
-# Compliance status
-compliance.status:failed AND framework:pci
-
-# Threat detection
-threat.source:ip AND threat.level:critical
-```
-{{% /collapse-content %}}
-
-{{% collapse-content title="Synthetic Monitoring" level="h4" %}}
+# Search for error messages containing "timeout"
+status:error "timeout"
-[Detailed Synthetics Search Documentation →](/synthetics/search)
-
-### Key Capabilities
-* Test result filtering
-* Location-based search
-* Browser test search
-* API test filtering
+# Query HTTP errors with status codes 500-599
+@http.status_code:[500 TO 599]
-### Unique Syntax
-```text
-# Test results
-test.type:browser AND status:failed
+# Combine multiple conditions
+service:web-api AND env:production AND @duration:>1000
-# Location filtering
-location:aws:us-east-1 AND @dns.response_time:>1s
+# Wildcard search for specific services
+service:payment-* AND status:error
-# Browser tests
-@browser.error:* AND device:chrome
+# Exclude specific values
+env:production NOT service:background-worker
 ```
 {{% /collapse-content %}}
-{{% collapse-content title="Real User Monitoring (RUM)" level="h4" %}}
-
-[Detailed RUM Search Documentation →](/real_user_monitoring/explorer/search)
-
-### Key Capabilities
-* User session search
-* Performance metrics filtering
-* Error tracking
-* User journey analysis
-
-### Unique Syntax
-```text
-# Session queries
-@session.type:user AND @performance.score:<0.5
-
-# Error tracking
-@error.source:js AND @error.type:TypeError
-
-# User journey
-@user.journey.step:checkout AND @performance.loading_time:>3s
-```
-{{% /collapse-content %}}
+## Traces
-{{% collapse-content title="CI Visibility" level="h4" %}}
+APM and Distributed Tracing use event-based search syntax for querying spans and traces.
-[Detailed CI Search Documentation →](/continuous_integration/explorer/search)
+To learn more about querying spans and traces with service, resource, and tag filters, see [Trace Query Syntax][3].
-### Key Capabilities
-* Pipeline filtering
-* Test result search
-* Git metadata search
-* Coverage metrics filtering
+### Key capabilites
+* Query spans by service, operation, and resource name
+* Filter by trace-level and span-level tags
+* Search across distributed traces spanning multiple services
+* Duration-based queries for performance analysis
+* Error tracking with status codes and error messages
-### Unique Syntax
+{{% collapse-content title="Syntax examples" level="h5" expanded=false %}}
 ```text
-# Pipeline queries
-@ci.pipeline.name:deploy AND @ci.status:failed
+# Find errors in a specific service
+service:payment-api status:error
-# Test results
-@test.suite:integration AND @test.status:failed
+# Query by resource and HTTP method
+resource_name:"/api/v1/checkout" @http.method:POST
-# Git metadata
-@git.branch:main AND @git.author.email:*@company.com
-```
-{{% /collapse-content %}}
-
-{{% collapse-content title="Monitor Management" level="h4" %}}
+# Search for slow traces
+service:web-api* @duration:>1s
-[Detailed Monitor Search Documentation →](/monitors/manage/search)
-
-### Key Capabilities
-* Monitor status filtering
-* Alert condition search
-* Notification routing
-* SLO tracking
-
-### Unique Syntax
-```text
-# Monitor status
-status:Alert AND type:metric
+# Trace queries across service dependencies
+@span.parent.service:frontend service:backend
-# Alert conditions
-query:"avg(last_5m):avg:system.cpu.user{*} > 80"
-
-# Notification
-notification:@slack-alerts AND priority:P1
+# Filter by custom span tags
+service:database @db.statement:"SELECT *" @db.row_count:>1000
 ```
 {{% /collapse-content %}}
-## Best Practices
-
-### Choose the Right Search Context
-* Use feature-specific search when focusing on a single product
-* Combine searches across features for complex investigations
-* Leverage common patterns while respecting feature-specific syntax
-
-### Optimize Your Searches
-* Start with feature-specific facets
-* Use appropriate time ranges
-* Combine with global search patterns when needed
+## Additional product-specific resources
+
+{{< whatsnext desc="Product-specific search syntax documentation for additional Datadog products:" >}}
+ {{< nextlink href="/continuous_integration/explorer/search_syntax" >}}CI Visibility Explorer: Query pipelines, tests, and CI/CD events{{< /nextlink >}}
+ {{< nextlink href="/continuous_delivery/explorer/search_syntax" >}}CD Visibility Explorer: Search and filter deployment events and executions{{< /nextlink >}}
+ {{< nextlink href="/monitors/manage/search" >}}Monitor Search: Find and filter monitors by status, type, tags, and alert conditions{{< /nextlink >}}
+ {{< nextlink href="/observability_pipelines/processors/filter" >}}Observability Pipelines Filter Processor: Query syntax for filtering pipeline data{{< /nextlink >}}
+ {{< nextlink href="/product_analytics/analytics_explorer/search_syntax" >}}Product Analytics Explorer Search: Search user interactions and product analytics events{{< /nextlink >}}
+ {{< nextlink href="/quality_gates/explorer/search_syntax" >}}Quality Gates Explorer Syntax: Query quality gate rules and evaluation results{{< /nextlink >}}
+ {{< nextlink href="/real_user_monitoring/explorer/search_syntax" >}}RUM Explorer Search: Search user sessions, views, actions, and errors{{< /nextlink >}}
+ {{< nextlink href="/security/sensitive_data_scanner/scanning_rules/custom_rules" >}}Sensitive Data Scanner Custom Rules: Regex patterns and matching syntax for scanning sensitive data{{< /nextlink >}}
+ {{< nextlink href="/service_management/events/explorer/searching" >}}Service Management Events Search: Query and filter service management events{{< /nextlink >}}
+ {{< nextlink href="/logs/workspaces/sql_reference" >}}SQL Reference for Logs: SQL syntax for advanced log analysis in Workspaces{{< /nextlink >}}
+ {{< nextlink href="/tests/explorer/search_syntax" >}}Test Optimization Explorer Search Syntax: Search and analyze test execution data{{< /nextlink >}}
+{{< /whatsnext >}}
-## Next Steps
+## Further Reading
-* Review [Core Search Concepts](/getting_started/search/core_concepts)
-* Learn [Advanced Search Techniques](/getting_started/search/advanced_techniques)
-* Explore specific product documentation linked throughout this guide
+{{< partial name="whats-next/whats-next.html" >}}
-## Further Reading
-{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: /metrics/advanced-filtering
+[2]: /logs/explorer/search_syntax
+[3]: /tracing/trace_explorer/query_syntax
\ No newline at end of file
From be36086b4cac2bd3441c48f3a8e8e38dc48d42bd Mon Sep 17 00:00:00 2001
From: Esther Kim
Date: Thu, 9 Oct 2025 15:51:24 -0400
Subject: [PATCH 05/10] Update content/en/getting_started/search/_index.md
---
 content/en/getting_started/search/_index.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/en/getting_started/search/_index.md b/content/en/getting_started/search/_index.md
index 8a89f34f391a5..042335b71f860 100644
--- a/content/en/getting_started/search/_index.md
+++ b/content/en/getting_started/search/_index.md
@@ -11,7 +11,6 @@ further_reading:
 Datadog provides powerful and flexible search capabilities across its products and features. This guide introduces the core concepts of search syntax in Datadog, helping you understand how to construct effective queries across Logs, Metrics, APM, and more.
-You'll learn about shared search semantics, product-specific syntax, and advanced techniques that enhance your querying experience. Each section also includes examples and links to detailed documentation for further reference.
 ## Understanding Datadog search
From 0b2569fcc2ac10e22fb98df3ed905e798cf6c533 Mon Sep 17 00:00:00 2001
From: Esther Kim
Date: Thu, 9 Oct 2025 16:00:52 -0400
Subject: [PATCH 06/10] Add to getting started index
---
 content/en/getting_started/_index.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/content/en/getting_started/_index.md b/content/en/getting_started/_index.md
index 8509acb9ccce2..4b30e8a19fa4f 100644
--- a/content/en/getting_started/_index.md
+++ b/content/en/getting_started/_index.md
@@ -99,6 +99,7 @@ For the fastest introduction to navigating Datadog, try the [Quick Start course]
 {{< nextlink href="/getting_started/agent" >}}Agent: Send metrics and events from your hosts to Datadog.{{< /nextlink >}}
 {{< nextlink href="/getting_started/api" >}}API: Get started with the Datadog HTTP API.{{< /nextlink >}}
 {{< nextlink href="/getting_started/integrations" >}}Integrations: Learn how to collect metrics, traces, and logs with Datadog integrations.{{< /nextlink >}}
+{{< nextlink href="/getting_started/search" >}}Search: Learn the fundamentals of searching and filtering across Datadog products.{{< /nextlink >}}
 {{< nextlink href="/getting_started/tagging" >}}Tags: Start tagging your metrics, logs, and traces.{{< /nextlink >}}
 {{< nextlink href="/getting_started/opentelemetry" >}}OpenTelemetry: Learn how to send OpenTelemetry metrics, traces, and logs to Datadog.{{< /nextlink >}}
 {{< nextlink href="/getting_started/learning_center" >}}Learning Center: Follow a learning path, take a self-guided class or lab, and explore the Datadog certification program.{{< /nextlink >}}
From 6b97aa49b95afebaf6767be3feb255c5f67e2a93 Mon Sep 17 00:00:00 2001
From: Esther Kim
Date: Fri, 10 Oct 2025 12:29:19 -0400
Subject: [PATCH 07/10] Update log example
Co-authored-by: Erik Uzureau
---
 content/en/getting_started/search/product_specific_reference.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/en/getting_started/search/product_specific_reference.md b/content/en/getting_started/search/product_specific_reference.md
index 5552084dcaf0e..611c689f75e8a 100644
--- a/content/en/getting_started/search/product_specific_reference.md
+++ b/content/en/getting_started/search/product_specific_reference.md
@@ -78,7 +78,7 @@ status:error "timeout"
 @http.status_code:[500 TO 599]
 # Combine multiple conditions
-service:web-api AND env:production AND @duration:>1000
+service:web-api env:(production OR dev) AND @duration:>1000
 # Wildcard search for specific services
 service:payment-* AND status:error
From 3a234e23f19218be8a560ba2ee12804dab4eb016 Mon Sep 17 00:00:00 2001
From: Esther Kim
Date: Tue, 14 Oct 2025 12:44:30 -0400
Subject: [PATCH 08/10] Apply suggestions from code review
Co-authored-by: Rosa Trieu <107086888+rtrieu@users.noreply.github.com>
---
 content/en/getting_started/search/_index.md | 10 +++++-----
 .../search/product_specific_reference.md | 6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/content/en/getting_started/search/_index.md b/content/en/getting_started/search/_index.md
index 042335b71f860..e0ec81d110128 100644
--- a/content/en/getting_started/search/_index.md
+++ b/content/en/getting_started/search/_index.md
@@ -15,14 +15,14 @@ Datadog provides powerful and flexible search capabilities across its products a
 ## Understanding Datadog search
 Datadog provides a unified way to query data across products using text-based search syntax. All data in Datadog can be explored and filtered through queries, but the syntax and behavior differ depending on the type of data you're working with. There are two primary query formats in Datadog:
-- **Metric-based queries**: used in Metrics and Cloud Cost Management (CCM).
-- **Event-based queries**: used across most other products, including Logs, APM, RUM, Events, and Security.
+- **Metric-based queries**: Used in Metrics and Cloud Cost Management (CCM).
+- **Event-based queries**: Used across most other products, including Logs, APM, RUM, Events, and Security.
 Although both query types let you filter and analyze data, their syntax is not interchangeable. Each follows its own structure, operators, and supported functions designed for the type of data it handles.
 ### Metric-Based Queries
-Metric-based queries are designed to retrieve and analyze numerical time series data. They rely on tags and attributes to filter metrics and often combine functions and arithmetic operations to calculate and visualize trends over time (for example, average latency, error rate, or cost over time).
+Metric-based queries are designed to retrieve and analyze numerical time series data. They rely on tags to filter metrics and often combine functions and arithmetic operations to calculate and visualize trends over time (for example, average latency, error rate, or cost over time).
 ### Event-Based Queries
@@ -34,9 +34,9 @@ Compared to metric queries, event-based searches focus on discovering and filter
 Each Datadog product provides its own search syntax, tailored to the type of data it handles. The Product-Specific Search reference highlights the key capabilities and unique operators available in each product, such as log search facets, APM trace filters, or metric aggregation functions. These references help you understand where syntax differs across Datadog products.
-See the index of [Product-Specific Search][1].
+Learn more in [Product-Specific Search][1].
-## Further Reading
+## Further reading
 {{< partial name="whats-next/whats-next.html" >}}
diff --git a/content/en/getting_started/search/product_specific_reference.md b/content/en/getting_started/search/product_specific_reference.md
index 611c689f75e8a..16e989a072121 100644
--- a/content/en/getting_started/search/product_specific_reference.md
+++ b/content/en/getting_started/search/product_specific_reference.md
@@ -25,7 +25,7 @@ Metrics use a specialized metrics-based syntax for filtering and aggregating tim
 For more information, see [Advanced Filtering][1].
-### Key capabilties
+### Key capabilities
 * Tag-based filtering with boolean logic (`AND`, `OR`, `NOT`) or symbolic operators (`&&`, `||`, `!`)
 * Wildcard matching on metric names and tag values
 * Aggregation by multiple tag dimensions
@@ -94,7 +94,7 @@ APM and Distributed Tracing use event-based search syntax for querying spans and
 To learn more about querying spans and traces with service, resource, and tag filters, see [Trace Query Syntax][3].
-### Key capabilites
+### Key capabilities
 * Query spans by service, operation, and resource name
 * Filter by trace-level and span-level tags
 * Search across distributed traces spanning multiple services
@@ -136,7 +136,7 @@ service:database @db.statement:"SELECT *" @db.row_count:>1000
 {{< nextlink href="/tests/explorer/search_syntax" >}}Test Optimization Explorer Search Syntax: Search and analyze test execution data{{< /nextlink >}}
 {{< /whatsnext >}}
-## Further Reading
+## Further reading
 {{< partial name="whats-next/whats-next.html" >}}
From 19af3960e1ea62101714d580afbb57ca07a2d11f Mon Sep 17 00:00:00 2001
From: Esther Kim
Date: Tue, 14 Oct 2025 14:23:09 -0400
Subject: [PATCH 09/10] Add getting started guide to further reading
---
 content/en/continuous_delivery/explorer/search_syntax.md | 3 +++
 .../en/continuous_integration/explorer/search_syntax.md | 3 +++
 .../getting_started/search/product_specific_reference.md | 3 +--
 content/en/logs/explorer/search_syntax.md | 3 +++
 content/en/metrics/advanced-filtering.md | 3 +++
 content/en/monitors/manage/search.md | 4 ++++
 content/en/observability_pipelines/processors/filter.md | 7 +++++++
 .../charts/analytics_explorer/search_syntax.md | 3 +++
 content/en/quality_gates/explorer/search_syntax.md | 3 +++
 content/en/real_user_monitoring/explorer/search_syntax.md | 3 +++
 content/en/service_management/events/explorer/searching.md | 3 +++
 content/en/tests/explorer/search_syntax.md | 3 +++
 content/en/tracing/trace_explorer/query_syntax.md | 3 +++
 content/en/tracing/trace_explorer/search.md | 3 +++
 14 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/content/en/continuous_delivery/explorer/search_syntax.md b/content/en/continuous_delivery/explorer/search_syntax.md
index cbf34122c634d..0092a182391ea 100644
--- a/content/en/continuous_delivery/explorer/search_syntax.md
+++ b/content/en/continuous_delivery/explorer/search_syntax.md
@@ -2,6 +2,9 @@
 title: CD Visibility Explorer Search Syntax
 description: Search all of your deployment executions.
 further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "/continuous_delivery/explorer/facets"
 tag: "Documentation"
 text: "Learn about facets"
diff --git a/content/en/continuous_integration/explorer/search_syntax.md b/content/en/continuous_integration/explorer/search_syntax.md
index 017e9238da582..08f810db5257c 100644
--- a/content/en/continuous_integration/explorer/search_syntax.md
+++ b/content/en/continuous_integration/explorer/search_syntax.md
@@ -2,6 +2,9 @@
 title: CI Visibility Explorer Search Syntax
 description: Learn how to search for all of your pipeline executions in the CI Visibility Explorer.
 further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "/continuous_integration/search"
 tag: "Documentation"
 text: "Filter and group pipelines"
diff --git a/content/en/getting_started/search/product_specific_reference.md b/content/en/getting_started/search/product_specific_reference.md
index 16e989a072121..ae4b16b911b9d 100644
--- a/content/en/getting_started/search/product_specific_reference.md
+++ b/content/en/getting_started/search/product_specific_reference.md
@@ -140,7 +140,6 @@ service:database @db.statement:"SELECT *" @db.row_count:>1000
 {{< partial name="whats-next/whats-next.html" >}}
-
 [1]: /metrics/advanced-filtering
 [2]: /logs/explorer/search_syntax
-[3]: /tracing/trace_explorer/query_syntax
\ No newline at end of file
+[3]: /tracing/trace_explorer/query_syntax
diff --git a/content/en/logs/explorer/search_syntax.md b/content/en/logs/explorer/search_syntax.md
index 999c380e34fac..3b31cb4768ba3 100644
--- a/content/en/logs/explorer/search_syntax.md
+++ b/content/en/logs/explorer/search_syntax.md
@@ -5,6 +5,9 @@ aliases:
 - /logs/search-syntax
 - /logs/search_syntax/
 further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "/logs/explorer/#visualize"
 tag: "Documentation"
 text: "Learn how to visualize logs"
diff --git a/content/en/metrics/advanced-filtering.md b/content/en/metrics/advanced-filtering.md
index 4266717da1085..30fc2ef5ac82f 100644
--- a/content/en/metrics/advanced-filtering.md
+++ b/content/en/metrics/advanced-filtering.md
@@ -2,6 +2,9 @@
 title: Advanced Filtering
 description: Filter your data to narrow the scope of metrics returned.
 further_reading:
+ - link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "/metrics/explorer/"
 tag: "Documentation"
 text: "Metrics Explorer"
diff --git a/content/en/monitors/manage/search.md b/content/en/monitors/manage/search.md
index d659fe626654e..278f89d06abfb 100644
--- a/content/en/monitors/manage/search.md
+++ b/content/en/monitors/manage/search.md
@@ -1,6 +1,10 @@
 ---
 title: Search Monitors
 description: "Filter the monitor list by using the faceted search"
+further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 ---
 To search your monitors, construct a query using the facet panel on the left and/or the search bar at the top. When you select attributes, the search bar updates with the equivalent query. Likewise, when you modify the search bar query (or write a new one), the attribute checkboxes update to reflect the change. In any case, query results update in real-time as you edit the query. **Note**: There is no *search* button to click.
diff --git a/content/en/observability_pipelines/processors/filter.md b/content/en/observability_pipelines/processors/filter.md
index 8c67090af5b01..06129cd39c380 100644
--- a/content/en/observability_pipelines/processors/filter.md
+++ b/content/en/observability_pipelines/processors/filter.md
@@ -1,6 +1,13 @@
 ---
 title: Filter Processor
 disable_toc: false
+further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
+- link: /logs/explorer/search_syntax/
+ tag: "Documentation"
+ text: Log Management Search Syntax
 ---
 {{% observability_pipelines/processors/filter %}}
diff --git a/content/en/product_analytics/charts/analytics_explorer/search_syntax.md b/content/en/product_analytics/charts/analytics_explorer/search_syntax.md
index 55dba511cec34..e995ad888f1fd 100644
--- a/content/en/product_analytics/charts/analytics_explorer/search_syntax.md
+++ b/content/en/product_analytics/charts/analytics_explorer/search_syntax.md
@@ -3,6 +3,9 @@ title: Search Syntax
 aliases:
 - /product_analytics/analytics_explorer/search_syntax
 further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "/product_analytics/analytics_explorer/"
 tag: "Documentation"
 text: "Understand your application usage at a glance"
diff --git a/content/en/quality_gates/explorer/search_syntax.md b/content/en/quality_gates/explorer/search_syntax.md
index 4bb66f7a4edc0..1f9e152312f2c 100644
--- a/content/en/quality_gates/explorer/search_syntax.md
+++ b/content/en/quality_gates/explorer/search_syntax.md
@@ -2,6 +2,9 @@
 title: Quality Gates Explorer Search Syntax
 description: Search all of your quality gates or rule executions.
 further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "/quality_gates/search"
 tag: "Documentation"
 text: "Filter and group quality gates"
diff --git a/content/en/real_user_monitoring/explorer/search_syntax.md b/content/en/real_user_monitoring/explorer/search_syntax.md
index 4d1b9144dad25..425eb69a020bb 100644
--- a/content/en/real_user_monitoring/explorer/search_syntax.md
+++ b/content/en/real_user_monitoring/explorer/search_syntax.md
@@ -2,6 +2,9 @@
 title: Search Syntax
 description: "Learn RUM Explorer search syntax including terms, operators, and Boolean logic to create complex queries for event filtering."
 further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "/real_user_monitoring/explorer/search/"
 tag: "Documentation"
 text: "Search for your events"
diff --git a/content/en/service_management/events/explorer/searching.md b/content/en/service_management/events/explorer/searching.md
index 3c8bc507d46cf..12b705ed076d1 100644
--- a/content/en/service_management/events/explorer/searching.md
+++ b/content/en/service_management/events/explorer/searching.md
@@ -1,6 +1,9 @@
 ---
 title: Search Syntax
 further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "logs/explorer/search_syntax"
 tag: "Documentation"
 text: "Log Search Syntax"
diff --git a/content/en/tests/explorer/search_syntax.md b/content/en/tests/explorer/search_syntax.md
index 40d80bf2b348e..175c531796fc5 100644
--- a/content/en/tests/explorer/search_syntax.md
+++ b/content/en/tests/explorer/search_syntax.md
@@ -2,6 +2,9 @@
 title: Test Optimization Explorer Search Syntax
 description: Learn how to search for all of your test runs in the Test Optimization Explorer.
 further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "/tests/explorer/facets"
 tag: "Documentation"
 text: "Learn about facets"
diff --git a/content/en/tracing/trace_explorer/query_syntax.md b/content/en/tracing/trace_explorer/query_syntax.md
index 0acb8c6132aec..3868cb0817846 100644
--- a/content/en/tracing/trace_explorer/query_syntax.md
+++ b/content/en/tracing/trace_explorer/query_syntax.md
@@ -20,6 +20,9 @@ aliases:
 - /tracing/trace_search_and_analytics/query_syntax
 - /tracing/trace_explorer/trace_groups
 further_reading:
+- link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 - link: "/tracing/trace_collection/"
 tag: "Documentation"
 text: "Learn how to setup APM tracing with your application"
diff --git a/content/en/tracing/trace_explorer/search.md b/content/en/tracing/trace_explorer/search.md
index 21cd175e605be..4a19598b5e5cc 100644
--- a/content/en/tracing/trace_explorer/search.md
+++ b/content/en/tracing/trace_explorer/search.md
@@ -5,6 +5,9 @@ further_reading:
 - link: 'tracing/trace_explorer/query_syntax'
 tag: 'Documentation'
 text: 'Query Syntax'
+ - link: "/getting_started/search/"
+ tag: "Documentation"
+ text: "Getting Started with Search in Datadog"
 ---
 ## Overview
From 3fb6e0d72f07405cfb021d08c7c958d938bf6ffd Mon Sep 17 00:00:00 2001
From: Esther Kim
Date: Tue, 14 Oct 2025 14:23:09 -0400
Subject: [PATCH 10/10] Add getting started guide to further reading
---
 content/en/monitors/manage/search.md | 4 ++++
 content/en/observability_pipelines/processors/filter.md | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/content/en/monitors/manage/search.md b/content/en/monitors/manage/search.md
index 278f89d06abfb..f9e2b747fb7a5 100644
--- a/content/en/monitors/manage/search.md
+++ b/content/en/monitors/manage/search.md
@@ -96,6 +96,10 @@ From the default view entry in the Views panel:
 * **Update** your default view with the current parameters.
 * **Reset** your default view to Datadog's defaults for a fresh restart.
+## Further reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
 [1]: /monitors/status/#properties
 [2]: https://www.elastic.co/guide/en/elasticsearch/reference/2.4/query-dsl-query-string-query.html#query-string-syntax
 [3]: https://www.elastic.co/guide/en/elasticsearch/reference/2.4/query-dsl-query-string-query.html#_fuzziness
diff --git a/content/en/observability_pipelines/processors/filter.md b/content/en/observability_pipelines/processors/filter.md
index 06129cd39c380..ab983cabbed8d 100644
--- a/content/en/observability_pipelines/processors/filter.md
+++ b/content/en/observability_pipelines/processors/filter.md
@@ -12,4 +12,8 @@ further_reading:
 {{% observability_pipelines/processors/filter %}}
-{{% observability_pipelines/processors/filter_syntax %}}
\ No newline at end of file
+{{% observability_pipelines/processors/filter_syntax %}}
+
+## Further reading
+
+{{< partial name="whats-next/whats-next.html" >}}
\ No newline at end of file