dd-logs
Log management - search, pipelines, archives, and cost control.
Best use case
dd-logs is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using dd-logs should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/dd-logs/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
How dd-logs Compares
| Feature / Agent | dd-logs | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Log management - search, pipelines, archives, and cost control.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Datadog Logs
Search, process, and archive logs with cost awareness.
## Prerequisites
Datadog Pup (dd-pup/pup) should already be installed:
```bash
go install github.com/datadog-labs/pup@latest
```
## Quick Start
```bash
pup auth login
```
## Search Logs
```bash
# Basic search
pup logs search --query="status:error" --from="1h"
# With filters
pup logs search --query="service:api status:error" --from="1h" --limit 100
# JSON output
pup logs search --query="@http.status_code:>=500" --from="1h" --json
```
### Search Syntax
| Query | Meaning |
|-------|---------|
| `error` | Full-text search |
| `status:error` | Tag equals |
| `@http.status_code:500` | Attribute equals |
| `@http.status_code:>=400` | Numeric range |
| `service:api AND env:prod` | Boolean |
| `@message:*timeout*` | Wildcard |
## Pipelines
Process logs before indexing:
```bash
# List pipelines
pup logs pipelines list
# Create pipeline (JSON)
pup logs pipelines create --json @pipeline.json
```
### Common Processors
```json
{
  "name": "API Logs",
  "filter": {"query": "service:api"},
  "processors": [
    {
      "type": "grok-parser",
      "name": "Parse nginx",
      "source": "message",
      "grok": {"match_rules": "parse_nginx %{ipOrHost:client_ip} %{data:method} %{data:path} %{number:status}"}
    },
    {
      "type": "status-remapper",
      "name": "Set severity",
      "sources": ["level", "severity"]
    },
    {
      "type": "attribute-remapper",
      "name": "Remap user_id",
      "sources": ["user_id"],
      "target": "usr.id"
    }
  ]
}
```
## ⚠️ Exclusion Filters (Cost Control)
**Index only what matters:**
```json
{
  "name": "Drop debug logs",
  "filter": {"query": "status:debug"},
  "is_enabled": true
}
```
### High-Volume Exclusions
```bash
# Find noisiest log sources
pup logs search --query="*" --from="1h" --json | jq 'group_by(.service) | map({service: .[0].service, count: length}) | sort_by(-.count)[:10]'
```
| Exclude | Query |
|---------|-------|
| Health checks | `@http.url:"/health" OR @http.url:"/ready"` |
| Debug logs | `status:debug` |
| Static assets | `@http.url:*.css OR @http.url:*.js` |
| Heartbeats | `@message:*heartbeat*` |
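
A dry run of the exclusion queries in the table above against sample events, as an added example (not part of the original skill): it reports how many events each filter would drop from the index and which of those are warnings, errors or HTTP 4xx/5xx. The evaluator covers only `key:value` terms joined by `OR` with `*` wildcards, and the `SAMPLE` events and the "worth keeping" heuristic are assumptions.

```python
from fnmatch import fnmatchcase

# Exclusion queries copied from the table above.
EXCLUSIONS = {
    "Health checks": '@http.url:"/health" OR @http.url:"/ready"',
    "Debug logs": "status:debug",
    "Static assets": "@http.url:*.css OR @http.url:*.js",
    "Heartbeats": "@message:*heartbeat*",
}

def lookup(event, key):
    """Resolve `status` or a dotted `@a.b` attribute path in a log event dict."""
    node = event
    for part in key.lstrip("@").split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def matches(query, event):
    """Simplified evaluator (assumption): key:value terms joined by OR, `*` wildcards."""
    for term in query.split(" OR "):
        key, _, pattern = term.partition(":")
        value = lookup(event, key)
        if value is not None and fnmatchcase(str(value), pattern.strip('"')):
            return True
    return False

def dry_run(events):
    """Per exclusion: (events it would drop, dropped events worth a second look)."""
    report = {}
    for name, query in EXCLUSIONS.items():
        dropped = [e for e in events if matches(query, e)]
        # Heuristic (assumption): warn/error status or HTTP >= 400 should stay searchable.
        keep = [e for e in dropped
                if e.get("status") in ("error", "warn")
                or (lookup(e, "@http.status_code") or 0) >= 400]
        report[name] = (len(dropped), keep)
    return report

# Constructed sample events, not real log data.
SAMPLE = [
    {"status": "info", "message": "GET /health", "http": {"url": "/health", "status_code": 200}},
    {"status": "warn", "message": "GET /health denied", "http": {"url": "/health", "status_code": 401}},
    {"status": "info", "message": "GET /static/app.js", "http": {"url": "/static/app.js", "status_code": 200}},
    {"status": "error", "message": "heartbeat lost for node-3"},
    {"status": "debug", "message": "cache miss"},
    {"status": "info", "message": "login ok", "http": {"url": "/login", "status_code": 200}},
]
```

Where the second element of a result is non-empty, narrow the exclusion query (for example by adding a status condition) before enabling it.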
## Archives
Store logs cheaply for compliance:
```bash
# List archives
pup logs archives list
```
Archive config (S3 example):
```json
{
  "name": "compliance-archive",
  "query": "*",
  "destination": {
    "type": "s3",
    "bucket": "my-logs-archive",
    "path": "/datadog"
  },
  "rehydration_tags": ["team:platform"]
}
```
### Rehydrate (Restore)
```bash
# Rehydrate archived logs
pup logs rehydrate create \
--archive-id abc123 \
--from "2024-01-01T00:00:00Z" \
--to "2024-01-02T00:00:00Z" \
--query "service:api status:error"
```
## Log-Based Metrics
Create metrics from logs (cheaper than indexing):
```bash
# Count API errors, grouped by endpoint
pup logs metrics create \
--name "api.errors.count" \
--query "service:api status:error" \
--group-by "endpoint"
```
**⚠️ Cardinality warning:** Group by bounded values only.
## Sensitive Data
### Scrubbing Rules
```json
{
  "type": "hash-remapper",
  "name": "Hash emails",
  "sources": ["email", "@user.email"]
}
```
### Never Log
```python
# In your app - sanitize before sending
import re


def sanitize_log(message: str) -> str:
    # Remove credit cards
    message = re.sub(r'\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b', '[REDACTED]', message)
    # Remove SSNs
    message = re.sub(r'\b\d{3}-\d{2}-\d{4}\b', '[REDACTED]', message)
    return message
```
```
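
One way to apply the same redaction to every record an application emits, as an added example (not part of the original skill): a `logging.Filter` that redacts the fully formatted message, so values passed as `%s` arguments are covered, with a Luhn check so 16-digit IDs that are not card numbers are left alone. The logger names and sample values are constructed for illustration.

```python
import io
import logging
import re

CARD_RE = re.compile(r"\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b")  # pattern from the page
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                         # pattern from the page


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so 16-digit order or trace IDs are not redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    def card(m: re.Match) -> str:
        return "[REDACTED]" if luhn_ok(re.sub(r"\D", "", m.group())) else m.group()
    return SSN_RE.sub("[REDACTED]", CARD_RE.sub(card, text))


class RedactingFilter(logging.Filter):
    """Redact the formatted message, then drop args so nothing is re-interpolated."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), None
        return True


def demo() -> str:
    """Log constructed values through a child logger and return what was emitted."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Attach to the handler: a filter added to a logger is skipped for
    # records that propagate up from its child loggers.
    handler.addFilter(RedactingFilter())
    parent = logging.getLogger("ddlogs_demo")
    parent.addHandler(handler)
    parent.propagate = False
    logging.getLogger("ddlogs_demo.billing").warning(
        "charge failed card=%s ssn=%s order=%s",
        "4111 1111 1111 1111", "123-45-6789", "1234567890123456")
    parent.removeHandler(handler)
    return buf.getvalue()
```

Exception tracebacks are rendered by the formatter after filters run, so they are not covered by this filter.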
## Troubleshooting
| Problem | Fix |
|---------|-----|
| Logs not appearing | Check agent, pipeline filters |
| High costs | Add exclusion filters |
| Search slow | Narrow time range, use indexes |
| Missing attributes | Check grok parser |
## References/Documentation
- [Log Search Syntax](https://docs.datadoghq.com/logs/explorer/search_syntax/)
- [Pipelines](https://docs.datadoghq.com/logs/log_configuration/pipelines/)
- [Exclusion Filters](https://docs.datadoghq.com/logs/indexes/#exclusion-filters)
- [Archives](https://docs.datadoghq.com/logs/archives/)