How to search Datadog logs with cURL


This post goes over how to search Datadog logs programmatically with cURL.

Prerequisites

Datadog

Datadog API key:

# example
DATADOG_API_KEY=a1b2c3d4f5abcdef123456789abcdef1

Datadog application key:

# example
DATADOG_APP_KEY=a1b2c3d4f5abcdef123456789abcdef123456789

jq

Install jq to parse JSON data:

brew install jq

Script

Create script search.sh:

touch search.sh && chmod +x search.sh

Set the variables:

#!/bin/bash
DATADOG_API_KEY=<DATADOG_API_KEY>
DATADOG_APP_KEY=<DATADOG_APP_KEY>

Run the script:

./search.sh

API

Basic search between 8PM - 10PM Eastern:

data='{
  "filter": {
    "from": "2021-10-23T20:00:00-04:00",
    "to": "2021-10-23T22:00:00-04:00",
    "query": "*"
  }
}'

response=$(curl -L -X POST "https://api.datadoghq.com/api/v2/logs/events/search" \
  -H "Content-Type: application/json" \
  -H "DD-API-KEY: $DATADOG_API_KEY" \
  -H "DD-APPLICATION-KEY: $DATADOG_APP_KEY" --data-raw "$data")

echo "$response" | jq .

Time

Query for 500 errors in the past hour:

curl -L -X POST "https://api.datadoghq.com/api/v2/logs/events/search" \
  -H "Content-Type: application/json" \
  -H "DD-API-KEY: $DATADOG_API_KEY" \
  -H "DD-APPLICATION-KEY: $DATADOG_APP_KEY" --data-raw '{
  "filter": {
    "from": "now-1h",
    "to": "now",
    "query": "@http.status_code:500"
  }
}'

Limit

Retrieve the maximum log limit of 1000 with page.limit:

response=$(curl -L -X POST "https://api.datadoghq.com/api/v2/logs/events/search" \
  -H "Content-Type: application/json" \
  -H "DD-API-KEY: $DATADOG_API_KEY" \
  -H "DD-APPLICATION-KEY: $DATADOG_APP_KEY" --data-raw '{
  "filter": {
    "from": "now-2d",
    "to": "now",
    "query": "*"
  },
  "page": {
    "limit": 1000
  }
}')

echo "$response" | jq .

Resend with page.cursor to see the next page of logs:

cursor=$(echo "$response" | jq -r .meta.page.after)
# Build the body with jq so the cursor is inserted as a JSON-escaped string
data=$(jq -n --arg cursor "$cursor" '{
  "filter": {
    "from": "now-2d",
    "to": "now",
    "query": "*"
  },
  "page": {
    "cursor": $cursor,
    "limit": 1000
  }
}')

curl -L -X POST "https://api.datadoghq.com/api/v2/logs/events/search" \
  -H "Content-Type: application/json" \
  -H "DD-API-KEY: $DATADOG_API_KEY" \
  -H "DD-APPLICATION-KEY: $DATADOG_APP_KEY" \
  --data-raw "$data"
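
Following page.cursor until the API stops returning meta.page.after, as an added example that is not code from the original post: it collects every page of a search, one event per line, so an investigation does not stop at the first 1000 logs. The function names build_body, dd_search and search_all, the 50-page default cap and the exit codes are assumptions of this example; the keys are read from the environment.

```bash
#!/bin/bash
# Added example: fetch every page of a Datadog log search.
DD_URL="https://api.datadoghq.com/api/v2/logs/events/search"

# build_body FROM TO QUERY [CURSOR] -> JSON request body on stdout.
# jq --arg JSON-escapes each value, so a cursor or query containing quotes,
# slashes or ampersands cannot change the structure of the request.
build_body() {
  jq -cn --arg from "$1" --arg to "$2" --arg query "$3" --arg cursor "${4:-}" '
    {filter: {from: $from, to: $to, query: $query}, page: {limit: 1000}}
    | if $cursor != "" then .page.cursor = $cursor else . end'
}

# dd_search BODY -> raw API response on stdout.
# Keys come from the environment; --fail turns an HTTP error (401, 429, ...)
# into a non-zero exit instead of a body that is parsed as an empty page.
dd_search() {
  curl -sS --fail -L -X POST "$DD_URL" \
    -H "Content-Type: application/json" \
    -H "DD-API-KEY: ${DATADOG_API_KEY:?set DATADOG_API_KEY}" \
    -H "DD-APPLICATION-KEY: ${DATADOG_APP_KEY:?set DATADOG_APP_KEY}" \
    --data-raw "$1"
}

# search_all FROM TO QUERY [MAX_PAGES] -> one JSON log event per line.
# Returns 0 when the last page was reached, 1 on a request error and
# 2 when MAX_PAGES (assumed default: 50) was hit with results remaining.
search_all() {
  local from=$1 to=$2 query=$3 max_pages=${4:-50}
  local cursor="" page=0 response
  while [ "$page" -lt "$max_pages" ]; do
    response=$(dd_search "$(build_body "$from" "$to" "$query" "$cursor")") || return 1
    printf '%s' "$response" | jq -c '.data[]?'
    cursor=$(printf '%s' "$response" | jq -r '.meta.page.after // empty')
    [ -n "$cursor" ] || return 0
    page=$((page + 1))
  done
  echo "stopped after $max_pages pages; results are incomplete" >&2
  return 2
}

# Usage: search_all "now-2d" "now" "@http.status_code:500" > events.ndjson
```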

