name: datadog-logs
description: Query and filter Datadog logs from the shell using the Composio CLI. Run scoped log searches, pivot across services/environments, and export structured JSON for downstream agents instead of click-driving the Datadog UI.
metadata:
  short-description: Datadog log filtering via the Composio CLI
Datadog Logs
Query Datadog logs through the Composio CLI so the agent can filter, pivot, and summarize without you pasting screenshots.
When to Use
- Investigating a spike, error surge, or latency regression and you want structured JSON back.
- Correlating a deploy with log volume changes across services/environments.
- Building a scheduled "what broke overnight" digest.
Prereqs
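# Piping a remote script into bash runs whatever the server returns; read the installer first if your policy requires it.
curl -fsSL https://composio.dev/install | bash
composio login
composio link datadog   # prompts for site + API/APP keys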
Discover Tools
composio search "search logs" --toolkits datadog
composio search "aggregate logs" --toolkits datadog
composio tools list datadog
Commonly used slugs (confirm with --get-schema):
- DATADOG_SEARCH_LOGS
- DATADOG_AGGREGATE_LOGS
- DATADOG_LIST_ACTIVE_METRICS
- DATADOG_GET_EVENT
Filter Recipes
Errors from one service in the last 15 minutes
composio execute DATADOG_SEARCH_LOGS -d '{
  "filter": {
    "query": "service:checkout status:error env:prod",
    "from": "now-15m",
    "to": "now"
  },
  "page": { "limit": 100 },
  "sort": "-timestamp"
}'
Aggregate error count by endpoint
composio execute DATADOG_AGGREGATE_LOGS -d '{
  "filter": { "query": "service:checkout status:error", "from": "now-1h", "to": "now" },
  "group_by": [{ "facet": "@http.url_path", "limit": 20 }],
  "compute": [{ "aggregation": "count" }]
}'
Trace a single request across services
composio execute DATADOG_SEARCH_LOGS -d '{
  "filter": { "query": "@trace_id:7f3a2b1c env:prod", "from": "now-1h", "to": "now" },
  "sort": "timestamp"
}'
Save a reusable query
composio search "save log view" --toolkits datadog
composio execute DATADOG_CREATE_SAVED_VIEW -d '{
  "name": "checkout-errors-prod",
  "query": "service:checkout status:error env:prod"
}'
Pipe into Local Analysis
Datadog output is JSON on stdout — pipe to jq for quick summaries:
composio execute DATADOG_SEARCH_LOGS -d '{
  "filter": {"query":"service:api status:error","from":"now-30m","to":"now"},
  "page":{"limit":500}
}' | jq -r '.data[].attributes.message' | sort | uniq -c | sort -rn | head
Multi-Step Workflow
Save as scripts/dd-incident.ts, then composio run --file scripts/dd-incident.ts -- --service checkout:
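// indexOf returns -1 when --service is absent, so check before indexing into argv.
const flag = process.argv.indexOf("--service");
const svc = flag >= 0 ? process.argv[flag + 1] : undefined;
// Conservative allowlist: the value is interpolated into the Datadog query, so reject
// anything that could add extra search terms (spaces, quotes, colons, wildcards).
if (!svc || !/^[\w.-]+$/.test(svc)) throw new Error("usage: --service <name>");

// Raw error events, newest first.
const errors = await execute("DATADOG_SEARCH_LOGS", {
  filter: { query: `service:${svc} status:error`, from: "now-1h", to: "now" },
  page: { limit: 200 }, sort: "-timestamp"
});
// Error counts grouped by URL path.
const topPaths = await execute("DATADOG_AGGREGATE_LOGS", {
  filter: { query: `service:${svc} status:error`, from: "now-1h", to: "now" },
  group_by: [{ facet: "@http.url_path", limit: 10 }],
  compute: [{ aggregation: "count" }]
});
console.log(JSON.stringify({ svc, sample: errors.data?.slice(0,5), topPaths }, null, 2));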
Schedule a Daily Digest
Use cron (or composio dev listen for triggers) to run the workflow and forward results to Slack:
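# mktemp creates a private file with an unpredictable name; a fixed /tmp path is
# readable by other local users under the default umask.
digest="$(mktemp)"
composio run --file scripts/dd-incident.ts -- --service checkout \
  | tee "$digest"
composio execute SLACK_SEND_MESSAGE -d "$(jq -n \
  --slurpfile d "$digest" \
  '{channel:"oncall", text: ($d[0] | tojson)}')"
rm -f "$digest"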
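Raw log messages often carry tokens and e-mail addresses, and per-request IDs make `uniq -c` style counts fragment. The following is an added example, not part of the Composio CLI or the original page, that redacts and groups messages before a digest is forwarded; the names `redact` and `summarize`, the patterns, and the sample data are assumptions, and the response shape follows the `.data[].attributes.message` path used above.

```typescript
// Added example: shapes follow the `.data[].attributes.message` path used on this page.
type LogEvent = { attributes?: { message?: string } };
type SearchResult = { data?: LogEvent[] };

// Values that should not leave the log platform (illustrative patterns, not exhaustive).
const REDACTIONS: [RegExp, string][] = [
  [/\bBearer\s+[A-Za-z0-9._~+\/=-]+/g, "Bearer [REDACTED]"],
  [/\b(api[_-]?key|token|password|secret)=[^\s&"']+/gi, "$1=[REDACTED]"],
  [/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, "[EMAIL]"],
];

// Variable fragments become placeholders so repeated errors share one template.
const NORMALIZERS: [RegExp, string][] = [
  [/\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi, "<uuid>"],
  [/\b\d{1,3}(\.\d{1,3}){3}\b/g, "<ip>"],
  [/\b\d+\b/g, "<n>"],
];

function applyAll(text: string, rules: [RegExp, string][]): string {
  return rules.reduce((acc, [re, sub]) => acc.replace(re, sub), text);
}

function redact(message: string): string {
  return applyAll(message, REDACTIONS);
}

// Top `limit` message templates with counts; redaction runs before normalization.
function summarize(result: SearchResult, limit = 10): { template: string; count: number }[] {
  const counts: Record<string, number> = Object.create(null); // no inherited keys
  for (const ev of result.data ?? []) {
    const msg = ev.attributes?.message;
    if (typeof msg !== "string") continue; // skip events without a message
    const key = applyAll(redact(msg), NORMALIZERS);
    counts[key] = (counts[key] ?? 0) + 1;
  }
  return Object.keys(counts)
    .map((template) => ({ template, count: counts[template] ?? 0 }))
    .sort((a, b) => b.count - a.count || a.template.localeCompare(b.template))
    .slice(0, limit);
}

// Constructed sample input (not real Datadog output).
const SAMPLE: SearchResult = { data: [
  { attributes: { message: "payment 4821 failed for alice@example.com from 10.0.0.7" } },
  { attributes: { message: "payment 4822 failed for bob@example.com from 10.0.0.9" } },
  { attributes: { message: "upstream 401 with Authorization: Bearer abc.def.ghi" } },
  { attributes: {} },
] };
console.log(JSON.stringify(summarize(SAMPLE), null, 2));
```
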
Troubleshooting
- Empty results → confirm env: and service: tags; Datadog indexes are region-scoped — set the right site during composio link datadog.
- 403 Forbidden → the APP key lacks logs_read; regenerate with scope and re-link.
- Slow queries → narrow from/to, add a facet filter, or use DATADOG_AGGREGATE_LOGS instead of pulling raw events.
- Unknown facet → composio search "list log facets" --toolkits datadog.
Full CLI reference: docs.composio.dev/docs/cli