Datadog Logs

Query Datadog logs through the Composio CLI so the agent can filter, pivot, and summarize without you pasting screenshots.

When to Use

• Investigating a spike, error surge, or latency regression and you want structured JSON back.
• Correlating a deploy with log volume changes across services/environments.
• Building a scheduled "what broke overnight" digest.

Prereqs

curl -fsSL https://composio.dev/install | bash
composio login
composio link datadog       # prompts for site + API/APP keys

Discover Tools

composio search "search logs" --toolkits datadog
composio search "aggregate logs" --toolkits datadog
composio tools list datadog

Commonly used slugs (confirm with --get-schema):

• DATADOG_SEARCH_LOGS
• DATADOG_AGGREGATE_LOGS
• DATADOG_LIST_ACTIVE_METRICS
• DATADOG_GET_EVENT

Filter Recipes

Errors from one service in the last 15 minutes

composio execute DATADOG_SEARCH_LOGS -d '{
  "filter": {
    "query": "service:checkout status:error env:prod",
    "from": "now-15m",
    "to": "now"
  },
  "page": { "limit": 100 },
  "sort": "-timestamp"
}'

Aggregate error count by endpoint

composio execute DATADOG_AGGREGATE_LOGS -d '{
  "filter": { "query": "service:checkout status:error", "from": "now-1h", "to": "now" },
  "group_by": [{ "facet": "@http.url_path", "limit": 20 }],
  "compute": [{ "aggregation": "count" }]
}'

Trace a single request across services

composio execute DATADOG_SEARCH_LOGS -d '{
  "filter": { "query": "@trace_id:7f3a2b1c env:prod", "from": "now-1h", "to": "now" },
  "sort": "timestamp"
}'

Save a reusable query

composio search "save log view" --toolkits datadog
composio execute DATADOG_CREATE_SAVED_VIEW -d '{
  "name": "checkout-errors-prod",
  "query": "service:checkout status:error env:prod"
}'

Pipe into Local Analysis

Datadog output is JSON on stdout — pipe to jq for quick summaries:

composio execute DATADOG_SEARCH_LOGS -d '{
  "filter": {"query":"service:api status:error","from":"now-30m","to":"now"},
  "page":{"limit":500}
}' | jq -r '.data[].attributes.message' | sort | uniq -c | sort -rn | head

Multi-Step Workflow

Save as scripts/dd-incident.ts, then composio run --file scripts/dd-incident.ts -- --service checkout:

const svc = process.argv[process.argv.indexOf("--service") + 1];

const errors = await execute("DATADOG_SEARCH_LOGS", {
  filter: { query: `service:${svc} status:error`, from: "now-1h", to: "now" },
  page: { limit: 200 }, sort: "-timestamp"
});

const topPaths = await execute("DATADOG_AGGREGATE_LOGS", {
  filter: { query: `service:${svc} status:error`, from: "now-1h", to: "now" },
  group_by: [{ facet: "@http.url_path", limit: 10 }],
  compute: [{ aggregation: "count" }]
});

console.log(JSON.stringify({ svc, sample: errors.data?.slice(0,5), topPaths }, null, 2));

Schedule a Daily Digest

Use cron (or composio dev listen for triggers) to run the workflow and forward results to Slack:

composio run --file scripts/dd-incident.ts -- --service checkout \
  | tee /tmp/digest.json

composio execute SLACK_SEND_MESSAGE -d "$(jq -n \
  --slurpfile d /tmp/digest.json \
  '{channel:"oncall", text: ($d[0] | tojson)}')"

Troubleshooting

• Empty results → confirm env: and service: tags; Datadog indexes are region-scoped — set the right site during composio link datadog.
• 403 Forbidden → the APP key lacks logs_read; regenerate with scope and re-link.
• Slow queries → narrow from/to, add a facet filter, or use DATADOG_AGGREGATE_LOGS instead of pulling raw events.
• Unknown facet → composio search "list log facets" --toolkits datadog.

Full CLI reference: docs.composio.dev/docs/cli