{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://raw.githubusercontent.com/api-evangelist/datadog/refs/heads/main/json-schema/datadog-log-event-schema.json", "title": "Datadog Log Event", "description": "A log event stored in Datadog Log Management. Log events represent individual log entries collected from applications, infrastructure, cloud services, and custom sources. Each log event has a unique identifier, a timestamp, a message, and optional structured attributes extracted from the log content. Logs are indexed and searchable using Datadog's log query language and can be correlated with metrics, traces, and events for full observability.", "type": "object", "properties": { "id": { "type": "string", "description": "The unique string identifier assigned by Datadog to this log event. The ID is generated at ingestion time and can be used to retrieve a specific log event via the API or Logs Explorer." }, "type": { "type": "string", "description": "The resource type identifier for log events returned by the Datadog API (always 'log')", "enum": ["log"] }, "content": { "$ref": "#/$defs/LogContent" }, "attributes": { "$ref": "#/$defs/LogAttributes" } }, "$defs": {
  "LogContent": { "type": "object", "description": "The core content fields of a log event representing the primary log data as ingested and processed by Datadog. These fields are standardized across all log sources and are always present after log processing.", "properties": { "message": { "type": "string", "description": "The raw or processed log message content. This is the primary searchable text content of the log event. For structured logs, this may be the entire JSON payload or a human-readable summary extracted during log processing." }, "timestamp": { "type": "string", "format": "date-time", "description": "ISO 8601 timestamp indicating when the log event was generated by the source application or system. This is the official time of the log event, distinct from the ingestion time at which Datadog received it." }, "host": { "type": "string", "description": "The hostname or IP address of the machine that generated this log event. Used for infrastructure correlation, host maps, and filtering logs by host in the Logs Explorer." }, "service": { "type": "string", "description": "The name of the application, microservice, or system that generated this log event. Used for service-level filtering and correlation with APM traces and monitors." }, "source": { "type": "string", "description": "The technology or integration that generated this log event (e.g., nginx, python, aws.cloudtrail). Used to apply automatic log processing pipelines and categorize logs by source technology." }, "status": { "type": "string", "description": "The severity or log level of the event indicating its importance and type. Mapped from source log levels to Datadog's standardized status levels during log processing.", "enum": ["emerg", "alert", "critical", "error", "warning", "notice", "info", "debug", "ok", "trace"] }, "tags": { "type": "array", "description": "List of tags applied to this log event in key:value format. Tags are added during collection by the Datadog Agent or at ingestion time via log pipelines. Used for filtering and correlating logs across services and infrastructure.", "items": { "type": "string", "description": "A tag in key:value format (e.g., env:production, version:1.2.3)" } } } },
  "LogAttributes": { "type": "object", "description": "Structured attributes extracted from the log message during log processing. Attributes are key-value pairs parsed from the log content using Datadog's log processing pipelines. Custom attributes can be extracted using Grok parsers and remappers configured for your log sources.", "properties": { "timestamp": { "type": "string", "format": "date-time", "description": "ISO 8601 timestamp of the log event as returned in the API response attributes object" }, "status": { "type": "string", "description": "The standardized Datadog log status level mapped from the original log level indicator" }, "message": { "type": "string", "description": "The processed log message content as stored in the log event attributes" }, "host": { "type": "string", "description": "The hostname associated with this log event as stored in structured attributes" }, "service": { "type": "string", "description": "The service name associated with this log event as stored in structured attributes" }, "source": { "type": "string", "description": "The source integration or technology associated with this log event" }, "tags": { "type": "array", "description": "The list of tags associated with this log event as stored in structured attributes", "items": { "type": "string" } }, "usr": { "$ref": "#/$defs/UserAttributes" }, "http": { "$ref": "#/$defs/HttpAttributes" }, "network": { "$ref": "#/$defs/NetworkAttributes" }, "logger": { "$ref": "#/$defs/LoggerAttributes" }, "error": { "$ref": "#/$defs/ErrorAttributes" } }, "additionalProperties": true },
  "UserAttributes": { "type": "object", "description": "Standardized user context attributes following Datadog's standard attribute naming for user-related information extracted from log events. These fields identify individuals, so treat them as personal data when setting log access and retention.", "properties": { "id": { "type": "string", "description": "The unique identifier of the user who performed the action recorded in the log event" }, "name": { "type": "string", "description": "The display name or full name of the user associated with this log event" }, "email": { "type": "string", "format": "email", "description": "The email address of the user associated with this log event" }, "role": { "type": "string", "description": "The role or permission level of the user at the time the log event was generated" } } },
  "HttpAttributes": { "type": "object", "description": "Standardized HTTP request and response attributes following Datadog's standard attribute naming for web access logs and HTTP instrumentation.", "properties": { "method": { "type": "string", "description": "The HTTP request method (e.g., GET, POST, PUT, DELETE, PATCH)", "enum": ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "TRACE", "CONNECT"] }, "status_code": { "type": "integer", "description": "The HTTP response status code returned by the server", "minimum": 100, "maximum": 599 }, "url": { "type": "string", "description": "The full URL of the HTTP request including scheme, host, path, and query parameters. Query strings can carry tokens or other secrets; scrub them before ingestion where that is a concern." }, "url_details": { "type": "object", "description": "Parsed components of the HTTP URL for structured querying and filtering", "properties": { "host": { "type": "string", "description": "The hostname portion of the request URL" }, "port": { "type": "integer", "description": "The port number of the HTTP request" }, "path": { "type": "string", "description": "The URL path component of the request" }, "queryString": { "type": "string", "description": "The raw query string portion of the URL" }, "scheme": { "type": "string", "description": "The URL scheme (http or https)" } } }, "referer": { "type": "string", "description": "The HTTP Referer header value indicating the URL of the referring page" }, "useragent": { "type": "string", "description": "The HTTP User-Agent header value identifying the client making the request" }, "version": { "type": "string", "description": "The HTTP protocol version used for the request (e.g., HTTP/1.1, HTTP/2)" }, "bytes_written": { "type": "integer", "format": "int64", "description": "The number of bytes written in the HTTP response body" } } },
  "NetworkAttributes": { "type": "object", "description": "Standardized network connection attributes following Datadog's standard attribute naming for network-level log information.", "properties": { "client": { "type": "object", "description": "Network attributes for the client side of the connection", "properties": { "ip": { "type": "string", "description": "The IP address of the client making the network request" }, "port": { "type": "integer", "description": "The source port number used by the client" }, "geoip": { "type": "object", "description": "Geolocation information derived from the client IP address", "properties": { "country": { "type": "object", "description": "Country-level geolocation data for the client IP", "properties": { "iso_code": { "type": "string", "description": "ISO 3166-1 alpha-2 country code for the client IP location" }, "name": { "type": "string", "description": "The full country name for the client IP location" } } } } } } }, "destination": { "type": "object", "description": "Network attributes for the destination side of the connection", "properties": { "ip": { "type": "string", "description": "The IP address of the destination server receiving the connection" }, "port": { "type": "integer", "description": "The destination port number on the server" } } }, "bytes_read": { "type": "integer", "format": "int64", "description": "Total bytes read from the network connection" }, "bytes_written": { "type": "integer", "format": "int64", "description": "Total bytes written to the network connection" } } },
  "LoggerAttributes": { "type": "object", "description": "Attributes from the logging framework or library that generated the log event, following Datadog's standard attribute naming.", "properties": { "name": { "type": "string", "description": "The name of the logger instance or category that produced this log event (e.g., com.example.service.UserController)" }, "thread_name": { "type": "string", "description": "The name of the thread that produced this log event" }, "method_name": { "type": "string", "description": "The name of the method or function that produced this log event" }, "version": { "type": "string", "description": "The version of the logging framework or library used to generate this log event" } } },
  "ErrorAttributes": { "type": "object", "description": "Standardized error attributes for log events that represent errors or exceptions, following Datadog's standard attribute naming.", "properties": { "kind": { "type": "string", "description": "The type or class of error (e.g., NullPointerException, ValueError, TypeError)" }, "message": { "type": "string", "description": "The error message describing what went wrong" }, "stack": { "type": "string", "description": "The full stack trace of the exception as a multi-line string" } } }
} }