If you experience unexpected behavior with Datadog Logs, there are a few common issues you can investigate and this guide may help resolve issues quickly. If you continue to have trouble, reach out to Datadog support for further assistance.
Missing logs - logs daily quota reached
You have not made any changes to your log configuration, but the Log Explorer shows that logs are missing for today. This may be happening because you have reached your daily quota.
See Set daily quota for more information on setting up, updating or removing the quota.
Missing logs - timestamp outside of the ingestion window
Logs with a timestamp further than 18 hours in the past are dropped at intake.
Fix the issue at the source by checking which service
and source
are impacted with the datadog.estimated_usage.logs.drop_count
metric.
Unable to parse timestamp key from JSON logs
If you are unable to convert the timestamp of JSON logs to a recognized date format before they are ingested into Datadog, follow these steps to convert and map the timestamps using Datadog’s arithmetic processor and log date remapper:
Navigate to the Pipelines page.
In Pipelines, hover over Preprocessing for JSON logs, and click the pencil icon.
Remove timestamp
from the reserved attribute mapping list. The attribute is not being parsed as the official timestamp of the log during preprocessing.
Set up the arithmetic processor so that the formula multiples your timestamp by 1000 to convert it to milliseconds. The formula’s result is a new attribute.
Set up the log date remapper to use the new attribute as the official timestamp.
Go to Log Explorer to see new JSON logs with their mapped timestamp.
Truncated logs
Logs above 1MB are truncated. Fix the issue at the source by checking which service
and source
are impacted with the datadog.estimated_usage.logs.truncated_count
and datadog.estimated_usage.logs.truncated_bytes
metrics.
Truncated log messages
There is an additional truncation in fields that applies only to indexed logs: the value is truncated to 75 KiB for the message field and 25 KiB for non-message fields. Datadog stores the full text, and it remains visible in regular list queries in the Log Explorer. However, the truncated version is displayed when performing a grouped query, such as when grouping logs by that truncated field or performing similar operations that display that specific field.