{"id":"feb44458-8fdb-4786-a9ce-fe87430e5e4d","shortId":"uSGU2t","kind":"skill","title":"dt-obs-logs","tagline":">-","description":"# Log Analysis Skill\n\nQuery, filter, and analyze Dynatrace log data using DQL for troubleshooting and monitoring.\n\n## What This Skill Covers\n\n- Fetching and filtering logs by severity, content, and entity\n- Searching log messages using pattern matching\n- Calculating error rates and statistics\n- Analyzing log patterns and trends\n- Grouping and aggregating log data by dimensions\n\n> **Cross-source join required:** If the query must combine logs with host attributes\n> (OS type, hostname, IP address, cloud provider) → also read\n> `dt-dql-essentials/references/smartscape-topology-navigation.md` before writing the query.\n\n---\n\n## Use Cases\nUse this skill when users want to:\n- Find specific log entries (e.g., \"show me error logs from the last hour\")\n- Filter logs by severity, process group, or content\n- Search logs for specific keywords or phrases\n- Calculate error rates or log statistics\n- Identify common error messages or patterns\n- Analyze log trends over time\n- Troubleshoot issues using log data\n\n## Key Concepts\n\n### Log Data Model\n- **timestamp**: When the log entry was created\n- **content**: The log message text\n- **status**: Log level (ERROR, FATAL, WARN, INFO, etc.)\n- **dt.process_group.id**: Associated process group entity\n- **dt.process_group.detected_name**: Resolves process group IDs to human-readable names\n\n### Query Patterns\n- **fetch logs**: Primary command for log data access\n- **Time ranges**: Use `from:now() - <duration>` for time windows\n- **Filtering**: Apply severity, content, and entity filters\n- **Aggregation**: Group and summarize log data\n- **Pattern Detection**: Use `matchesPhrase()` and `contains()` for content search\n\n### Common Operations\n- Severity filtering (single or multiple levels)\n- Content search (simple and full-text)\n- Entity-based filtering (process 
groups)\n- Time-series analysis (bucketing, sorting)\n- Error rate calculation\n- Pattern analysis (exceptions, timeouts, etc.)\n\n## Core Workflows\n\n### 1. Log Searching\nFind specific log entries by time, severity, and content.\n\n**Typical steps**:\n1. Define time range\n2. Filter by severity (optional)\n3. Search content for keywords\n4. Select relevant fields\n5. Sort and limit results\n\n**Example**:\n```dql\nfetch logs, from:now() - 1h\n| filter status == \"ERROR\"\n| fields timestamp, content, process_group = dt.process_group.detected_name\n| sort timestamp desc\n| limit 100\n```\n\n### 2. Log Filtering\nNarrow down logs using multiple criteria (severity, entity, content).\n\n**Typical steps**:\n1. Fetch logs with time range\n2. Apply severity filters\n3. Filter by entity (process_group)\n4. Apply content filters\n5. Format and sort output\n\n**Example**:\n```dql\nfetch logs, from:now() - 2h\n| filter in(status, {\"ERROR\", \"FATAL\", \"WARN\"})\n| summarize count(), by: {dt.process_group.id, dt.process_group.detected_name}\n| fieldsAdd process_group = dt.process_group.detected_name\n| sort `count()` desc\n```\n\n### 3. Pattern Analysis\nIdentify patterns, trends, and anomalies in log data.\n\n**Typical steps**:\n1. Fetch logs with time range\n2. Add pattern detection fields\n3. Aggregate by entity or time\n4. Calculate statistics and ratios\n5. 
Sort by frequency or rate\n\n**Example**:\n```dql\nfetch logs, from:now() - 2h\n| filter status == \"ERROR\"\n| fieldsAdd\n    has_exception = if(matchesPhrase(content, \"exception\"), true, else: false),\n    has_timeout = if(matchesPhrase(content, \"timeout\"), true, else: false)\n| summarize\n    count(),\n    exception_count = countIf(has_exception == true),\n    timeout_count = countIf(has_timeout == true),\n    by: {process_group = dt.process_group.detected_name}\n```\n\n## Key Functions\n\n### Filtering\n- `filter status == \"ERROR\"` - Filter by status level\n- `in(status, {\"ERROR\", \"FATAL\", \"WARN\"})` - Multi-status filter (use curly braces for literal sets)\n- `contains(content, \"keyword\")` - Simple substring search\n- `matchesPhrase(content, \"exact phrase\")` - Full-text phrase search\n\n### Entity Operations\n- `dt.process_group.detected_name` - Get human-readable process group name\n- `filter process_group == \"service-name\"` - Filter by specific entity\n\n### Aggregation\n- `count()` - Count all log entries\n- `countIf(condition)` - Conditional count\n- `by: {dimension}` - Group by entity or time bucket\n- `bin(timestamp, 5m)` - Time bucketing for trends\n\n### Field Operations\n- `fields timestamp, content, status` - Select specific fields\n- `fieldsAdd name = expression` - Add computed fields\n- `if(condition, true_value, else: false_value)` - Conditional logic\n\n## Common Patterns\n\n### Content Search\nSimple substring search:\n```dql\nfetch logs, from:now() - 1h\n| filter contains(content, \"database\")\n| fields timestamp, content, status\n```\n\nFull-text phrase search:\n```dql\nfetch logs, from:now() - 1h\n| filter matchesPhrase(content, \"connection timeout\")\n| fields timestamp, content, process_group = dt.process_group.detected_name\n```\n\n### Error Rate Calculation\nCalculate error rates over time:\n```dql\nfetch logs, from:now() - 2h\n| summarize\n    total_logs = count(),\n    error_logs = countIf(status == \"ERROR\"),\n    
by: {time_bucket = bin(timestamp, 5m)}\n| fieldsAdd error_rate = (error_logs * 100.0) / total_logs\n| sort time_bucket asc\n```\n\n### Top Error Messages\nFind most common errors:\n```dql\nfetch logs, from:now() - 24h\n| filter status == \"ERROR\"\n| summarize error_count = count(), by: {content}\n| sort error_count desc\n| limit 20\n```\n\n### Process Group-Specific Logs\nFilter logs by process group:\n```dql\nfetch logs, from:now() - 1h\n| fieldsAdd process_group = dt.process_group.detected_name\n| filter process_group == \"payment-service\"\n| filter status == \"ERROR\"\n| fields timestamp, content, status\n| sort timestamp desc\n```\n\n### Structured / JSON Log Parsing\nMany applications emit JSON-formatted log lines. Use `parse` to extract fields instead of dumping raw content:\n\n```dql\nfetch logs, from:now() - 1h\n| filter status == \"ERROR\"\n| parse content, \"JSON:log\"\n| fieldsAdd level = log[level], message = log[msg], error = log[error]\n| fields timestamp, level, message, error\n| sort timestamp desc\n| limit 50\n```\n\nAggregate by a parsed field:\n```dql\nfetch logs, from:now() - 4h\n| filter status == \"ERROR\"\n| parse content, \"JSON:log\"\n| fieldsAdd message = log[msg]\n| summarize error_count = count(), by: {message}\n| sort error_count desc\n| limit 20\n```\n\n**Notes:**\n- `parse content, \"JSON:log\"` creates a record field `log` — access nested values with `log[key]`\n- Filter logs with `contains()` **before** `parse` to reduce parsing overhead\n- Works with any JSON-structured field, not just `content`\n\n## Best Practices\n\n1. **Always specify time ranges** - Use `from:now() - <duration>` to limit data\n2. **Apply filters early** - Filter by severity and entity before aggregation\n3. **Use appropriate search methods** - `contains()` for simple, `matchesPhrase()` for exact\n4. **Limit results** - Add `| limit 100` to prevent overwhelming output\n5. **Sort meaningfully** - Sort by timestamp for recent logs, by count for top errors\n6. 
**Name entities** - Use `dt.process_group.detected_name` or `getNodeName()` for human-readable output\n7. **Use time buckets for trends** - `bin(timestamp, 5m)` for time-series analysis\n\n## Integration Points\n\n- **Entity model**: Uses `dt.process_group.id` for service correlation\n- **Time series**: Supports temporal analysis with `bin()` and time ranges\n- **Content search**: Full-text search capabilities via `matchesPhrase()`\n- **Aggregation**: Statistical analysis using `summarize` and conditional functions\n\n## Limitations & Notes\n\n- Log availability depends on OneAgent configuration and log ingestion\n- Full-text search (`matchesPhrase`) may have performance implications on large datasets\n- Entity names require proper OneAgent monitoring for resolution\n- Time ranges should be reasonable (avoid unbounded queries)\n\n## Troubleshooting\n\n| Problem | Cause | Solution |\n|---------|-------|----------|\n| No logs returned | Missing time range or too narrow | Widen `from:` window; verify log ingestion is active |\n| `getNodeName()` returns null | OneAgent not monitoring the entity or entity not yet resolved | Verify OneAgent is deployed and entity is discovered; use `dt.process_group.detected_name` as a reliable alternative |\n| `matchesPhrase()` slow on large data | Full-text search without pre-filtering | Add `filter status == \"ERROR\"` before `matchesPhrase()` |\n| Wrong field name `log.level` | Common mistake | Use `loglevel` (no dot) for severity; see dt-dql-essentials |\n| Empty `content` field | Log line was empty or not ingested | Check log source configuration in OneAgent |\n\n## Related Skills\n\n- **dt-dql-essentials** - Core DQL syntax and query structure for log queries\n- **dt-obs-tracing** - Correlate logs with distributed traces using trace IDs\n- **dt-obs-problems** - Correlate logs with DAVIS-detected 
problems","tags":["obs","logs","dynatrace","for","agent-skills","ai-agents","claude-code","devops","dql","mcp","observability"],"capabilities":["skill","source-dynatrace","skill-dt-obs-logs","topic-agent-skills","topic-ai-agents","topic-claude-code","topic-devops","topic-dql","topic-dynatrace","topic-mcp","topic-observability"],"categories":["dynatrace-for-ai"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/Dynatrace/dynatrace-for-ai/dt-obs-logs","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add Dynatrace/dynatrace-for-ai","source_repo":"https://github.com/Dynatrace/dynatrace-for-ai","install_from":"skills.sh"}},"qualityScore":"0.489","qualityRationale":"deterministic score 0.49 from registry signals: · indexed on github topic:agent-skills · 78 github stars · SKILL.md body (8,794 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:56:48.315Z","embedding":null,"createdAt":"2026-05-11T18:57:14.424Z","updatedAt":"2026-05-18T18:56:48.315Z","lastSeenAt":"2026-05-18T18:56:48.315Z","prices":[{"id":"1f5f419b-cba4-4e66-aff3-c5c6846e3f44","listingId":"feb44458-8fdb-4786-a9ce-fe87430e5e4d","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"Dynatrace","category":"dynatrace-for-ai","install_from":"skills.sh"},"createdAt":"2026-05-11T18:57:14.424Z"}],"sources":[{"listingId":"feb44458-8fdb-4786-a9ce-fe87430e5e4d","source":"github","sourceId":"Dynatrace/dynatrace-for-ai/dt-obs-logs","sourceUrl":"https://github.com/Dynatrace/dynatrace-for-ai/tree/main/skills/dt-obs-logs","isPrimary":false,"firstSeenAt":"2026-05-11T18:57:14.424Z","lastSeenAt":"2026-05-18T18:56:48.315Z"}],"details":{"listingId":"feb44458-8fdb-4786-a9ce-fe87430e5e4d","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"Dynatrace","slug":"dt-obs-logs","github":{"repo":"Dynatrace/dynatrace-for-ai","stars":78,"topics":["agent-skills","ai-agents","claude-code","devops","dql","dynatrace","mcp","observability"],"license":"apache-2.0","html_url":"https://github.com/Dynatrace/dynatrace-for-ai","pushed_at":"2026-05-15T16:06:09Z","description":"Skills, prompts, and instructions for building AI agents on top of Dynatrace production context","skill_md_sha":"742c88c233324d7477eedf66de4733a538453186","skill_md_path":"skills/dt-obs-logs/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/Dynatrace/dynatrace-for-ai/tree/main/skills/dt-obs-logs"},"layout":"multi","source":"github","category":"dynatrace-for-ai","frontmatter":{"name":"dt-obs-logs","license":"Apache-2.0","description":">-"},"skills_sh_url":"https://skills.sh/Dynatrace/dynatrace-for-ai/dt-obs-logs"},"updatedAt":"2026-05-18T18:56:48.315Z"}}