Indexes

By default, a BYOC (Bring Your Own Cloud) Logs cluster stores all logs in a single index with a single retention policy. With multiple indexes, you can segment logs by defining filter queries and assigning a different retention period to each index. For example, you can retain audit logs for 1 year while keeping debug logs for only 3 days.

To view and manage your BYOC Logs indexes, navigate to the BYOC Logs page in Datadog. Select a cluster and click View Indexes to access the index configuration.

Indexes filters

When a log is ingested, BYOC Logs evaluates each index’s filter from top to bottom and routes the log to the first matching index. This means index order matters:

• Place indexes with more specific filters above indexes with broader filters. For example, source:security env:production should appear above source:security.
• A catch-all index with a * filter at the bottom ensures that no logs are dropped.
• A log matches at most one index.

You can reorder indexes at any time by dragging rows or using the Move to action.

Retention per index

Each index has its own retention period, which determines how long logs are stored before automatic deletion.

Searching across indexes

To query logs stored in BYOC Logs, select one or more BYOC Logs indexes in the Log Explorer. You can select a specific index to narrow your search, or select all indexes in a cluster to search across them. From the index configuration page, use View in Log Explorer to open a filtered view for a given index.

For more information, see Search BYOC Logs.

Further reading

Request a personalized demo