
Datadog

MCP server providing comprehensive Datadog observability access for AI assistants. Features grep-like log search, APM trace filtering with duration/status/error queries, smart sampling modes for token efficiency, and cross-correlation between logs, traces, and metrics.

monitoring · ai
By TANTIOPE
43 · Updated 3 days ago · TypeScript · Apache-2.0

Installation

npx -y datadog-mcp-server

Configuration

{
  "mcpServers": {
    "datadog-mcp-server": {
      "command": "npx",
      "args": ["-y", "datadog-mcp-server"]
    }
  }
}

How to use

  1. Run the installation command above (if needed)
  2. Open your Claude Code settings file (~/.claude/settings.json)
  3. Add the configuration to the mcpServers section
  4. Restart Claude Code to apply changes

Datadog MCP Server


DISCLAIMER: This is a community-maintained project and is not officially affiliated with, endorsed by, or supported by Datadog, Inc. This MCP server utilizes the Datadog API but is developed independently.

MCP server providing AI assistants with full Datadog observability access. Features grep-like log search, APM trace filtering with duration/status/error queries, smart sampling modes for token efficiency, and cross-correlation between logs, traces, and metrics. Supports both stdio (local) and http (remote/Kubernetes) transports.

Quick Start

Minimal Claude Desktop / VS Code / Cursor config — just the two required keys:

{
  "mcpServers": {
    "datadog": {
      "command": "npx",
      "args": ["-y", "datadog-mcp"],
      "env": {
        "DD_API_KEY": "your-api-key",
        "DD_APP_KEY": "your-app-key"
      }
    }
  }
}

With optional tuning (EU site, custom default limits, longer log windows):

{
  "mcpServers": {
    "datadog": {
      "command": "npx",
      "args": ["-y", "datadog-mcp"],
      "env": {
        "DD_API_KEY": "your-api-key",
        "DD_APP_KEY": "your-app-key",
        "DD_SITE": "datadoghq.eu",
        "MCP_DEFAULT_LIMIT": "50",
        "MCP_DEFAULT_LOG_LINES": "200",
        "MCP_DEFAULT_METRIC_POINTS": "1000",
        "MCP_DEFAULT_TIME_RANGE": "24"
      }
    }
  }
}

To run as an HTTP server (e.g. inside a container or Kubernetes pod), add transport variables to the same env block:

"env": {
  "DD_API_KEY": "your-api-key",
  "DD_APP_KEY": "your-app-key",
  "MCP_TRANSPORT": "http",
  "MCP_PORT": "3000",
  "MCP_HOST": "0.0.0.0"
}

Configuration

Required environment variables

DD_API_KEY=your-api-key
DD_APP_KEY=your-app-key

Optional environment variables

DD_SITE=datadoghq.com  # Default. Use datadoghq.eu for EU, etc.

# Limit defaults (fallbacks when the AI doesn't specify)
MCP_DEFAULT_LIMIT=50              # General tools default limit
MCP_DEFAULT_LOG_LINES=200         # Logs tool default limit
MCP_DEFAULT_METRIC_POINTS=1000    # Metrics timeseries data points
MCP_DEFAULT_TIME_RANGE=24         # Default time range in hours

# Transport (alternative to CLI flags — useful in Kubernetes)
MCP_TRANSPORT=stdio               # stdio | http
MCP_PORT=3000                     # HTTP port
MCP_HOST=0.0.0.0                  # HTTP host

Optional flags

--site=datadoghq.com     # Datadog site (overrides DD_SITE)
--transport=stdio|http   # Transport mode (default: stdio)
--port=3000              # HTTP port when using http transport
--host=0.0.0.0           # HTTP host when using http transport
--read-only              # Block all write operations
--disable-tools=synthetics,rum,security    # Comma-separated list of tools to disable

Transports

| Transport | When to use | Endpoints |
|---|---|---|
| stdio (default) | Local MCP clients — Claude Desktop, Cursor, VS Code | n/a (process stdin/stdout) |
| http | Remote / container / Kubernetes | POST /mcp · GET /mcp (SSE) · DELETE /mcp · GET /health |

Select with --transport=http or MCP_TRANSPORT=http.
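
A defender-side check for the settings covered above, as an added example that is not part of the project's code: it audits mcpServers entries for Datadog keys written literally into the file, a missing --read-only flag, and HTTP transport that is not pinned to loopback. The function names and finding labels are hypothetical, the sample values are constructed, and treating either the flag or the environment variable as selecting HTTP is an assumption chosen to stay conservative.

```javascript
// Added example: audit MCP client config entries for this server.
// Flag and env names come from the page; function names, finding labels
// and sample values are constructed for illustration.
const PLACEHOLDERS = new Set(["your-api-key", "your-app-key"]);
const LOOPBACK = new Set(["127.0.0.1", "localhost", "::1"]);

// Only args that follow the package name reach the server; earlier ones go to npx.
function serverFlags(args) {
  const i = args.findIndex((a) => a.includes("datadog-mcp"));
  return i === -1 ? [] : args.slice(i + 1);
}

function flagValue(flags, name) {
  const hit = flags.find((f) => f.startsWith(name + "="));
  return hit ? hit.slice(name.length + 1) : undefined;
}

function auditEntry(entry) {
  const env = entry.env || {};
  const flags = serverFlags(entry.args || []);
  const findings = [];
  // Keys stored in the settings file are readable by anything that can read it.
  for (const key of ["DD_API_KEY", "DD_APP_KEY"]) {
    if (env[key] && !PLACEHOLDERS.has(env[key])) findings.push("LITERAL_" + key);
  }
  // Without --read-only the create/update/delete/mute actions stay reachable.
  if (!flags.includes("--read-only")) findings.push("WRITES_ENABLED");
  // HTTP transport listening beyond loopback needs a network-level restriction.
  const http = [flagValue(flags, "--transport"), env.MCP_TRANSPORT].includes("http");
  const host = flagValue(flags, "--host") || env.MCP_HOST;
  if (http && !LOOPBACK.has(host)) findings.push("HTTP_NOT_LOOPBACK");
  return findings;
}

function auditConfig(config) {
  const report = {};
  for (const [name, entry] of Object.entries(config.mcpServers || {})) {
    report[name] = auditEntry(entry);
  }
  return report;
}

// Constructed sample; the tightened entry assumes keys are injected outside the file.
const SAMPLE = { mcpServers: {
  permissive: { command: "npx", args: ["-y", "datadog-mcp"],
    env: { DD_API_KEY: "constructed-not-a-real-key", MCP_TRANSPORT: "http", MCP_HOST: "0.0.0.0" } },
  tightened: { command: "npx", env: {},
    args: ["-y", "datadog-mcp", "--read-only", "--disable-tools=synthetics,rum,security"] },
} };
```

Calling auditConfig(SAMPLE) returns a map from entry name to its list of findings; an empty list means none of the three checks fired.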

Deployment

Docker

{
  "mcpServers": {
    "datadog": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "DD_API_KEY",
        "-e", "DD_APP_KEY",
        "-e", "DD_SITE",
        "ghcr.io/tantiope/datadog-mcp"
      ],
      "env": {
        "DD_API_KEY": "your-api-key",
        "DD_APP_KEY": "your-app-key",
        "DD_SITE": "datadoghq.com"
      }
    }
  }
}

Kubernetes

Use environment variables — not container args — for transport configuration:

env:
  - name: DD_API_KEY
    value: "your-api-key"
  - name: DD_APP_KEY
    value: "your-app-key"
  - name: MCP_TRANSPORT
    value: "http"
  - name: MCP_PORT
    value: "3000"
  - name: MCP_HOST
    value: "0.0.0.0"

Note: Kubernetes args: replaces the entire Dockerfile CMD, causing Node.js to receive the flags instead of your application. Environment variables avoid this issue.

Tools

| Tool | Action | Category | Description | Required Scopes |
|---|---|---|---|---|
| monitors | list | Alerting | List monitors with optional filters | monitors_read |
| monitors | get | Alerting | Get monitor by ID | monitors_read |
| monitors | search | Alerting | Search monitors by query | monitors_read |
| monitors | create | Alerting | Create a new monitor; config is validated against a typed schema covering documented options (notifyNoData, renotifyInterval, thresholds, …) — unknown keys surface in warnings. Pass dry_run: true to validate without creating (uses /api/v1/monitor/validate, allowed in read-only mode). | monitors_write |
| monitors | update | Alerting | Update an existing monitor; same validated schema as create; partial configs accepted; validation errors short-circuit before any HTTP call as EINVALID_MONITOR_CONFIG: | monitors_write |
| monitors | preview | Alerting | Render a monitor template (inline message or by monitor_id/id) with optional context of variables and conditionals. Returns {rendered, variablesUsed, variablesMissing, conditionalsResolved}. Supports Datadog Mustache subset: variable substitution + six documented conditionals (is_alert, is_warning, is_no_data, is_recovery, is_alert_to_warning, is_warning_to_alert); {{#each}}/partials throw EUNSUPPORTED_TEMPLATE_SYNTAX. Read-only. | monitors_read |
| monitors | test_notification | Alerting | Known limitation: returns ENOT_SUPPORTED — Datadog has no public REST endpoint for triggering a test notification. Documentation pointer in response. | n/a |
| monitors | delete | Alerting | Delete a monitor | monitors_write |
| monitors | mute | Alerting | Mute a monitor | monitors_write |
| monitors | unmute | Alerting | Unmute a monitor | monitors_write |
| monitors | top | Alerting | Top N monitors by alert frequency with real monitor names and context breakdown. WARNING: total_count includes renotifies/re-evaluations (Datadog emits a renotify event every renotify_interval minutes while Alert). For real fires use action=history. | monitors_read |
| monitors | history | Alerting | Count and list real state transitions for one monitor over a time window. Filters by transitionType (default ["alert","alert recovery"] — fires+recoveries, excludes renotifies) and optional group. Returns {transitions: [...], count, meta} where count is the number of real transitions (e.g. for one always-Alert burn-rate monitor over 7d: 98 raw events vs 38 real transitions). | monitors_read, events_read |
| dashboards | list | Visualization | List all dashboards | dashboards_read |
| dashboards | get | Visualization | Get dashboard by ID | dashboards_read |
| dashboards | create | Visualization | Create a new dashboard | dashboards_write |
| dashboards | update | Visualization | Update a dashboard | dashboards_write |
| dashboards | delete | Visualization | Delete a dashboard | dashboards_write |
| logs | search | Logs | Search logs with query syntax and filters | logs_read_data, logs_read_index_data |
| logs | aggregate | Logs | Aggregate log data with groupBy | logs_read_data |
| logs_pipelines | list, get | Logs Config | Inspect log processing pipelines and their processors | logs_read_config |
| logs_pipelines | create, update, delete, reorder | Logs Config | Author pipelines and processor chains | logs_write_config |
| logs_pipelines | get_order | Logs Config | Read pipeline evaluation order | logs_read_config |
| logs_indexes | list, get | Logs Config | Inspect indexes (filter, retention, Flex tier, exclusion filters); create/delete are UI-only per Datadog and not exposed | logs_read_config |
| logs_indexes | update, reorder | Logs Config | Update index filter/retention/quota and reorder evaluation | logs_write_config |
| logs_indexes | get_order | Logs Config | Read index evaluation order | logs_read_config |
| logs_archives | list, get | Logs Config | Inspect log archives (S3 / GCS / Azure destinations); per-provider credential fields are forwarded unchanged | logs_read_archives |
| logs_archives | create, update, delete, reorder | Logs Config | Manage archive destinations; destination.type validated against `s3gcs | |
| logs_archives | get_order | Logs Config | Read archive evaluation order | logs_read_archives |
| metrics | query | Metrics | Query timeseries data. Response meta includes rollupRequested (parsed from rollup(method, seconds), with methodInferred flag), rollupEffective (interval derived from returned pointlist intervals + deduped intervalsObserved for multi-series), and rollupOverridden: boolean so callers can detect when Datadog silently downsampled. | metrics_read, timeseries_query |
| metrics | search | Metrics | Search for metrics by name | metrics_read |
| metrics | list | Metrics | List active metrics | metrics_read |
| metrics | metadata | Metrics | Get metric metadata | metrics_read |
| traces | search | APM | Search spans with filters | apm_read |
| traces | aggregate | APM | Aggregate trace data | apm_read |
| traces | services | APM | List APM services | apm_service_catalog_read |
| events | list | Events | List events | events_read |
| events | get | Events | Get event by ID | events_read |
| events | create | Events | Create an event | events_read |
| events | search | Events | Search events with v2 API and cursor pagination. Optional transitionType filter (e.g. ["alert","alert recovery"]) restricts to monitor state-transition events — without it, source:alert includes renotifies. For monitor-specific fires use monitors action=history. Optional timezone adds *Local ISO 8601 siblings to every timestamp. Zero-result responses include a diagnostics array hinting at the cause (UNINDEXED_TAG_PREFIX, NARROW_TIME_RANGE, RESTRICTIVE_SOURCE_FILTER). | events_read |
| events | histogram | Events | Server-side bucketing of events by hour_of_day, day_of_week, or day_of_month in an IANA timezone (DST-safe via Intl.DateTimeFormat). Accepts the same transitionType filter as search so monitor histograms can exclude renotifies. Cursor-paginates the underlying search; cap at limits.maxEventsForHistogram (default 5000, MCP_MAX_EVENTS_HISTOGRAM env var). When the cap is hit, returns bucketCountIncomplete: true and nextCursor for continuation. | events_read |
| events | aggregate | Events | Client-side aggregation by monitor_name, source, etc. | events_read |
| events | top | Events | Top N event groups by count with generic groupBy support (deployments, configs, alerts, etc.). Groups without context tags are included as "no_context" | events_read |
| events | timeseries | Events | Time-bucketed alert trends (hourly/daily counts) | events_read |
| events | incidents | Events | Deduplicate alerts into incidents with Trigge | |
