Navigate to Logs > Configuration > Pipelines in the Datadog UI or use the API at '/api/v1/logs/config/pipelines' to list and manage pipelines
POST to '/api/v1/logs/config/pipelines' with a JSON body containing 'name', 'is_enabled': true, 'filter' (query string to match logs), and 'processors' array
Add a Grok Parser processor in the processors array with 'type': 'grok-parser', 'source': 'message', and 'grok': {'support_rules': '', 'match_rules': 'rule_name %{pattern}'} to extract structured fields
Chain additional processors such as 'date-remapper' (to set the official log date), 'service-remapper', 'status-remapper', and 'attribute-remapper' to normalize fields to Datadog reserved attributes
Enable the pipeline, send test logs, and verify parsed attributes appear in the Log Explorer facet panel; use the pipeline's 'Test' feature in the UI to validate Grok rules before deploying
Known gotchas
Pipeline filters use the same query syntax as Log Explorer but are evaluated at ingestion time; an overly broad filter routes unintended logs through the pipeline's processors
Grok match rules are evaluated in order and only the first matching rule is used; rules placed below a catch-all pattern are unreachable and are silently ignored
Remapping a reserved attribute (like 'status') to a non-standard value can break log-level coloring and alerting; ensure remapped values match Datadog's expected status strings
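The steps and the first two gotchas above, as an added example that is not part of the original page or Datadog's own code: it builds the request body for the pipeline POST and lints it offline for a match-all filter and for Grok rules shadowed by a catch-all. The rule names, sample rules, the attribute names 'timestamp' and 'level', and the catch-all heuristic are assumptions made for illustration.

```python
import json
import re

def build_pipeline(name, query, match_rules):
    """Request body for POST /api/v1/logs/config/pipelines."""
    return {
        "name": name, "is_enabled": True,
        "filter": {"query": query},  # the API takes the query string inside an object
        "processors": [
            {"type": "grok-parser", "name": "parse message", "is_enabled": True,
             "source": "message",
             "grok": {"support_rules": "", "match_rules": "\n".join(match_rules)}},
            {"type": "date-remapper", "name": "official date", "is_enabled": True,
             "sources": ["timestamp"]},
            {"type": "status-remapper", "name": "official status", "is_enabled": True,
             "sources": ["level"]},
        ],
    }

# Heuristic (assumption): a rule whose whole body is one %{data} matcher matches any line.
CATCH_ALL = re.compile(r"^%\{data(:[\w.]+)?\}$")

def lint_pipeline(body):
    """Return findings for the broad-filter and shadowed-rule gotchas."""
    findings = []
    if body["filter"]["query"].strip() in ("", "*"):
        findings.append("filter matches every log at ingestion")
    for proc in body["processors"]:
        if proc["type"] != "grok-parser":
            continue
        rules = [r.split(None, 1) for r in proc["grok"]["match_rules"].splitlines()]
        rules = [r for r in rules if len(r) == 2]  # keep 'name pattern' lines only
        for i, (rule_name, pattern) in enumerate(rules):
            if CATCH_ALL.match(pattern.strip()) and i < len(rules) - 1:
                shadowed = ", ".join(n for n, _ in rules[i + 1:])
                findings.append(f"rule '{rule_name}' is a catch-all; unreachable: {shadowed}")
                break
    return findings

# Constructed sample rules: the specific rule first, the catch-all last.
RULES = [
    'sshd_fail %{date("yyyy-MM-dd HH:mm:ss"):timestamp} %{word:level} Failed password for %{notSpace:user}',
    "fallback %{data:msg}",
]
GOOD = build_pipeline("auth logs", "service:sshd", RULES)
BAD = build_pipeline("auth logs", "*", RULES[::-1])  # match-all filter, catch-all first

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2))
    print(lint_pipeline(BAD))
```

Running the lint before the POST catches a reordered rule list that would otherwise stop extracting 'user' and 'level' from authentication failures without any error from the API.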