MCP Datadog Server

create_monitor

Create Datadog monitors for anomaly detection, APM, logs, metrics, SLOs, and other alert types using customizable query parameters and threshold settings.

Instructions

Create a monitor using the specified options.

Monitor Types

The type of monitor chosen from:

anomaly: query alert
APM: query alert or trace-analytics alert
composite: composite
custom: service check
forecast: query alert
host: service check
integration: query alert or service check
live process: process alert
logs: log alert
metric: query alert
network: service check
outlier: query alert
process: service check
rum: rum alert
SLO: slo alert
watchdog: event-v2 alert
event-v2: event-v2 alert
audit: audit alert
error-tracking: error-tracking alert
database-monitoring: database-monitoring alert
network-performance: network-performance alert
cloud cost: cost alert

Notes:

Synthetic monitors are created through the Synthetics API. See the Synthetics API documentation for more information.
Log monitors require an unscoped App Key.

Query Types

Metric Alert Query

Example: time_aggr(time_window):space_aggr:metric{tags} [by {key}] operator #

time_aggr: avg, sum, max, min, change, or pct_change
time_window: last_#m (with # between 1 and 10080 depending on the monitor type) or last_#h(with # between 1 and 168 depending on the monitor type) or last_1d, or last_1w
space_aggr: avg, sum, min, or max
tags: one or more tags (comma-separated), or *
key: a 'key' in key:value tag syntax; defines a separate alert for each tag in the group (multi-alert)
operator: <, <=, >, >=, ==, or !=
#: an integer or decimal number used to set the threshold

If you are using the _change_ or _pct_change_ time aggregator, instead use change_aggr(time_aggr(time_window), timeshift):space_aggr:metric{tags} [by {key}] operator # with:

change_aggr change, pct_change
time_aggr avg, sum, max, min Learn more
time_window last_#m (between 1 and 2880 depending on the monitor type), last_#h (between 1 and 48 depending on the monitor type), or last_#d (1 or 2)
timeshift #m_ago (5, 10, 15, or 30), #h_ago (1, 2, or 4), or 1d_ago

Use this to create an outlier monitor using the following query: avg(last_30m):outliers(avg:system.cpu.user{role:es-events-data} by {host}, 'dbscan', 7) > 0

Service Check Query

Example: "check".over(tags).last(count).by(group).count_by_status()

check name of the check, for example datadog.agent.up
tags one or more quoted tags (comma-separated), or "*". for example: .over("env:prod", "role:db"); over cannot be blank.
count must be at greater than or equal to your max threshold (defined in the options). It is limited to 100. For example, if you've specified to notify on 1 critical, 3 ok, and 2 warn statuses, count should be at least 3.
group must be specified for check monitors. Per-check grouping is already explicitly known for some service checks. For example, Postgres integration monitors are tagged by db, host, and port, and Network monitors by host, instance, and url. See Service Checks documentation for more information.

Event Alert Query

Note: The Event Alert Query has been replaced by the Event V2 Alert Query. For more information, see the Event Migration guide.

Event V2 Alert Query

Example: events(query).rollup(rollup_method[, measure]).last(time_window) operator #

query The search query - following the Log search syntax.
rollup_method The stats roll-up method - supports count, avg and cardinality.
measure For avg and cardinality rollup_method - specify the measure or the facet name you want to use.
time_window #m (between 1 and 2880), #h (between 1 and 48).
operator <, <=, >, >=, ==, or !=.
# an integer or decimal number used to set the threshold.

Process Alert Query

Example: processes(search).over(tags).rollup('count').last(timeframe) operator #

search free text search string for querying processes. Matching processes match results on the Live Processes page.
tags one or more tags (comma-separated)
timeframe the timeframe to roll up the counts. Examples: 10m, 4h. Supported timeframes: s, m, h and d
operator <, <=, >, >=, ==, or !=
# an integer or decimal number used to set the threshold

Logs Alert Query

Example: logs(query).index(index_name).rollup(rollup_method[, measure]).last(time_window) operator #

query The search query - following the Log search syntax.
index_name For multi-index organizations, the log index in which the request is performed.
rollup_method The stats roll-up method - supports count, avg and cardinality.
measure For avg and cardinality rollup_method - specify the measure or the facet name you want to use.
time_window #m (between 1 and 2880), #h (between 1 and 48).
operator <, <=, >, >=, ==, or !=.
# an integer or decimal number used to set the threshold.

Composite Query

Example: 12345 && 67890, where 12345 and 67890 are the IDs of non-composite monitors

name [required, default = dynamic, based on query]: The name of the alert.
message [required, default = dynamic, based on query]: A message to include with notifications for this monitor. Email notifications can be sent to specific users by using the same '@username' notation as events.
tags [optional, default = empty list]: A list of tags to associate with your monitor. When getting all monitor details via the API, use the monitor_tags argument to filter results by these tags. It is only available via the API and isn't visible or editable in the Datadog UI.

SLO Alert Query

Example: error_budget("slo_id").over("time_window") operator #

slo_id: The alphanumeric SLO ID of the SLO you are configuring the alert for.
time_window: The time window of the SLO target you wish to alert on. Valid options: 7d, 30d, 90d.
operator: >= or >

Audit Alert Query

Example: audits(query).rollup(rollup_method[, measure]).last(time_window) operator #

query The search query - following the Log search syntax.
rollup_method The stats roll-up method - supports count, avg and cardinality.
measure For avg and cardinality rollup_method - specify the measure or the facet name you want to use.
time_window #m (between 1 and 2880), #h (between 1 and 48).
operator <, <=, >, >=, ==, or !=.
# an integer or decimal number used to set the threshold.

CI Pipelines Alert Query

Example: ci-pipelines(query).rollup(rollup_method[, measure]).last(time_window) operator #

query The search query - following the Log search syntax.
rollup_method The stats roll-up method - supports count, avg, and cardinality.
measure For avg and cardinality rollup_method - specify the measure or the facet name you want to use.
time_window #m (between 1 and 2880), #h (between 1 and 48).
operator <, <=, >, >=, ==, or !=.
# an integer or decimal number used to set the threshold.

CI Tests Alert Query

Example: ci-tests(query).rollup(rollup_method[, measure]).last(time_window) operator #

query The search query - following the Log search syntax.
rollup_method The stats roll-up method - supports count, avg, and cardinality.
measure For avg and cardinality rollup_method - specify the measure or the facet name you want to use.
time_window #m (between 1 and 2880), #h (between 1 and 48).
operator <, <=, >, >=, ==, or !=.
# an integer or decimal number used to set the threshold.

Error Tracking Alert Query

"New issue" example: error-tracking(query).source(issue_source).new().rollup(rollup_method[, measure]).by(group_by).last(time_window) operator # "High impact issue" example: error-tracking(query).source(issue_source).impact().rollup(rollup_method[, measure]).by(group_by).last(time_window) operator #

query The search query - following the Log search syntax.
issue_source The issue source - supports all, browser, mobile and backend and defaults to all if omitted.
rollup_method The stats roll-up method - supports count, avg, and cardinality and defaults to count if omitted.
measure For avg and cardinality rollup_method - specify the measure or the facet name you want to use.
group by Comma-separated list of attributes to group by - should contain at least issue.id.
time_window #m (between 1 and 2880), #h (between 1 and 48).
operator <, <=, >, >=, ==, or !=.
# an integer or decimal number used to set the threshold.

Database Monitoring Alert Query

Example: database-monitoring(query).rollup(rollup_method[, measure]).last(time_window) operator #

query The search query - following the Log search syntax.
rollup_method The stats roll-up method - supports count, avg, and cardinality.
measure For avg and cardinality rollup_method - specify the measure or the facet name you want to use.
time_window #m (between 1 and 2880), #h (between 1 and 48).
operator <, <=, >, >=, ==, or !=.
# an integer or decimal number used to set the threshold.

Network Performance Alert Query

Example: network-performance(query).rollup(rollup_method[, measure]).last(time_window) operator #

query The search query - following the Log search syntax.
rollup_method The stats roll-up method - supports count, avg, and cardinality.
measure For avg and cardinality rollup_method - specify the measure or the facet name you want to use.
time_window #m (between 1 and 2880), #h (between 1 and 48).
operator <, <=, >, >=, ==, or !=.
# an integer or decimal number used to set the threshold.

Cost Alert Query

Example: formula(query).timeframe_type(time_window).function(parameter) operator #

query The search query - following the Log search syntax.
timeframe_type The timeframe type to evaluate the cost - for forecast supports current - for change, anomaly, threshold supports last
time_window - supports daily roll-up e.g. 7d
function - [optional, defaults to threshold monitor if omitted] supports change, anomaly, forecast
parameter Specify the parameter of the type
- for change:
  - supports relative, absolute
  - [optional] supports #, where # is an integer or decimal number used to set the threshold
- for anomaly:
  - supports direction=both, direction=above, direction=below
  - [optional] supports threshold=#, where # is an integer or decimal number used to set the threshold
operator
- for threshold supports <, <=, >, >=, ==, or !=
- for change supports >, <
- for anomaly supports >=
- for forecast supports >
# an integer or decimal number used to set the threshold.

Input Schema

TableJSON Schema

Name	Required	Description	Default
No arguments

Tool Definition Quality

A3.8/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden of behavioral disclosure. It describes the creation action and includes important notes about synthetic monitors and log monitor requirements, which adds useful context. However, it doesn't mention other behavioral aspects like required permissions, rate limits, error handling, or what the response looks like (since there's no output schema). The description doesn't contradict any annotations (none exist).

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness2/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is extremely long and poorly structured for an AI agent. While the initial sentence is clear, the bulk consists of detailed documentation about monitor types and query syntax that belongs in external documentation rather than a tool description. This violates front-loading principles and includes excessive technical detail that doesn't efficiently help an agent select and invoke the tool.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of monitor creation and the absence of both annotations and output schema, the description provides substantial technical detail about monitor types and queries. However, it lacks information about authentication requirements, error conditions, response format, and other operational aspects. While it covers the 'what' comprehensively, it misses important 'how' and 'what happens after' context needed for complete understanding.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 0 parameters with 100% description coverage, so the baseline is 4. The description compensates by providing extensive semantic context about monitor types and query formats, which effectively documents the expected input structure despite the empty schema. This adds significant value beyond what the schema provides, explaining how to construct valid monitor configurations.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description starts with a clear statement of purpose: 'Create a monitor using the specified options.' This explicitly states the verb ('Create') and resource ('monitor'), distinguishing it from sibling tools like 'update_monitor', 'delete_monitor', or 'list_monitors'. The detailed breakdown of monitor types and query formats further clarifies what kind of monitor creation is supported.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides clear context for when to use this tool by listing all supported monitor types and their corresponding query formats. It explicitly notes that 'Synthetic monitors are created through the Synthetics API' and 'Log monitors require an unscoped App Key', offering specific prerequisites. However, it doesn't explicitly contrast when to use this tool versus alternatives like 'create_monitor_v1' or other sibling creation tools.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/ClaudioLazaro/mcp-datadog-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server