DQL Starter Pack

7 Queries We Run on Every DPS Audit.

These are the seven Dynatrace Query Language queries that detect six of the eight anti-patterns we hunt: bucket retention waste, DEBUG flowing into production, non-prod environments in production tier buckets, host-mode misalignment, broken service attribution, and noisy host groups.

Validated on a carrier-scale tenant (~2B spans/day, 1.986 hosts, 18+ TB/day log ingestion). Each query returns actionable data within seconds, runs at minimal scan cost when used as scoped here, and feeds directly into the audit's PDF report and remediation backlog.
U = Universal (works on any tenant with OneAgent or basic OTel). S = Scaffolding (adapt fields to your tenant). All queries below are U.
01 U

Top noisy log sources

fetch logs, from:now()-1h
| summarize cnt=count(), by:{log.source}
| sort cnt desc
| limit 20
Reads: The 20 files / streams ingesting the most logs in the last hour. Typical Pareto: top 10-15% concentrates 60%+ of volume.
Audit use: Direct input for the report's "ingest hit-list" section. Cheapest first signal of where to compress.

02 U

Loglevel mix in 24h

fetch logs, from:now()-24h
| summarize count(), by:{loglevel}
| sort `count()` desc
Reads: Loglevel distribution over 24h. If DEBUG > 5M / 24h in production, anti-pattern #2 is confirmed. If NONE > 50%, parsing rules are failing silently.
Audit use: Percentages drop straight into the PDF report. Often produces the first six-figure savings line.

03 U

Volume by bucket

fetch logs, from:now()-1h
| summarize records=count(), by:{dt.system.bucket}
| sort records desc
Reads: How many records hit each bucket. Cross-reference with Q4 to identify high-cost buckets where retention dwarfs query patterns.
Audit use: Base for the per-bucket cost calculation when joined with retention data.

04 U

Bucket inventory with retention

fetch dt.system.buckets
| fields name, dt.system.table, retention_days,
         records, estimated_uncompressed_bytes
| sort estimated_uncompressed_bytes desc
Reads: Full bucket inventory with volume and retention. Anti-pattern #1 (retention 4-12× what's actually queried) shows up here in seconds.
Audit use: The single most valuable query of the audit. Every oversized bucket becomes a remediation backlog item with a euro figure attached.

05 U

K8s attribution check

fetch logs, from:now()-2h
| summarize cnt=count(), by:{k8s.namespace.name, k8s.cluster.name}
| sort cnt desc
Reads: Distribution of logs by namespace and cluster. If most rows show null namespace or null cluster, service attribution is broken (anti-pattern #5).
Audit use: Prerequisite for chargeback and any per-team policy. Without attribution, every other governance lever fails downstream.

06 U

Top noisy host groups

fetch logs, from:now()-1h, scanLimitGBytes:50
| summarize cnt=count(), by:{dt.host_group.id}
| sort cnt desc
| limit 15
Reads: Which host groups dominate ingestion. Identifies clusters or workload owners pumping volume disproportionate to business value.
Audit use: Input for anti-pattern #4 (Full-Stack vs Infra-Only host mode review). Often surfaces 10-35% host-bill recovery.

07 U

DEBUG in production by workload

fetch logs, from:now()-1h, scanLimitGBytes:50
| filter loglevel == "DEBUG"
| summarize cnt=count(), by:{k8s.namespace.name, log.source}
| sort cnt desc
Reads: Which specific workload leaves DEBUG open in production. Each row is a service where one OpenPipeline filter cuts the line cleanly.
Audit use: Actionable list for the remediation backlog. Typical impact: 20-40% reduction on default_logs ingest with zero dashboard impact.
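
The thresholds stated for queries 02 and 05, applied to exported results, as an added Python example that is not part of the original starter pack. It assumes results are exported as a list of records keyed by field name (with count() as the column name for query 02) and reads "most rows" as more than half; the sample rows are constructed.

```python
"""Added example: apply this page's stated thresholds to exported Q2 and Q5 results."""

DEBUG_LIMIT_24H = 5_000_000  # page: "DEBUG > 5M / 24h in production"
NONE_SHARE_LIMIT = 0.50      # page: "NONE > 50%"


def loglevel_findings(rows):
    """rows: Q2 records, assumed exported as dicts with 'loglevel' and 'count()'."""
    counts = {}
    for r in rows:
        level = (r.get("loglevel") or "NONE").upper()  # missing level counts as NONE
        counts[level] = counts.get(level, 0) + int(r["count()"])  # counts may be strings
    total = sum(counts.values())
    shares = {lvl: n / total for lvl, n in counts.items()} if total else {}
    findings = []
    if counts.get("DEBUG", 0) > DEBUG_LIMIT_24H:
        findings.append("anti-pattern #2: DEBUG in production")
    if shares.get("NONE", 0.0) > NONE_SHARE_LIMIT:
        findings.append("parsing rules failing silently")
    return shares, findings


def attribution_broken(rows):
    """rows: Q5 records. True when more than half lack a namespace or a cluster."""
    if not rows:
        return False
    missing = sum(
        1 for r in rows
        if not r.get("k8s.namespace.name") or not r.get("k8s.cluster.name")
    )
    return missing / len(rows) > 0.5  # assumption: "most rows" means > 50%


# Constructed sample data, not taken from any real tenant.
Q2_SAMPLE = [
    {"loglevel": "NONE", "count()": "61000000"},
    {"loglevel": "INFO", "count()": "30000000"},
    {"loglevel": "DEBUG", "count()": "7000000"},
    {"loglevel": "ERROR", "count()": "2000000"},
]
Q5_SAMPLE = [
    {"k8s.namespace.name": None, "k8s.cluster.name": None, "cnt": "900000"},
    {"k8s.namespace.name": "payments", "k8s.cluster.name": None, "cnt": "40000"},
    {"k8s.namespace.name": "checkout", "k8s.cluster.name": "prod-eu-1", "cnt": "25000"},
]

if __name__ == "__main__":
    shares, findings = loglevel_findings(Q2_SAMPLE)
    print({lvl: f"{s:.1%}" for lvl, s in shares.items()}, findings)
    print("attribution broken:", attribution_broken(Q5_SAMPLE))
```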

This is what week 1 of every audit looks like.

Run these seven queries, cross them with the bucket inventory, and within hours you have a defensible euro figure for the remediation backlog. The audit packages the analysis, the remediation steps, the DQL library extension, and a 3x savings guarantee.
