ryanmaclean/macos-datadog-noise-pipeline-gist.md

## macos-datadog-noise-pipeline-gist.md

      
    Raw
  

              macos-datadog-noise-pipeline-gist.md
            
          
    macOS + Datadog: Noise Classification Pipeline (OpenClaw-friendly)

Use a Datadog Logs Pipeline to classify recurring low-signal macOS Unified Log noise into @noise_class.
Then exclude in dashboards/monitors with:
-@noise_class:*

Pipeline Filter

source:macos.unifiedlog

Category Processor

Target attribute:
noise_class

Suggested categories:

runningboard_identity_chatter

service:runningboardd @message:"Two equal instances have unequal identities"


token_generation_inference_chatter

service:TGOnDeviceInferenceProviderService (@message:"Unable to find node for token" OR @message:"Attempting to release asset")


imagent_coredata_xpc_chatter

service:imagent @message:"CoreData: Unable to create token NSXPCConnection"


findmy_cfprefs_sandbox_fault

service:findmybeaconingd @message:"CFPrefsPlistSource"


apsd_entitlement_noise

service:apsd (@message:"ultra constrained topics" OR @message:"lacks APSConnectionInitiateEntitlement")


akd_attestation_noise

service:akd @message:"Attestation map does not contain the cert attestation"


cloudd_ckoperation_fallback_noise

service:cloudd @message:"Unknown proxied class, falling back"


API Example

curl -sS -X POST "https://api.${DD_SITE}/api/v1/logs/config/pipelines" \
  -H "DD-API-KEY: ${DD_API_KEY}" \
  -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
  -H "Content-Type: application/json" \
  --data @pipeline.json
To update, use PUT /api/v1/logs/config/pipelines/{pipeline_id} with the same payload.
Optional Cost Control

After validation, add index exclusion filter:
source:macos.unifiedlog @noise_class:*

Do this only after confirming you are not suppressing actionable host/security events.
No results found