Set limits on query usage

  • Latest Dynatrace
  • Tutorial
  • 5-min read
  • Published Sep 03, 2025

This page describes the Dynatrace workflow for applying per-user daily quotas to log query consumption.

You will learn how to set up a workflow to check, each minute, whether a user has exceeded their allocated daily query quota. All steps in this workflow are fully customizable to your needs.

The default daily quota is 10 TB, equivalent to 35 USD of query volume at the rate card list price.

Steps

This workflow checks every minute whether a user has exceeded their allocated daily query quota.

If the quota is exceeded:

  1. The user is added to the "Quota exceeded" group and therefore cannot execute further log queries.
  2. The user is sent an email notification that they have exceeded their daily quota of log queries.
  3. A business event with the event type "log.quota.exceeded" is ingested, which carries the user's email address.

This event can be used to audit which users are hitting the quota limit. It is also used to determine whether a user has already been locked for the day.

A Dynatrace account administrator can subsequently unlock the user by removing them from the "Quota exceeded" group. The workflow will not lock the user again that day. At midnight UTC, the workflow automatically removes all users from the "Quota exceeded" group, so that they can start fresh the next day.

  1. Go to Account Management > Identity & access management > Policy Management.

  2. Create a new policy called "Deny logs (quota exceeded)". Set the following Policy statement:

    DENY storage:logs:read;

  3. Create a new policy called "Quota exceeded check". Set the following Policy statement:

    //Basic permissions to run workflows
    ALLOW environment:roles:viewer;
    ALLOW automation:workflows:read;
    ALLOW app-engine:functions:run;
    ALLOW app-engine:apps:run;
    //Allow to read billing usage data
    ALLOW storage:bucket-definitions:read;
    ALLOW storage:system:read WHERE storage:event.kind = "BILLING_USAGE_EVENT";
    //Allow to read whether the Quota exceeded event was sent before
    ALLOW storage:bizevents:read WHERE storage:event.type = "log.quota.exceeded";
    //Allow to write a Quota exceeded event
    ALLOW storage:events:write;
    //Allow to read users
    ALLOW iam:users:read, iam:groups:read;
    //for sending “Quota exceeded” emails
    ALLOW email:emails:send;

  1. Go to Account Management > Identity & access management > Group Management.

  2. Create a new group.

    a. Set the Group name to Quota exceeded.
    b. Select Permissions to add a new permission.
    c. Add the "Deny logs (quota exceeded)" permission that you created in the previous step.
    d. Set the Permission Type to POLICY.
    e. Set the Scope to Account.

  1. Go to Account Management > Identity & access management > Service Users.

  2. Create a new service user.

    a. Set the Service user name to Quota Exceeded Check User.
    b. Select Permissions to add a new permission.
    c. Add the "Quota exceeded check" policy to the user.
    d. Set the Permission Type to POLICY.
    e. Set the Scope to Account.
    f. Copy the Service user email and save it somewhere safe.

For more information about OAuth clients, see OAuth clients.

  1. Go to Account Management > Identity & Access Management > OAuth clients.

  2. Create a new OAuth client.

    a. In subject user email, select a user that has the Account manager permission. Note that you can't select the service user here.
    b. In Permissions, select Account > View users and groups and Account > Manage users and groups.
    c. Create the client.

  3. Copy the Client ID, Client secret, and Dynatrace account URN and save them somewhere safe.

For more information about Credential Vault, see Credential vault.

  1. Go to Account Management > Credential Vault.
  2. Set Credential name to Quota check OAuth.
  3. Set Username to the last part of the account URN from the OAuth client (that is, the characters after urn:dtaccount:).
  4. Set Password to the client secret.
  5. Set the Allow access without app context toggle to true.
  6. In Users with access, enter the service user email.

  1. Create a new text file and copy the contents of the code block below.

    example code
    wftpl_log_quota_check.yaml
  2. In Workflows, create a new workflow.

  3. Select and set Actor to Quota Exceeded Check User SERVICE_IDENTITY.

  4. Select to save the workflow.

How to customize

You can customize the limits by modifying the DQL query. The full query is shown below, and sections below indicate how to change the query to achieve certain use cases.

/*
Get all users who consumed > 10 TB of log query today
and who haven't been locked out before today
*/
fetch dt.system.events, from: -1d@d
| filter event.kind == "BILLING_USAGE_EVENT"
| filter event.type == "Log Management & Analytics - Query"
| filter event.version == "1.0"
| dedup event.id
| summarize {
    query_volume = sum(billed_bytes)
  }, by:{user.email}
| filter query_volume > 10 * 1024 * 1024 * 1024 * 1024 //Modify `10 TB` to the desired quota
| filterOut user.email in [
    fetch bizevents, from: -1d@d
    | filter event.type == "log.quota.exceeded"
    | fields user.email
  ]
| fields email = user.email

Change the log quota

By default the quota per user is 10 TB = 35 USD at list price.

Modify the filter query_volume > 10 * 1024 * 1024 * 1024 * 1024. Change the value of 10 to the desired quota that can be scanned, in TB.

Excluding users from the quota check

You can exclude certain users from the quota check by changing the above query.
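The selection logic of the query above, modelled locally in JavaScript as an added example (not Dynatrace code, and not part of the workflow template). It assumes the records are already restricted to the query timeframe; the `exempt` option is a hypothetical allow-list showing one way an exclusion could behave, and all records are constructed sample data.

```javascript
// Added example: a local model of the quota query, not Dynatrace code.
const TB = 1024 ** 4;
const LOG_QUERY = "Log Management & Analytics - Query";

// `exempt` is a hypothetical allow-list; the page's query has no such parameter.
function usersToLock(billingEvents, bizEvents, { quotaTb = 10, exempt = [] } = {}) {
  const seenIds = new Set();   // mirrors `dedup event.id`
  const volume = new Map();    // mirrors `summarize ... by:{user.email}`
  for (const e of billingEvents) {
    if (e["event.kind"] !== "BILLING_USAGE_EVENT" || e["event.type"] !== LOG_QUERY) continue;
    if (e["event.version"] !== "1.0" || seenIds.has(e["event.id"])) continue;
    seenIds.add(e["event.id"]);
    volume.set(e["user.email"], (volume.get(e["user.email"]) ?? 0) + e.billed_bytes);
  }
  // mirrors the `filterOut user.email in [ fetch bizevents ... ]` subquery
  const lockedToday = new Set(bizEvents
    .filter((b) => b["event.type"] === "log.quota.exceeded")
    .map((b) => b["user.email"]));
  const skip = new Set(exempt);
  return [...volume]
    .filter(([user, bytes]) => bytes > quotaTb * TB && !lockedToday.has(user) && !skip.has(user))
    .map(([user]) => user)
    .sort();
}

// Constructed sample records for the current day.
const usage = (id, user, tb, type = LOG_QUERY) => ({
  "event.kind": "BILLING_USAGE_EVENT", "event.type": type, "event.version": "1.0",
  "event.id": id, "user.email": user, billed_bytes: tb * TB,
});
const BILLING = [
  usage("a1", "alice@example.com", 6), usage("a2", "alice@example.com", 6),
  usage("b1", "bob@example.com", 11),
  usage("c1", "carol@example.com", 5), usage("c2", "carol@example.com", 5),
  usage("c2", "carol@example.com", 5),                  // duplicate delivery, dropped by dedup
  usage("d1", "dave@example.com", 20),
  usage("e1", "erin@example.com", 50, "Other - Query"), // different capability, ignored
];
// bob was locked earlier today and unlocked by an admin: he must not be locked again.
const BIZEVENTS = [{ "event.type": "log.quota.exceeded", "user.email": "bob@example.com" }];

console.log(usersToLock(BILLING, BIZEVENTS));
console.log(usersToLock(BILLING, BIZEVENTS, { exempt: ["dave@example.com"] }));
```

Note that carol sits at exactly 10 TB after deduplication and is not selected, because the comparison is strictly greater than the quota.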

Check on a weekly or monthly basis

The workflow can be customized to also take weekly or monthly quotas into account.

Changing the time of quota reset

  1. In Workflows, open the workflow and select the quota_reset_at_midnight action.

  2. Under Conditions, modify And custom condition was met.

  3. You can modify the timezone and the specific time.

    a. To modify the timezone, change UTC to the desired timezone abbreviation.
    b. To modify the time, change 00:00 to the desired time, in hours and minutes.

You can customize this to a different point in time and different timezone. If you adjust this, make sure you do one of the following:

  • Adjust the workflow’s timezone (in the scheduling settings).
  • Adjust the query accordingly to take the time of the last quota reset into account.

Adding other notification methods

By default, the workflow sends an e-mail to the user who is exceeding the quota. Ideas for customization here might be:

  • Send the user an email as soon as they have reached 5 TB of quota.
  • Use a different method than e-mail, e.g. Slack.
  • Send notifications about users who exceed their quota to Dynatrace admins as well.

Quotas for other Dynatrace capabilities

Similar to log management & analytics, this workflow can work for any querying capability in Dynatrace (such as Events powered by Grail – Query or Traces powered by Grail – Query). Adjust the query above and the policy to also include those capabilities.

For ingest-based capabilities (like Traces powered by Grail – Ingest, Log powered by Grail – Ingest) a similar workflow could be created which automatically deactivates API tokens once a certain quota is reached.
