Dynatrace MCP Server

🛠️ MAINTENANCE MODE

Please note, that this repository is currently in Maintenance Mode. We will continue fixing/patching issues when they come up.

Recommended Actions

🚀 Try Dynatrace-for-Ai and dtctl (recommended for local development use cases like VS Code, IntelliJ, Claude Code, Cursor and alike)

Try out our new Remote Dynatrace MCP Server! Now available - no local setup required, connect instantly to your Dynatrace environment from any MCP-compatible client. See our migration guide for a comparison and step-by-step instructions. This setup is recommended when connecting another Agent (e.g., Atlassian Rovo, GitHub Coding Agent and alike) to Dynatrace.

The local Dynatrace MCP server allows AI Assistants to interact with the Dynatrace observability platform, bringing real-time observability data directly into your development workflow.

Note: This product is not officially supported by Dynatrace.

If you need help, please contact us via GitHub Issues if you have feature requests, questions, or need help.

https://github.com/user-attachments/assets/25c05db1-8e09-4a7f-add2-ed486ffd4b5a

Prerequisites

• Node.js v24 or newer is required to run the Dynatrace MCP Server.

Quickstart

You can add this MCP server to your MCP Client like VSCode, Claude, Cursor, Amazon Q, Windsurf, ChatGPT, or Github Copilot via the command is npx -y @dynatrace-oss/dynatrace-mcp-server (type: stdio). For more details, please refer to the configuration section below.

Furthermore, you need to configure the URL to a Dynatrace environment:

• DT_ENVIRONMENT (string, e.g., https://abc12345.apps.dynatrace.com) - URL to your Dynatrace Platform (do not use Dynatrace classic URLs like abc12345.live.dynatrace.com)

Authentication will be handled via Authorization Code Flow in your browser, you don't need to define a Platform Token nor an OAuth Client to get started. After the initial authentication, your token is securely stored in the OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service) and reused on subsequent server starts, so the browser only opens once per token lifetime.

If you are running in a headless/container environment where the OS keychain is unavailable, set DT_MCP_TOKEN_STORAGE=file to persist tokens in ~/.config/dynatrace-mcp/ instead.

Once you are done, we recommend looking into example prompts, like Get all details of the entity 'my-service' or Show me error logs. Please mind that these prompts lead to executing DQL statements which may incur costs in accordance to your licence.

VSCode

{
  "servers": {
    "npx-dynatrace-mcp-server": {
      "command": "npx",
      "args": ["-y", "@dynatrace-oss/dynatrace-mcp-server@latest"],
      "env": {
        "DT_ENVIRONMENT": "https://abc12345.apps.dynatrace.com"
      }
    }
  }
}

Architecture

Use cases

• Real-time observability - Fetch production-level data for early detection and proactive monitoring
• Contextual debugging - Fix issues with full context from monitored exceptions, logs, and anomalies
• Security insights - Get detailed vulnerability analysis and security problem tracking
• Natural language queries - Use AI-powered DQL generation and explanation
• Multi-phase incident investigation - Systematic 4-phase approach with automated impact assessment
• Advanced transaction analysis - Precise root cause identification with file/line-level accuracy
• Cross-data source correlation - Connect problems → spans → logs with trace ID correlation
• DevOps automation - Deployment health gates with automated promotion/rollback logic
• Security compliance monitoring - Multi-cloud compliance assessment with evidence-based investigation

Capabilities

• Observability & Problem Management (e.g., list_problems, list_vulnerabilities, list_exceptions, get_kubernetes_events)
• Querying Data from Grail (e.g., execute_dql, verify_dql, generate_dql_from_natural_language, explain_dql_in_natural_language)
• Entity Discovery (e.g., find_entity_by_name)
• Dynatrace Intelligence (e.g., chat_with_davis_copilot, list_davis_analyzers, execute_davis_analyzer)
• Automation & Notifications (e.g., send_slack_message, send_email, send_event)
• Share results (e.g., create_dynatrace_notebook)

Costs

Important: While this local MCP server is provided for free, using certain capabilities to access data in Dynatrace Grail may incur additional costs based on your Dynatrace consumption model. This affects execute_dql tool and other capabilities that query Dynatrace Grail storage, and costs depend on the volume (GB scanned).

Before using this MCP server extensively, please:

1. Review your current Dynatrace consumption model and pricing
2. Understand the cost implications of the specific data you plan to query (logs, events, metrics) - see Dynatrace Pricing and Rate Card
3. Start with smaller timeframes (e.g., 12h-24h) and make use of buckets to reduce the cost impact
4. Set an appropriate DT_GRAIL_QUERY_BUDGET_GB environment variable (default: 1000 GB) to control and monitor your Grail query consumption

Grail Budget Tracking:

The MCP server includes built-in budget tracking for Grail queries to help you monitor and control costs:

• Set DT_GRAIL_QUERY_BUDGET_GB (default: 1000 GB) to define your session budget limit
• The server tracks bytes scanned across all Grail queries in the current session
• You'll receive warnings when approaching 80% of your budget
• Budget exceeded alerts help prevent unexpected high consumption
• Budget resets when you restart the MCP server session

To understand costs that occured:

Execute the following DQL statement in a notebook to see how much bytes have been queried from Grail (Logs, Events, etc...):

fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT" and contains(client.client_context, "dynatrace-mcp")
| sort timestamp desc
| fields timestamp, query_id, query_string, scanned_bytes, table, bucket, user.id, user.email, client.client_context
| maketimeSeries sum(scanned_bytes), by: { user.email, user.id, table }

AI-Powered Assistance

• Natural Language to DQL - Convert plain English queries to Dynatrace Query Language
• DQL Explanation - Get plain English explanations of complex DQL queries
• AI Chat Assistant - Get contextual help and guidance for Dynatrace questions

Configuration

You can add this MCP server (using STDIO) to your MCP Client like VS Code, Claude, Cursor, Amazon Q Developer CLI, Windsurf Github Copilot via the package @dynatrace-oss/dynatrace-mcp-server.

We recommend to always set it up for your current workspace instead of using it globally.

VS Code

{
  "servers": {
    "npx-dynatrace-mcp-server": {
      "command": "npx",
      "args": ["-y", "@dynatrace-oss/dynatrace-mcp-server@latest"],
      "env": {
        "DT_ENVIRONMENT": "https://abc12345.apps.dynatrace.com"
      }
    }
  }
}

Claude Desktop

{
  "mcpServers": {
    "dynatrace-mcp-server": {
      "command": "npx",
      "args": ["-y", "@dynatrace-oss/dynatrace-mcp-server@latest"],
      "env": {
        "DT_ENVIRONMENT": "https://abc12345.apps.dynatrace.com"
      }
    }
  }
}

Amazon Q Developer CLI

The Amazon Q Developer CLI provides an interactive chat experience directly in your terminal. You can ask questions, get help with AWS services, troubleshoot issues, and generate code snippets without leaving your command line environment.

{
  "mcpServers": {
    "dynatrace-mcp-server": {
      "command": "npx",
      "args": ["-y", "@dynatrace-oss/dynatrace-mcp-server@latest"],
      "env": {
        "DT_ENVIRONMENT": "https://abc12345.apps.dynatrace.com"
      }
    }
  }
}

This configuration should be stored in <your-repo>/.amazonq/mcp.json.

Amazon Kiro

The Amazon Kiro is an agentic IDE that helps you do your best work with features such as specs, steering, and hooks.

{
  "mcpServers": {
    "dynatrace-mcp-server": {
      "command": "npx",
      "args": ["-y", "@dynatrace-oss/dynatrace-mcp-server@latest"],
      "env": {
        "DT_ENVIRONMENT": "https://abc12345.apps.dynatrace.com"
      }
    }
  }
}

This configuration should be stored in <your-repo>/.kiro/settings/mcp.json.

Google Gemini CLI

The Google Gemini CLI is Google's official command-line AI assistant that supports MCP server integration. You can add the Dynatrace MCP server using either the built-in management commands or manual configuration.

Using gemini CLI directly (recommended):

gemini extensions install https://github.com/dynatrace-oss/dynatrace-mcp
export DT_PLATFORM_TOKEN=... # optional

The command will ask for the value Dynatrace Environment.

Verify that the server is running via

gemini mcp list

Or manually in your ~/.gemini/settings.json or .gemini/settings.json:

{
  "mcpServers": {
    "dynatrace": {
      "command": "npx",
      "args": ["@dynatrace-oss/dynatrace-mcp-server@latest"],
      "env": {
        "DT_ENVIRONMENT": "https://abc12345.apps.dynatrace.com"
      },
      "timeout": 30000,
      "trust": false
    }
  }
}

HTTP Server Mode (Alternative)

💡 Recommendation: Instead of self-hosting with --http / --server, consider using the official Dynatrace Remote MCP Server — it is more secure, always up to date, and requires no infrastructure management.

For scenarios where you need to run the MCP server as an HTTP service instead of using stdio (e.g., for stateful sessions, load balancing, or integration with web clients), you can use the HTTP server mode:

Running as HTTP server:

Please secure your server with a bearer token:

export MCP_BEARER_TOKEN=<bearer-token>

# Get help and see all available options
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --help

# Run with HTTP server on default port 3000
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http

# Run with custom port (using short or long flag)
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --server -p 8080
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http --port 3001

# Run with custom host/IP (using short or long flag)
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http --host 127.0.0.1 # recommended for local computers
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http --host 0.0.0.0 # required for container (binds all interfaces; omitting --host defaults to 127.0.0.1)
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http -H 192.168.0.1 # recommended when sharing connection over a local network

# Static OAuth callback port (useful when the port must be exposed, e.g., when running the MCP in a container)
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --oauth-redirect-port 5344

# Check version
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --version

Configuration for MCP clients that support HTTP transport:

{
  "mcpServers": {
    "dynatrace-http": {
      "url": "http://localhost:3000",
      "transport": "http",
      "headers": {
        "Authorization": "Bearer <bearer-token>"
      }
    }
  }
}

Bearer Token Authentication (MCP_BEARER_TOKEN)

MCP_BEARER_TOKEN is required when running in HTTP mode. The server will refuse to start if this variable is not set.

Every HTTP request must include an Authorization: Bearer <token> header. Requests without a valid token receive 401 Unauthorized.

Generating a secure token:

export MCP_BEARER_TOKEN=$(openssl rand -base64 32)
npx -y @dynatrace-oss/dynatrace-mcp-server@latest --http

Configuring the MCP client to send the token:

{
  "mcpServers": {
    "dynatrace-http": {
      "url": "http://localhost:3000",
      "transport": "http",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}

MCP Bundle (MCPB)

Each release publishes a pre-built MCP Bundle file (.mcpb) that you can install directly in Claude Desktop without any manual JSON configuration.

Installing in Claude Desktop:

1. Go to the GitHub Releases page and download the latest dynatrace-mcp-server-<version>.mcpb file.
2. Double-click the downloaded .mcpb file, or open Claude Desktop → Settings → Developer and drag the file into the MCP servers list.
3. Follow the prompts to set your DT_ENVIRONMENT variable (e.g. https://abc12345.apps.dynatrace.com).

This repository also includes an MCP Bundle-compatible manifest.json for local installation. The bundle runs the compiled local server entrypoint via stdio:

• server.type: node
• server.entry_point: dist/index.js
• mcp_config.command: node
• mcp_config.args: ["${__dirname}/dist/index.js"]

Rule File

For efficient result retrieval from Dynatrace, please consider creating a rule file (e.g., .github/copilot-instructions.md, .amazonq/rules/), instructing coding agents on how to get more details for your component/app/service. Here is an example for easytrade, please adapt the names and filters to fit your use-cases and components:

# Observability

We use Dynatrace as an Observability solution. This document provides instructions on how to get data for easytrade from Dynatrace using DQL.

## How to get any data for my App

Depending on the query and tool used, the following filters can be applied to narrow down results:

* `contains(entity.name, "easytrade")`
* `contains(affected_entity.name, "easytrade")`
* `contains(container.name, "easytrade")`

For best results, you can combine these filters with an `OR` operator.

## Logs

To fetch logs for easytrade, execute `fetch logs | filter contains(container.name, "easyatrade")`.
For fetching just error-logs, add `| filter loglevel == "ERROR"`.

Environment Variables

Breaking Change in v1.0.0: The MCP server no longer automatically loads .env files. To use environment variables from a .env file, you need to configure your MCP client to load environment variables using the native envFile configuration option. See the configuration examples below for details.

• DT_ENVIRONMENT (required, string, e.g., https://abc12345.apps.dynatrace.com) - URL to your Dynatrace Platform (do not use Dynatrace classic URLs like abc12345.live.dynatrace.com)
• DT_PLATFORM_TOKEN (optional, string, e.g., dt0s16.SAMPLE.abcd1234) - Dynatrace Platform Token
• OAUTH_CLIENT_ID (optional, string, e.g., dt0s02.SAMPLE) - Alternative: Dynatrace OAuth Client ID (for advanced use cases)
• OAUTH_CLIENT_SECRET (optional, string, e.g., dt0s02.SAMPLE.abcd1234) - Alternative: Dynatrace OAuth Client Secret (for advanced use cases)
• DT_SSO_URL (optional, string, e.g., https://sso.dynatrace.com) - Override the SSO URL for OAuth authentication. By default, the SSO URL is automatically discovered from your Dynatrace environment.
• DT_GRAIL_QUERY_BUDGET_GB (optional, number, default: 1000) - Budget limit in GB (base 1000) for Grail query bytes scanned per session. The MCP server tracks your Grail usage and warns when approaching or exceeding this limit.

When just providing DT_ENVIRONMENT, the local MCP server will try to open a browser window to authenticate against the Dynatrace SSO.

For more information about the other authentication methods, please have a look at the documentation about creating a Platform Token in Dynatrace, as well as creating an OAuth Client in Dynatrace for advanced scenarios (service-users, backend-to-backend communication).

In addition, depending on the features you use, the following variables can be configured:

• SLACK_CONNECTION_ID (string) - connection ID of a Slack Connection

Proxy Configuration

The MCP server honors system proxy settings for corporate environments:

• https_proxy or HTTPS_PROXY (optional, string, e.g., http://proxy.example.com:8080) - Proxy server URL for HTTPS requests
• http_proxy or HTTP_PROXY (optional, string, e.g., http://proxy.example.com:8080) - Proxy server URL for HTTP requests
• no_proxy or NO_PROXY (optional, string, e.g., localhost,127.0.0.1,.local) - Comma-separated list of hostnames or domains that should bypass the proxy
• NODE_EXTRA_CA_CERTS (optional, string, e.g., C:\some-path\certificate.pem) - When set, the well known "root" CAs (like VeriSign) will be extended with the extra certificates

Note: The no_proxy environment variable is currently logged for informational purposes but not fully enforced by the underlying HTTP client. If you need to bypass the proxy for specific hosts, consider configuring your proxy server to handle these exclusions.

Example configuration with proxy:

export HTTPS_PROXY=http://proxy.company.com:8080
export NO_PROXY=localhost,127.0.0.1,.company.local
export DT_ENVIRONMENT=https://abc12345.apps.dynatrace.com

Scopes for Authentication

Depending on the features you are using, the following scopes are needed:

Available for both Platform Tokens and OAuth Clients:

• app-engine:apps:run - needed for almost all tools
• app-settings:objects:read - read app-settings - needed for send_slack_message tool to read connection details from App-Settings
• storage:buckets:read - needed for execute_dql tool to read all system data stored on Grail
• storage:logs:read - needed for execute_dql tool to read logs for reliability guardian validations
• storage:metrics:read - needed for execute_dql tool to read metrics for reliability guardian validations
• storage:bizevents:read - needed for execute_dql tool to read bizevents for reliability guardian validations
• storage:spans:read - needed for execute_dql tool to read spans from Grail
• storage:entities:read - needed for execute_dql tool to read Entities from Grail
• storage:events:read - needed for execute_dql tool to read Events from Grail
• storage:security.events:read- needed for execute_dql tool to read Security Events from Grail
• storage:system:read - needed for execute_dql tool to read System Data from Grail
• storage:user.events:read - needed for execute_dql tool to read User events from Grail
• storage:user.sessions:read - needed for execute_dql tool to read User sessions from Grail
• storage:smartscape:read - needed for execute_dql tool to read Smartscape Data
• storage:files:read - needed for execute_dql tool to use DQL load statements for lookup data (e.g., /lookups/http_status_codes)
• storage:events:write - needed for send_event tool to send event data to Dynatrace
• davis-copilot:conversations:execute - execute conversational skill (chat with Copilot)
• davis-copilot:nl2dql:execute - execute Davis Copilot Natural Language (NL) to DQL skill
• davis-copilot:dql2nl:execute - execute DQL to Natural Language (NL) skill
• davis:analyzers:read - needed for listing and getting Davis analyzer definitions
• davis:analyzers:execute - needed for executing Davis analyzers
• email:emails:send - needed for send_email tool to send emails
• document:documents:read - needed for list_documents and read_document tools to list and read Dynatrace documents (Notebooks, Dashboards, Launchpads, etc.)
• document:documents:write - needed for create_document tool to create new documents

Notes:

• Versions before 0.12.0 required the scope app-engine:functions:run, which is no longer required.
• Versions before 0.13.0 required the scopes settings:objects:read and environment-api:entities:read, which are no longer required.

✨ Example prompts ✨

You can start with something as simple as "Is my component monitored by Dynatrace?", and follow up with more sophisticated examples.

Troubleshooting

Authentication Issues

In most cases, authentication issues are related to missing scopes or invalid tokens. Please ensure that you have added all required scopes as listed above.

For Platform Tokens:

1. Verify your Platform Token has all the necessary scopes listed in the "Scopes for Authentication" section
2. Ensure your token is valid and not expired
3. Check that your user has the required permissions in your Dynatrace Environment

For OAuth Clients: In case of OAuth-related problems, you can troubleshoot SSO/OAuth issues based on our Dynatrace Developer Documentation.

It is recommended to test access with the following API (which requires minimal scopes app-engine:apps:run and, e.g., storage:logs:read):

1. Use OAuth Client ID and Secret to retrieve a Bearer Token (only valid for a couple of minutes):

curl --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id={your-client-id}' \
  --data-urlencode 'client_secret={your-client-secret}' \
  --data-urlencode 'scope=app-engine:apps:run storage:logs:read'

2. Use access_token from the response of the above call as the bearer-token in the next call:

curl -X GET https://abc12345.apps.dynatrace.com/platform/management/v1/environment \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {your-bearer-token}'

3. You should retrieve a result like this:

{
  "environmentId": "abc12345",
  "createTime": "2023-01-01T00:10:57.123Z",
  "blockTime": "2025-12-07T00:00:00Z",
  "state": "ACTIVE"
}

Problem accessing data on Grail

Grail has a dedicated section about permissions in the Dynatrace Docs. Please refer to https://docs.dynatrace.com/docs/discover-dynatrace/platform/grail/data-model/assign-permissions-in-grail for more details.

Telemetry

The Dynatrace MCP Server sends telemetry data using Dynatrace OpenKit BizEvents to help improve the product. This includes:

• Server start events (com.dynatrace-oss.mcp.server-start)
• Client initialization events (com.dynatrace-oss.mcp.client-initialization) - which MCP client is connecting (e.g., VS Code, Claude Desktop, Cursor)
• Tool usage events (com.dynatrace-oss.mcp.tool-usage) - which tools are called, success/failure, execution duration
• Error events (com.dynatrace-oss.mcp.error) - error tracking for debugging and improvement

All telemetry data is sent as Business Events and is accessible via Grail for analysis:

fetch bizevents
| filter startsWith(event.type, "com.dynatrace-oss.mcp")
| sort timestamp DESC

Privacy and Opt-out:

• Telemetry is enabled by default but can be disabled by setting DT_MCP_DISABLE_TELEMETRY=true
• No sensitive data from your Dynatrace environment is tracked
• Only anonymous usage statistics and error information are collected
• Usage statistics and error data are transmitted to Dynatrace’s analytics endpoint

Configuration options:

• DT_MCP_DISABLE_TELEMETRY (boolean, default: false) - Disable Telemetry
• DT_MCP_TELEMETRY_APPLICATION_ID (string, default: dynatrace-mcp-server) - Application ID for tracking
• DT_MCP_TELEMETRY_ENDPOINT_URL (string, default: Dynatrace endpoint) - OpenKit endpoint URL
• DT_MCP_TELEMETRY_DEVICE_ID (string, default: auto-generated) - Device identifier for tracking

To disable usage tracking, add this to your environment:

DT_MCP_DISABLE_TELEMETRY=true