Top patterns
Rank the loudest patterns by CURRENT cost when you want to know what's expensive right now in a service or cluster. Returns a ranked list with severity, event count, and a Top-N = X% of volume coverage line.
For "what grew vs last week?" use What's changing. For "what showed up recently?" use What's new. Each tool answers one question; this one answers "where is my money going right now?"
Example
You
top 20 patterns in checkout-svc, last hour
Log10x
Cart_Validation_Failed$890/h · ERROR · 12K eventsInventory_Check_Latency$640/h · INFO · 18K eventsCoupon_Lookup_Miss$410/h · INFO · 7K events ... 17 more
Top 20 = 64% of total volume in scope / 36% in the long tail.
More to ask
- "loudest patterns right now"
- "top 10 patterns by event count, 1h"
- "top patterns in
payments-svcthis hour"
Prerequisites
This tool requires the Reporter deployed.
Schema and samples
Input example
Real call against the demo env (captured by scripts/capture-tool-envelopes.mjs).
Input schema
Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):
{
"type": "object",
"properties": {
"service": {
"type": "string",
"description": "Service name to scope the result. Omit for all services."
},
"severity": {
"type": "string",
"description": "Severity level to scope the result (e.g., `ERROR`, `CRITICAL`, `DEBUG`)."
},
"timeRange": {
"type": "string",
"pattern": "^\d+[mhd]$",
"default": "1h",
"description": "Time range to aggregate over. Default 1h."
},
"limit": {
"type": "number",
"minimum": 1,
"maximum": 50,
"default": 10,
"description": "Number of patterns to return. Default 10."
},
"offset": {
"type": "number",
"minimum": 0,
"default": 0,
"description": "Skip the first N patterns of the ranked result (for pagination). Default 0."
},
"analyzerCost": {
"type": "number",
"description": "DEPRECATED — use effective_ingest_per_gb. SIEM ingestion cost in $/GB. Auto-detected from profile if omitted."
},
"effective_ingest_per_gb": {
"type": "number",
"description": "Customer-supplied $/GB rate used for the dollar overlay. When set, headline tags `rate_source=customer_supplied`. When absent, falls back to the profile list rate (`rate_source=list_price`) or omits dollars entirely (`rate_source=unset`)."
},
"siemScope": {
"type": "string",
"description": "SIEM scope for the verbatim sample line on the top rows."
},
"environment": {
"type": "string",
"description": "Environment nickname (for multi-env setups)."
},
"verbose": {
"type": "boolean",
"default": false,
"description": "When true, every card carries the full forwarder snippet inline, every CTA renders unconditionally, and the volume-trend chart shows on every top-3 card. Default: compact mode (snippet templated once at top, CTAs gated to where they earn their line, chart only on ACUTE/NEW patterns)."
},
"view": {
"type": "string",
"const": "summary",
"default": "summary",
"description": "Output format. Always \"summary\" — the structured JSON envelope with patterns, incidents, totals, and chained-tool action hints. Field retained for backward-compat with callers that still pass `view: \"summary\"`."
},
"include": {
"type": "string",
"enum": [
"kept",
"dropped",
"both"
],
"default": "kept",
"description": "Which engine-decision cohort to scope to. `kept` (default) = events the engine forwarded as-is (isDropped!=\"true\") — the pre-PL-12 behavior. `dropped` = events tagged isDropped=\"true\" by the engine (the offload/down-tier cohort). `both` = the pre-decision union; per-row output adds kept_bytes / dropped_bytes / dropped_share_pct. Use `dropped` to verify post-deploy realised savings or to answer \"which patterns are we offloading right now\". Use `both` to compute the offload share denominator in a single call."
},
"include_chart": {
"type": "boolean",
"default": false,
"description": "Set include_chart=true to embed the rendered chart inline (large; default false to avoid response truncation)."
}
},
"additionalProperties": false
}
Source: src/tools/top-patterns.ts.
Output example
Real envelope from the demo env. view: "summary" returns the full StructuredOutput with typed data. Long arrays + base64 PNG bodies trimmed for readability; the real call returns them in full.
Headline (the 1-line agent-facing answer):
Top 5 patterns over last 1h cost ~$310/mo total.
{
"schema_version": "1.0",
"schema_epoch": "2026-05-25",
"tool": "log10x_top_patterns",
"generated_at": "2026-05-26T15:37:06.891Z",
"view": "summary",
"summary": {
"headline": "Top 5 patterns over last 1h cost ~$310/mo total."
},
"data": {
"patterns": [
{
"rank": 1,
"identity": "open_telemetry_opensearchexporter_clientLogger_LogRoundTrip_open_telemetry_opensearchexporter_v_go_github_opensearch_project",
"template_hash": "A4Rp6cSyTtY",
"service": "opentelemetry-collector",
"severity": "ERROR",
"cost_per_hour_usd": 0.19948668380212137,
"cost_per_month_usd": 143.6304123375274,
"bytes": 142798130.48626736,
"events": 3346.263958258455,
"first_seen_age_seconds": 488216,
"badge": "STABLE",
"descriptor": "open_telemetry_opensearchexporter_clientLogger_LogRoundTrip_open_telemetry_opensearchexporter_v_go_github_opensearch_project",
"trend_bytes_per_sec": [
39027.58632157437,
40972.76290468055,
40779.90460441579,
"... 142 more elided"
]
},
{
"rank": 2,
"identity": "retryable_error_Permanent_error_flush_dial_tcp_lookup_opensearch_no_such_host_error_flush_dial_tcp_lookup_opensearch_no_such",
"template_hash": "ZRJMij8tDok",
"service": "opentelemetry-collector",
"severity": "ERROR",
"cost_per_hour_usd": 0.07490888865482631,
"cost_per_month_usd": 53.93439983147494,
"bytes": 53621871.15869741,
"events": 5941.139554980694,
"first_seen_age_seconds": 740216,
"badge": "STABLE",
"descriptor": "retryable_error_Permanent_error_flush_dial_tcp_lookup_opensearch_no_such_host_error_flush_dial_tcp_lookup_opensearch_no_such",
"trend_bytes_per_sec": [
14843.295060568522,
14487.898549821062,
15193.005708777559,
"... 142 more elided"
]
},
{
"rank": 3,
"identity": "node_modules_stream_lib_worker_js_runtime_runtime_nodejs_runtime_description_Node_js_command_usr_src_app_node_modules_stream",
"template_hash": "SlBZ_7jffUA",
"service": "payment",
"severity": "",
"cost_per_hour_usd": 0.04542152778084111,
"cost_per_month_usd": 32.7035000022056,
"bytes": 32513996.05884467,
"events": 1614.318855014382,
"first_seen_age_seconds": 488216,
"badge": "STABLE",
"descriptor": "node_modules_stream_lib_worker_js_runtime_runtime_nodejs_runtime_description_Node_js_command_usr_src_app_node_modules_stream",
"trend_bytes_per_sec": [
9820.686292436156,
8204.039220087201,
7364.106995953167,
"... 142 more elided"
]
},
"... 2 more elided"
],
"incidents": [],
"totals": {
"monthly_usd": 309.77287481320207,
"bytes_per_sec": 85549.4062828321,
"pattern_count_shown": 5,
"pattern_count_total": 246
},
"window": "last 1h",
"pattern_count_shown": 5,
"pattern_count_total": 246
},
"actions": [
{
"tool": "log10x_investigate",
"args": {
"starting_point": "open_telemetry_opensearchexporter_clientLogger_LogRoundTrip_open_telemetry_opensearchexporter_v_go_github_opensearch_project",
"window": "24h"
},
"reason": "root-cause the top error loop before suppressing it (surfaces log-only signals: DNS, connection-pool, dependency failures)"
},
{
"tool": "log10x_pattern_mitigate",
"args": {
"pattern": "open_telemetry_opensearchexporter_clientLogger_LogRoundTrip_open_telemetry_opensearchexporter_v_go_github_opensearch_project"
},
"reason": "env-gated mitigation options + exact configs for this pattern"
},
{
"tool": "log10x_savings",
"args": {
"timeRange": "1h"
},
"reason": "projected savings across the env if you act — drop vs compact vs sample"
},
"... 2 more elided"
],
"render_hint": {
"chart": "timeseries",
"units": "$/mo"
},
"truncated": true,
"warnings": [],
"images": [
{
"data": "<base64 PNG omitted from doc capture; render at runtime>",
"mimeType": "image/png",
"alt": "Top 5 patterns by monthly cost over last 1h"
}
]
}
Output schema
The data block inside the StructuredOutput envelope:
interface ToolData {
patterns: Array<{
rank: number;
identity: string;
template_hash: string;
service: string;
severity: string;
cost_per_hour_usd: number;
cost_per_month_usd: number;
bytes: number;
events: number;
first_seen_age_seconds: number;
badge: string;
descriptor: string;
trend_bytes_per_sec: number[];
}>;
incidents: unknown[];
totals: { monthly_usd: number; bytes_per_sec: number; pattern_count_shown: number; pattern_count_total: number };
window: string;
pattern_count_shown: number;
pattern_count_total: number;
}
Envelope-level fields the agent should also read: summary.headline (1-line answer), actions[] (next-call chain hints as {tool, args, reason}), truncated: boolean, images[] (PNG attachments where applicable), schema_epoch (engine-ID stability boundary).