Skip to content

Safety check

Before muting or dropping a pattern, find every dashboard, alert, saved search, or monitor that references it. Returns the actual dependency list with deep-links when your log analyzer credentials are in the environment, or a paste-ready bash block when they aren't. The executed path is read-only across every vendor; only GETs are issued.

Example

You

deps on Payment_Gateway_Timeout in Splunk

Log10x

Dependency Check on Splunk (executed). 2 alerts, 1 saved search, 3 dashboards reference the pattern:

Alerts

  • Payments_Timeout_Spike fires on rate > 50/min · open
  • Tenant_Impact_Watch multi-tenant variant · open

Saved searches

  • Payment_Gateway_Timeout_24h_summary · open

Dashboards

  • Payments Service Live · open
  • Incident Triage OPS · open
  • Tenant SLA Tracking · open

Redirect or remove these consumers before muting or dropping the pattern.

More to ask

  • "deps on Retry_Backoff_Exhausted in Datadog"
  • "who's using DEBUG /healthz in Elasticsearch?"
  • "can I delete the cart_validation_failed log?"

Prerequisites

Per vendor, set the env vars below for executed mode. Missing creds → paste-ready bash + a note saying which env to set. vendor is auto-detected when exactly one log analyzer is present in the env; pass vendor=<id> when multiple are present.

Vendor Required env Notes
Splunk SPLUNK_HOST + SPLUNK_TOKEN Basic-auth and ~/.splunkrc also accepted. Web URLs derived by mapping :8089:8000 — override with SPLUNK_WEB_URL.
Datadog DD_API_KEY + DD_APP_KEY DATADOG_* aliases work. Site routing via DD_SITE.
CloudWatch Standard AWS credential chain Scans metric filters + metric/composite alarms + dashboards (by name; full-body match would need per-dashboard fetch, kept out of the default path).
Elasticsearch KIBANA_URL + KIBANA_API_KEY (or ELASTIC_API_KEY) Without a Kibana endpoint, falls back to paste-ready bash with a note — Elasticsearch alone can't surface dashboards / rules.

Schema and samples

Input example

Real call against the demo env (captured by scripts/capture-tool-envelopes.mjs).

{
  "pattern": "Payment_Gateway_Timeout",
  "vendor": "datadog",
  "view": "summary"
}
Input schema

Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):

{
  "type": "object",
  "properties": {
    "pattern": {
      "type": "string",
      "description": "Pattern name (e.g., \"Payment_Gateway_Timeout\")"
    },
    "vendor": {
      "type": "string",
      "enum": [
        "datadog",
        "splunk",
        "elasticsearch",
        "cloudwatch"
      ],
      "description": "SIEM vendor to scan. Omit to auto-detect from ambient credentials (DD_API_KEY+DD_APP_KEY → datadog; SPLUNK_HOST+SPLUNK_TOKEN → splunk; ELASTIC_URL → elasticsearch; AWS chain → cloudwatch). When multiple SIEMs are configured, the tool returns an \"ambiguous\" error listing them — pass vendor= to disambiguate. When the resolved SIEM has live credentials the scan runs in-process and returns actual dashboard/alert/saved-search names + URLs; otherwise the tool falls back to a paste-ready bash command."
    },
    "service": {
      "type": "string",
      "description": "Service name to scope the scan"
    },
    "severity": {
      "type": "string",
      "description": "Severity level"
    }
  },
  "required": [
    "pattern"
  ],
  "additionalProperties": false
}

Source: src/tools/dependency-check.ts.

Output example

Real envelope from the demo env. view: "summary" returns the full StructuredOutput with typed data. Long arrays + base64 PNG bodies trimmed for readability; the real call returns them in full.

Headline (the 1-line agent-facing answer):

Payment\_Gateway\_Timeout: 0 dependencies found in datadog (recommendation: unverifiable)

{
  "schema_version": "1.0",
  "schema_epoch": "2026-05-25",
  "tool": "log10x_dependency_check",
  "generated_at": "2026-05-26T15:38:35.775Z",
  "view": "summary",
  "summary": {
    "headline": "`Payment_Gateway_Timeout`: 0 dependencies found in datadog (recommendation: unverifiable)"
  },
  "data": {
    "pattern": "Payment_Gateway_Timeout",
    "vendor": "datadog",
    "execution_mode": "paste_ready",
    "scan_ran": false,
    "dependencies": [],
    "safe_to_drop_recommendation": "unverifiable"
  },
  "actions": [],
  "truncated": false,
  "warnings": []
}
Output schema

The data block inside the StructuredOutput envelope:

interface ToolData {
  pattern: string;
  vendor: string;
  execution_mode: string;
  scan_ran: boolean;
  dependencies: unknown[];
  safe_to_drop_recommendation: string;
}

Envelope-level fields the agent should also read: summary.headline (1-line answer), actions[] (next-call chain hints as {tool, args, reason}), truncated: boolean, images[] (PNG attachments where applicable), schema_epoch (engine-ID stability boundary).

Next: Mitigate