Mitigate
Ask once, get every viable option. The tool checks what's deployed in the active env (Receiver? Retriever? GitOps wiring? Which forwarder and analyzer?) and renders a menu of mitigation paths with the unavailable ones dimmed, so you never pick a path that needs infrastructure you don't have. Each option emits a structured next-action so the agent can route on your choice in one hop.
The four options:
| Option | What it does | How to apply |
|---|---|---|
| Drop at the analyzer | Vendor-native exclusion (Datadog / Splunk / CloudWatch / Elasticsearch). Pattern is dropped at ingest. | Paste the per-option config_snippet into your analyzer. |
| Drop at the forwarder | Forwarder-side filter (fluent-bit, fluentd, otel-collector, etc.). Pattern is dropped before it leaves the host. | Paste the per-option config_snippet into your forwarder config. |
| Cap at the Receiver | Per-container byte cap via the rate regulator. PR against the gitops repo. | Engine PR |
| Compact at the Receiver | Lossless compaction via Compact mode, events shrink ~20–40×. PR against the gitops repo. | Engine PR |
Dependency check is listed as a required pre-action for any drop-style option, so the safety gate stays enforced.
Example
You
options for Payment_Gateway_Timeout — it's $58/mo
Log10x
Receiver deployed (gitops: acme/log10x-config). Forwarder: fluentbit. Analyzer: Datadog.
- Drop at Datadog —
@tenx_hash:"sZw4qq3MCWE"exclusion filter. Stops appearing in Logs Explorer. Run Dependency check first. - Drop at fluent-bit — drop rule on the forwarder; pattern never reaches Datadog. Run Dependency check first.
- Cap at the Receiver — per-container byte cap with PR against
acme/log10x-config. Pattern is sampled at the severity floor when it goes hot. - Compact at the Receiver — losslessly compact the pattern's container; ~20–40× volume reduction with full retriever expansion.
Which?
More to ask
- "options for
HealthCheck_Pass, just the cheapest" - "only mute/compact options, skip the analyzer drops"
Prerequisites
None — the tool degrades gracefully. Without a snapshot, it still renders the menu but dims PR-based options when no gitops.repo is set on the active env. With a snapshot, the dim/highlight is based on what's actually deployed.
Schema and samples
Input example
Real call against the demo env (captured by scripts/capture-tool-envelopes.mjs).
Input schema
Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):
{
"type": "object",
"properties": {
"pattern": {
"type": "string",
"minLength": 1,
"description": "The pattern identity to mitigate. Pass the canonical name from a prior log10x_top_patterns / log10x_cost_drivers / log10x_event_lookup row."
},
"service": {
"type": "string",
"description": "Optional service scope. When set, options that target a single service (forwarder drop, exclusion filter) are scoped to it."
},
"snapshot_id": {
"type": "string",
"description": "Snapshot from log10x_discover_env. Used to detect which 10x components are deployed in the active env (receiver, retriever, GitOps wiring). When passed, the envelope's `recommendation_audit.capability_sources` reflects which capabilities came from the snapshot vs envs.json. Without it, the tool still works but may dim PR-based options if the active env's envs.json does not list a gitops repo."
}
},
"required": [
"pattern"
],
"additionalProperties": false
}
Source: src/tools/pattern-mitigate.ts.
Output example
Real envelope from the demo env. view: "summary" returns the full StructuredOutput with typed data. Long arrays + base64 PNG bodies trimmed for readability; the real call returns them in full.
Headline (the 1-line agent-facing answer):
cart\_cartstore\_ValkeyCartStore: 1 of 4 mitigation options enabled (drop_at_analyzer)
{
"schema_version": "1.0",
"schema_epoch": "2026-05-25",
"tool": "log10x_pattern_mitigate",
"generated_at": "2026-05-26T15:38:35.771Z",
"view": "summary",
"summary": {
"headline": "`cart_cartstore_ValkeyCartStore`: 1 of 4 mitigation options enabled (drop_at_analyzer)"
},
"data": {
"pattern": "cart_cartstore_ValkeyCartStore",
"options": [
{
"id": "drop_at_analyzer",
"enabled": true,
"label": "Drop at Splunk"
},
{
"id": "drop_at_forwarder",
"enabled": false,
"disabled_reason": "forwarder not detected from env / snapshot",
"label": "Drop at forwarder"
},
{
"id": "mute_at_10x",
"enabled": false,
"disabled_reason": "To enable mute/compact at the 10x engine, set `gitops.repo` (owner/name) in your `~/.log10x/envs.json` entry — or export `LOG10X_GH_REPO=<owner/name>` — or pass a `snapshot_id` from `log10x_discover_env` against a cluster with a receiver pod that has `GH_ENABLED=true` + `GH_REPO=<owner/name>` set.",
"label": "Mute at 10x receiver"
},
"... 1 more elided"
],
"env_capabilities": {
"can_mute": false,
"can_compact": false,
"has_retriever_archive": false,
"analyzer_vendor": "splunk"
}
},
"actions": [],
"truncated": false,
"warnings": []
}
Output schema
The data block inside the StructuredOutput envelope:
interface ToolData {
pattern: string;
options: Array<{
id: string;
enabled: boolean;
label: string;
}>;
env_capabilities: { can_mute: boolean; can_compact: boolean; has_retriever_archive: boolean; analyzer_vendor: string };
}
Envelope-level fields the agent should also read: summary.headline (1-line answer), actions[] (next-call chain hints as {tool, args, reason}), truncated: boolean, images[] (PNG attachments where applicable), schema_epoch (engine-ID stability boundary).