Examples
Given a pattern (or a pasted log line that resolves to one), pull recent live events from the log analyzer and group them by exact template. Returns the top 3 buckets by event count with per-bucket template label, recall, and extracted slot values per match. Bounded to a 24-hour window in the live analyzer. When a pattern is under an offload action, the SIEM never received those events; to sample the held-back cohort instead, see Retriever query.
Typically called by Investigate when a metric tier surfaces a pattern that needs event evidence to form a hypothesis. Not usually invoked directly.
Example
You
show examples of Payment_Gateway_Timeout from the last hour
Log10x
From Datadog, 1h, 12 events, 3 template buckets:
| bucket | template | events |
|---|---|---|
| 1 | Payment_Gateway_Timeout: connect timeout after {ms}ms on host {host} | 7 |
| 2 | Payment_Gateway_Timeout: read timeout, retried {n} times | 3 |
| 3 | Payment_Gateway_Timeout: SSL handshake failed: {error} | 2 |
Bucket 1 sample: ms=4823, host=payments-3.acme.net · ms=5102, host=payments-7.acme.net · …
More to ask
- "examples of this pasted line, scope to cart-svc, error level only"
- "slow examples, show 50 per bucket"
Prerequisites
Log analyzer credentials in the env for one of: Splunk, Datadog, Elasticsearch, CloudWatch. When multiple are configured, pass vendor= explicitly.
Schema and samples
Input example
Real call against the demo env (captured by scripts/capture-tool-envelopes.mjs).
Input schema
Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):
{
"type": "object",
"properties": {
"pattern": {
"type": "string",
"description": "Pattern name (Symbol Message, e.g. `Payment_Gateway_Timeout`) or a pasted raw log line. Pasted lines resolve to the matching pattern via the same templater path as log10x_resolve_batch. Required."
},
"vendor": {
"type": "string",
"enum": [
"splunk",
"datadog",
"elasticsearch",
"cloudwatch"
],
"description": "Log analyzer to search. Auto-detected when exactly one of the supported vendors has credentials in the env; pass explicitly when multiple are configured."
},
"service": {
"type": "string",
"description": "Optional service-name scope. Translated to the vendor-specific service filter."
},
"severity": {
"type": "string",
"description": "Optional severity scope (e.g., `ERROR`, `WARN`)."
},
"timeRange": {
"type": "string",
"enum": [
"15m",
"1h",
"6h",
"24h",
"1d",
"7d",
"30d"
],
"default": "1h",
"description": "Window for the live SIEM probe. Capped at 24h. To sample a pattern's offloaded cohort (events the Receiver routed to the overflow bucket, which the SIEM never received), use log10x_retriever_query. '1d' is a legacy alias for '24h'."
},
"limit": {
"type": "number",
"minimum": 1,
"maximum": 50,
"default": 10,
"description": "Maximum number of sample events per templateHash bucket. 1-50, default 10."
},
"scope": {
"type": "string",
"description": "Vendor-specific scope (Splunk index, Datadog index, ES index pattern, CloudWatch log group). Defaults to a sensible per-vendor value when omitted."
},
"environment": {
"type": "string",
"description": "Environment nickname."
}
},
"required": [
"pattern"
],
"additionalProperties": false
}
Source: src/tools/pattern-examples.ts.
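The schema above leaves three normalisation rules to the caller's reading: `vendor` is auto-detected only when exactly one vendor has credentials, `timeRange` accepts `1d` as an alias and values past the 24h cap, and `limit` is bounded 1-50 with `additionalProperties: false` on the whole object. The following TypeScript is an added example, not code from `src/tools/pattern-examples.ts`, showing how an agent-side client can validate and normalise a call before sending it. Two assumptions are not on the page: the environment-variable names that mark a vendor as configured (`CRED_ENV` is hypothetical), and that `7d`/`30d` are clamped to `24h` rather than rejected, which is one reading of "Capped at 24h".

```typescript
// Added example, not code from src/tools/pattern-examples.ts: validate and
// normalise a log10x_pattern_examples call against the published input
// schema. Assumptions (not on the page): the credential env variable names in
// CRED_ENV, and that windows above 24h are clamped to 24h rather than rejected.

type Vendor = "splunk" | "datadog" | "elasticsearch" | "cloudwatch";
type ProbeWindow = "15m" | "1h" | "6h" | "24h";

export interface PatternExamplesArgs {
  pattern: string;
  vendor: Vendor;
  timeRange: ProbeWindow;
  limit: number;
  service?: string;
  severity?: string;
  scope?: string;
  environment?: string;
}

const VENDORS: readonly Vendor[] = ["splunk", "datadog", "elasticsearch", "cloudwatch"];
// Enum exactly as published: "1d" is the legacy alias, "7d"/"30d" exceed the cap.
const TIME_RANGE_ENUM: readonly string[] = ["15m", "1h", "6h", "24h", "1d", "7d", "30d"];
const UNCAPPED: readonly string[] = ["15m", "1h", "6h"];
const SCHEMA_KEYS = new Set(["pattern", "vendor", "service", "severity", "timeRange", "limit", "scope", "environment"]);
const OPTIONAL_STRINGS = ["service", "severity", "scope", "environment"] as const;

// Hypothetical: the env variable whose presence means a vendor is configured.
const CRED_ENV: Record<Vendor, string> = {
  splunk: "SPLUNK_TOKEN",
  datadog: "DD_API_KEY",
  elasticsearch: "ES_API_KEY",
  cloudwatch: "AWS_ACCESS_KEY_ID",
};

// Auto-detect only when exactly one vendor has credentials; with several
// configured the caller must pass vendor= explicitly (as the schema says).
export function detectVendor(env: Record<string, string | undefined>): Vendor {
  const configured = VENDORS.filter((v) => Boolean(env[CRED_ENV[v]]));
  if (configured.length === 1) return configured[0];
  if (configured.length === 0) throw new Error("no log analyzer credentials in env");
  throw new Error(`multiple vendors configured (${configured.join(", ")}); pass vendor= explicitly`);
}

export function normalizeArgs(
  raw: Record<string, unknown>,
  env: Record<string, string | undefined>,
): PatternExamplesArgs {
  // additionalProperties: false
  for (const key of Object.keys(raw)) {
    if (!SCHEMA_KEYS.has(key)) throw new Error(`unknown property: ${key}`);
  }
  // required: ["pattern"] (a pattern name or a pasted raw log line)
  const pattern = raw.pattern;
  if (typeof pattern !== "string" || pattern.trim() === "") {
    throw new Error("pattern is required");
  }

  let vendor: Vendor;
  if (raw.vendor === undefined) {
    vendor = detectVendor(env);
  } else if (typeof raw.vendor === "string" && (VENDORS as readonly string[]).includes(raw.vendor)) {
    vendor = raw.vendor as Vendor;
  } else {
    throw new Error(`vendor must be one of ${VENDORS.join(", ")}`);
  }

  // timeRange: default 1h; "1d" maps to "24h"; "7d"/"30d" clamped to the 24h cap (assumption).
  const tr = raw.timeRange === undefined ? "1h" : raw.timeRange;
  if (typeof tr !== "string" || !TIME_RANGE_ENUM.includes(tr)) {
    throw new Error(`timeRange must be one of ${TIME_RANGE_ENUM.join(", ")}`);
  }
  const timeRange: ProbeWindow = UNCAPPED.includes(tr) ? (tr as ProbeWindow) : "24h";

  // limit: samples per template bucket, 1-50, default 10
  const limit = raw.limit === undefined ? 10 : raw.limit;
  if (typeof limit !== "number" || !Number.isFinite(limit) || limit < 1 || limit > 50) {
    throw new Error("limit must be a number between 1 and 50");
  }

  const out: PatternExamplesArgs = { pattern, vendor, timeRange, limit };
  for (const key of OPTIONAL_STRINGS) {
    const v = raw[key];
    if (v === undefined) continue;
    if (typeof v !== "string") throw new Error(`${key} must be a string`);
    out[key] = v;
  }
  return out;
}
```

Rejecting unknown keys client-side matters more than it looks: a misspelled `severity` silently widens the probe to every level, and a misspelled `scope` silently searches the per-vendor default index instead of the one you meant.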
Output example
Real envelope from the demo env. view: "summary" returns the full StructuredOutput with typed data. Long arrays + base64 PNG bodies trimmed for readability; the real call returns them in full.
Headline (the 1-line agent-facing answer):
`open_telemetry_opensearchexporter_clientLogger_LogRoundTrip_open_telemetry_opensearchexporter_v_go_github_opensearch_project` (cloudwatch, 1h): 102 events pulled, 102 retained across 1 templates via tenx_hash-exact
{
"schema_version": "1.0",
"schema_epoch": "2026-05-25",
"tool": "log10x_pattern_examples",
"generated_at": "2026-05-26T15:37:29.611Z",
"view": "summary",
"summary": {
"headline": "`open_telemetry_opensearchexporter_clientLogger_LogRoundTrip_open_telemetry_opensearchexporter_v_go_github_opensearch_project` (cloudwatch, 1h): 102 events pulled, 102 retained across 1 templates via tenx_hash-exact"
},
"data": {
"pattern": "open_telemetry_opensearchexporter_clientLogger_LogRoundTrip_open_telemetry_opensearchexporter_v_go_github_opensearch_project",
"vendor": "cloudwatch",
"window": "1h",
"probe_path": "tenx_hash-exact",
"events_pulled": 102,
"distinct_templates": 1,
"retained_events": 102,
"retained_templates": 1,
"dropped_jaccard_events": 0,
"multi_line_detected": false,
"buckets": [
{
"rank": 1,
"template_hash": "2qiwE{k$rY",
"tenx_hash": "4Fwju8mGbu4",
"event_count": 102,
"jaccard": 1,
"severity": "ERROR",
"service": "tenx-fluentd",
"sample_event": "2026-05-26T14:37:40.275Z\terror\topensearchexporter@v0.142.0/logger.go:36\tRequest failed.\t{\"resource\": {\"service.instance.id\": \"1aab212a-1c9e-423a-9b98-cc7cd26c17ae\", \"service.name\": \"otelcol-contrib\", ",
"slot_distribution": [
{
"slot": "timestamp",
"distinct_count": 20,
"is_constant": false,
"sample_values": [
"1779806260275",
"1779806260481",
"1779806260684"
]
},
{
"slot": "slot_9",
"distinct_count": 20,
"is_constant": false,
"sample_values": [
"002150637",
"005096784",
"00205715"
]
},
{
"slot": "slot_1",
"distinct_count": 1,
"is_constant": true,
"sample_values": [
"142"
]
},
"... 3 more elided"
]
}
],
"probe_notes": [
"scope auto-discovered: 4 group(s) under \"/log10x*\""
]
},
"actions": [],
"truncated": true,
"warnings": []
}
Output schema
The data block inside the StructuredOutput envelope:
interface ToolData {
pattern: string;
vendor: string;
window: string;
probe_path: string;
events_pulled: number;
distinct_templates: number;
retained_events: number;
retained_templates: number;
dropped_jaccard_events: number;
multi_line_detected: boolean;
buckets: Array<{
rank: number;
template_hash: string;
tenx_hash: string;
event_count: number;
jaccard: number;
severity: string;
service: string;
sample_event: string;
slot_distribution: Array<{
slot: string;
distinct_count: number;
is_constant: boolean;
sample_values: string[];
}>;
}>;
probe_notes: string[];
}
Envelope-level fields the agent should also read: summary.headline (1-line answer), actions[] (next-call chain hints as {tool, args, reason}), truncated: boolean, images[] (PNG attachments where applicable), schema_epoch (engine-ID stability boundary).
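An agent that consumes this envelope should check the envelope-level fields before trusting the `data` block: the `tool` name, the `schema_epoch` (template hashes are only comparable within one epoch), `truncated`, and `warnings`, and only then rank the buckets and separate variable slots (the values worth pivoting on) from constant ones. The TypeScript below is an added example of such a reader, not part of the log10x MCP server; its types restate the `ToolData` interface and envelope fields above, and the `SAMPLE` envelope at the bottom is constructed to match the Datadog example earlier on this page, not a real capture.

```typescript
// Added example, not part of the log10x MCP server: an agent-side reader for
// the log10x_pattern_examples envelope. Types mirror the documented ToolData
// interface and envelope fields. SAMPLE is constructed, not a real capture.

interface SlotDistribution { slot: string; distinct_count: number; is_constant: boolean; sample_values: string[]; }
interface Bucket {
  rank: number; template_hash: string; tenx_hash: string; event_count: number; jaccard: number;
  severity: string; service: string; sample_event: string; slot_distribution: SlotDistribution[];
}
interface ToolData {
  pattern: string; vendor: string; window: string; probe_path: string;
  events_pulled: number; distinct_templates: number; retained_events: number; retained_templates: number;
  dropped_jaccard_events: number; multi_line_detected: boolean; buckets: Bucket[]; probe_notes: string[];
}
interface Envelope {
  schema_version: string; schema_epoch: string; tool: string; generated_at: string; view: string;
  summary: { headline: string }; data: ToolData;
  actions: Array<{ tool: string; args: Record<string, unknown>; reason: string }>;
  truncated: boolean; warnings: string[];
}

export interface BucketDigest {
  rank: number; template_hash: string; event_count: number; share: number;
  variable_slots: string[]; constant_slots: string[];
}
export interface Digest { headline: string; top: BucketDigest[]; follow_ups: string[]; notes: string[]; }

export function readEnvelope(env: Envelope, expectedEpoch: string): Digest {
  if (env.tool !== "log10x_pattern_examples") throw new Error(`unexpected tool: ${env.tool}`);
  // template_hash / tenx_hash are only stable within one schema_epoch: refuse to
  // compare these buckets with hashes recorded under another epoch.
  if (env.schema_epoch !== expectedEpoch) {
    throw new Error(`schema_epoch ${env.schema_epoch} differs from expected ${expectedEpoch}`);
  }
  const notes: string[] = [...env.warnings, ...env.data.probe_notes];
  if (env.truncated) {
    notes.push("truncated: sample arrays are incomplete; raise limit or narrow scope before concluding");
  }
  const dropped = env.data.dropped_jaccard_events;
  if (dropped > 0) notes.push(`${dropped} pulled events not retained (jaccard filter)`);

  const total = env.data.retained_events;
  // Top 3 by rank; share is the bucket's fraction of retained events, and the
  // non-constant slots are the values worth pivoting on in a follow-up query.
  const top: BucketDigest[] = [...env.data.buckets]
    .sort((a, b) => a.rank - b.rank)
    .slice(0, 3)
    .map((b) => ({
      rank: b.rank,
      template_hash: b.template_hash,
      event_count: b.event_count,
      share: total > 0 ? b.event_count / total : 0,
      variable_slots: b.slot_distribution.filter((s) => !s.is_constant).map((s) => s.slot),
      constant_slots: b.slot_distribution.filter((s) => s.is_constant).map((s) => s.slot),
    }));
  const follow_ups = env.actions.map((a) => `${a.tool}: ${a.reason}`);
  return { headline: env.summary.headline, top, follow_ups, notes };
}

// Constructed envelope mirroring the Datadog example above (hashes are placeholders).
export const SAMPLE: Envelope = {
  schema_version: "1.0", schema_epoch: "2026-05-25", tool: "log10x_pattern_examples",
  generated_at: "2026-05-26T15:40:00.000Z", view: "summary",
  summary: { headline: "`Payment_Gateway_Timeout` (datadog, 1h): 12 events pulled, 12 retained across 3 templates via tenx_hash-exact" },
  data: {
    pattern: "Payment_Gateway_Timeout", vendor: "datadog", window: "1h", probe_path: "tenx_hash-exact",
    events_pulled: 12, distinct_templates: 3, retained_events: 12, retained_templates: 3,
    dropped_jaccard_events: 0, multi_line_detected: false,
    buckets: [
      { rank: 2, template_hash: "h2", tenx_hash: "t2", event_count: 3, jaccard: 1, severity: "ERROR", service: "payments",
        sample_event: "Payment_Gateway_Timeout: read timeout, retried 3 times",
        slot_distribution: [{ slot: "n", distinct_count: 1, is_constant: true, sample_values: ["3"] }] },
      { rank: 1, template_hash: "h1", tenx_hash: "t1", event_count: 7, jaccard: 1, severity: "ERROR", service: "payments",
        sample_event: "Payment_Gateway_Timeout: connect timeout after 4823ms on host payments-3.acme.net",
        slot_distribution: [
          { slot: "ms", distinct_count: 7, is_constant: false, sample_values: ["4823", "5102"] },
          { slot: "host", distinct_count: 2, is_constant: false, sample_values: ["payments-3.acme.net", "payments-7.acme.net"] },
        ] },
      { rank: 3, template_hash: "h3", tenx_hash: "t3", event_count: 2, jaccard: 1, severity: "ERROR", service: "payments",
        sample_event: "Payment_Gateway_Timeout: SSL handshake failed: certificate has expired",
        slot_distribution: [{ slot: "error", distinct_count: 2, is_constant: false, sample_values: ["certificate has expired", "unknown ca"] }] },
    ],
    probe_notes: [],
  },
  actions: [], truncated: false, warnings: [],
};
```

The epoch check is deliberately a hard failure rather than a note: an agent that silently joins a `template_hash` from a previous epoch against these buckets will form a hypothesis on the wrong template.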