Explain mode
Called after the user picks a mode from log10x_cost_options. Returns a three-section plain-text card (not markdown) explaining the mode at a service level:
- What it does — effect on events, no mechanism jargon
- What you need — prerequisites
- What it would mean for [service] — volume and estimated dollar impact when metrics are available
Then asks: Apply or Preview? Routes to log10x_configure_engine (apply) or log10x_preview_filter (preview).
Example
You
explain drop for payment-svc
Log10x
What it does
No events reach the SIEM; engine drops at the Receiver before delivery. Events are discarded permanently.
What you need
The 10x Receiver sidecar must be installed in-path. Requires a GitOps repo configured so 10x can open the action-plan PR.
What it would mean for payment-svc
payment-svc sends roughly 45.3 GB per month (splunk). Potential reduction: 45.3 GB × $0.50/GB = $272/mo.
Do you want to apply drop to payment-svc, or first preview which patterns would be affected?
1. Apply — route to log10x_configure_engine
2. Preview — show me the pattern list first (log10x_preview_filter)
More to ask
- "explain compact for checkout-svc"
- "what's the difference between drop and offload?"
- "explain tier_down"
Prerequisites
Reporter deployed (for volume figures). Volume data is best-effort; the card renders without it.
Schema and samples
Input schema
Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):
{
  "type": "object",
  "properties": {
    "service": {
      "type": "string",
      "description": "Service name to personalize the explanation with service-level volume and cost figures."
    },
    "mode": {
      "type": "string",
      "enum": [
        "drop",
        "sample",
        "compact",
        "tier_down",
        "offload",
        "observe_only"
      ],
      "description": "Which enforcement mode to explain. `drop` = engine hard-drops matched patterns at the Receiver before delivery. `sample` = engine passes 1-in-N events through to the SIEM. `compact` = engine compresses events ~50-80% losslessly; all events still reach the stack. `tier_down` = engine stamps the isDropped marker; a routing rule moves events to a cheaper storage tier (Datadog Flex / CloudWatch IA). `offload` = engine diverts matched events to a customer-owned S3 bucket; recoverable via log10x_retriever_query. `observe_only` = engine observes and fingerprints but does not act; use to baseline volume before committing."
    },
    "destination": {
      "type": "string",
      "description": "Auto-detected destination SIEM or forwarder. When omitted the tool infers from envs.json / env vars. Used to name the specific vendor in the explanation (\"your Datadog workspace\", \"your Splunk index\", etc.)."
    }
  },
  "required": [
    "service",
    "mode"
  ],
  "additionalProperties": false
}
Source: src/tools/explain-mode.ts.
Output schema
The data block inside the StructuredOutput envelope:
interface ToolData {
  service: string;
  mode: 'drop' | 'sample' | 'compact' | 'tier_down' | 'offload' | 'observe_only';
  destination: string | null;
  service_bytes_per_month: number | null;
  service_cost_per_month_usd: number | null;
  must_render_verbatim: string;
  must_ask_user: { question: string; options: string[] };
  forbidden_next_actions: string[];
  routes_to: {
    apply: { tool: string; args: Record<string, unknown> } | null;
    preview: { tool: string; args: Record<string, unknown> };
  };
}
Envelope-level fields the agent should also read: summary.headline, actions[], schema_epoch.
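One way an MCP client could enforce must_ask_user, forbidden_next_actions and routes_to before making the follow-up call, shown as an added example (not Log10x code). It assumes forbidden_next_actions holds tool names and that the user's answer arrives as 'apply', 'preview' or null; nextCall, makeSample and the sample args are hypothetical.

```typescript
// Added example, not Log10x code: gate the agent's follow-up tool call.
type Route = { tool: string; args: Record<string, unknown> };

// Subset of the ToolData interface from the output schema above.
interface ExplainData {
  mode: string;
  must_ask_user: { question: string; options: string[] };
  forbidden_next_actions: string[];
  routes_to: { apply: Route | null; preview: Route };
}

// Returns the one tool call allowed next, or throws with the reason.
// Assumption: forbidden_next_actions lists tool names that must not be called.
function nextCall(data: ExplainData, choice: 'apply' | 'preview' | null): Route {
  // No explicit user answer: the agent may not route anywhere yet.
  if (choice === null) {
    throw new Error('blocked: ask the user first: ' + data.must_ask_user.question);
  }
  const route = choice === 'apply' ? data.routes_to.apply : data.routes_to.preview;
  // routes_to.apply is nullable; do not substitute another tool for it.
  if (route === null) {
    throw new Error('blocked: apply is not offered for mode ' + data.mode);
  }
  if (data.forbidden_next_actions.indexOf(route.tool) !== -1) {
    throw new Error('blocked: ' + route.tool + ' is a forbidden next action');
  }
  return route;
}

// Constructed data block; the args values are placeholders, not real output.
function makeSample(apply: Route | null, forbidden: string[]): ExplainData {
  return {
    mode: 'drop',
    must_ask_user: {
      question: 'Apply drop to payment-svc, or preview first?',
      options: ['Apply', 'Preview'],
    },
    forbidden_next_actions: forbidden,
    routes_to: {
      apply: apply,
      preview: { tool: 'log10x_preview_filter', args: { service: 'payment-svc' } },
    },
  };
}

const applyRoute: Route = { tool: 'log10x_configure_engine', args: { service: 'payment-svc' } };
```

Because drop discards events permanently before they reach the SIEM, a gate like this keeps the apply route behind an explicit user answer instead of relying on the model to follow the card's instructions.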