Skip to content

Pattern detail

Composes a full single-pattern view by fetching data from three sources in parallel:

  1. event_lookup — identity, first_seen, per-service cost breakdown
  2. pattern_trend — 24h time series for the line chart
  3. pattern_examples — sample events from the SIEM (when available)

Returns a plain-text must_render_verbatim block with: pattern header + first-seen age, 24h line chart, cross-service ASCII bar chart, severity breakdown, and 3-5 sample events truncated to 120 chars.

Then asks: "Back to preview list" or "Apply with this in the picture."

Example

You

drill into pattern #2

Log10x

Pattern: healthcheck_ok_pod_$ First seen: 3 days ago

Volume trend (24h) [line chart]

Service distribution (30d) checkout-svc [INFO] ████████████████░░░░░░░░░░░░ 890MB payment-svc ██░░░░░░░░░░░░░░░░░░░░░░░░░░ 190MB

Severity breakdown: INFO: 0.85GB (82%) | (none): 0.19GB (18%)

Sample events (3 shown): 1. {"level":"info","msg":"healthcheck ok","pod":"checkout-7f8d9-x2p"}

What next? Back — return to the preview list Apply — proceed with applying the mode

Prerequisites

Reporter deployed (for TSDB trend and service breakdown). SIEM connector configured for sample events (optional — skipped gracefully if absent).

Schema and samples

Input schema

Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):

{
  "type": "object",
  "properties": {
    "pattern_hash": {
      "type": "string",
      "description": "The tenx_hash of the pattern to drill into. Obtained from log10x_preview_filter data.patterns[].tenx_hash. Preferred over pattern when available (skips a metrics lookup)."
    },
    "pattern": {
      "type": "string",
      "description": "Pattern name (Symbol Message, e.g. \"Payment_Gateway_Timeout\") as an alias for pattern_hash. Resolved to hash via metrics lookup. Provide either pattern or pattern_hash."
    },
    "include_samples": {
      "type": "boolean",
      "default": true,
      "description": "When true (default), attempts to fetch 3-5 sample events from the SIEM. Set false to skip the SIEM round-trip."
    },
    "timeRange": {
      "type": "string",
      "pattern": "^\d+[mhd]$",
      "default": "7d",
      "description": "Time window for the volume trend and sample events lookback. Default 7d. Pattern: ^\d+[mhd]$."
    },
    "environment": {
      "type": "string",
      "description": "Environment nickname for multi-env setups."
    }
  },
  "additionalProperties": false
}

Source: src/tools/pattern-detail.ts.

Output schema

The data block inside the StructuredOutput envelope:

interface ToolData {
  pattern_hash: string;
  pattern_name: string | null;
  services: Array<{
    service: string;
    severity: string;
    bytes: number;
    share_pct: number;
  }>;
  total_bytes: number;
  first_seen_age_seconds: number | null;
  trend_time_series: Array<{ ts: number; bytes_per_sec: number }>;
  sample_events: string[];
  must_render_verbatim: string;
  must_ask_user: { question: string; options: string[] };
}

Envelope-level fields the agent should also read: summary.headline, actions[] (back to preview / apply), schema_epoch.

Next: Preview filter