Shows the list of patterns that would be affected by applying a given enforcement mode to a service, before any action is taken. Returns a fixed-width plain-text table (not markdown) with columns: rank, descriptor, volume, %, service, severity, first seen, trend sparkline. Also writes the full data as CSV to /tmp/log10x-preview-<mode>-<service>.csv.
Data source: TSDB when Reporter is deployed; falls back to a POC-SIEM path when no metrics backend is available.
Chains to log10x_pattern_detail when the user drills into a row.
Example
You
show me which patterns would be affected by drop on checkout-svc
Log10x
Preview: drop on service "checkout-svc" (18 patterns shown)
Descriptor Volume % Service Sev First seen Trend
1 cart_item_added_sku_$qty$ 2.3GB 41.2% checkout-svc INFO 14d ago ▄▄▅▆ 2 healthcheck_ok_pod_$ 890MB 15.9% checkout-svc 3d ago ▇▇▇▇ ...
Full data written to: /tmp/log10x-preview-drop-checkout-svc.csv
What next? Give a pattern number to drill in, type "Apply", or "Mode" to pick differently.
More to ask
- "show top 30 patterns"
- "preview compact on payment-svc"
- "drill into pattern #2"
Prerequisites
Reporter deployed for TSDB data. Works without Reporter via the POC-SIEM path (pattern data from SIEM samples).
Schema and samples
Input schema
Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):
{
"type": "object",
"properties": {
"service": {
"type": "string",
"description": "Service to scope the preview to."
},
"mode": {
"type": "string",
"enum": [
"drop",
"sample",
"compact",
"tier_down",
"offload",
"observe_only"
],
"description": "The enforcement mode being previewed. Controls which patterns are highlighted as affected."
},
"top_n": {
"type": "number",
"minimum": 1,
"maximum": 50,
"default": 20,
"description": "Number of patterns to surface. Default 20."
},
"environment": {
"type": "string",
"description": "Environment nickname for multi-env setups."
}
},
"required": [
"service",
"mode"
],
"additionalProperties": false
}
Source: src/tools/preview-filter.ts.
Output schema
The data block inside the StructuredOutput envelope:
interface ToolData {
service: string;
mode: string;
patterns: Array<{
rank: number;
descriptor: string;
descriptor_full: string;
tenx_hash: string;
bytes_per_month: number;
percent_of_service: number;
service: string;
severity: string;
first_seen_relative: string | null;
trend_data: number[];
trend_sparkline: string;
}>;
total_service_bytes_per_month: number;
must_render_verbatim: string;
must_ask_user: { question: string; options: string[] };
forbidden_next_actions: string[];
csv_path: string | null;
data_source: 'tsdb' | 'poc_siem';
}
Envelope-level fields the agent should also read: summary.headline, actions[] (one per pattern — drill to log10x_pattern_detail), schema_epoch.