Product Q&A

Answers a product question about Log10x from the documentation that ships inside the MCP build. The corpus under config/mksite/docs/ is the source of truth, so factual questions ("what is the Receiver", "what data leaves my network", "how is pattern identity computed") get a grounded answer in one tool call instead of an answer recalled from model training.

There are two ways to ask:

  • query: a natural-language question. Runs a TF-IDF search across the corpus and returns the best-matching pages.
  • topic: an exact docs slug (e.g. faq/security/data-protection). Bypasses search and returns that page directly. When the slug does not exist, the tool returns a "did you mean" list of the nearest slugs.

Optional category (faq, apps, engine, api, config, manage) narrows a query to one section. Optional max_results caps how many pages a query returns (default 3).

The depth argument controls how much comes back:

  • depth: "short" (default) returns one tight grounded answer plus citation metadata for each matched page (topic + canonical_url + heading, no section bodies). Each citation comes with a learn_more action in actions[] that the agent can fire to read that page in full.
  • depth: "full" returns the matched section bodies for one page. It is requested by passing the learn_more action verbatim (its topic plus depth: "full"), so the chain lands on exactly one page at a time.

Example

You

what data leaves my network when I run 10x?

Log10x

The Receiver runs inside your cluster. Raw log bodies are fingerprinted into a stable pattern identity locally; only the pattern metrics and the events you choose to keep are forwarded to your SIEM. Events routed to offload land in a bucket you own.

Source: docs.log10x.com/faq/security/data-protection/

(Want the full section? I can pull the whole page.)

More to ask

  • "what is the Receiver?"
  • "how is a pattern's identity computed?"
  • "does the Reporter modify my data?"
  • "read the full data-protection page"

Prerequisites

None. The corpus ships inside the MCP build, so this tool needs no environment, TSDB, or SIEM connection. It works in every boot mode.

Schema and samples

Input schema

Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):

{
  "type": "object",
  "properties": {
    "topic": {
      "type": "string",
      "description": "Exact docs slug to fetch. Example: \"faq/security/data-protection\" or \"apps/receiver\". When provided, bypasses search and returns the page directly."
    },
    "query": {
      "type": "string",
      "description": "Natural-language query. Examples: \"what data leaves my network\", \"how is pattern identity computed\", \"does the Reporter modify data\". Ignored when `topic` is set."
    },
    "category": {
      "type": "string",
      "description": "Restrict results to one category. One of: faq, apps, engine, api, config, manage. Combines with `query`."
    },
    "max_results": {
      "type": "integer",
      "minimum": 1,
      "maximum": 20,
      "description": "Cap on the number of results returned. Default 3."
    },
    "depth": {
      "type": "string",
      "enum": [
        "short",
        "full"
      ],
      "description": "Response detail. \"short\" (default) returns a tight grounded answer plus citation metadata (topic + canonical_url, no section bodies) and offers a chained learn_more action per citation. \"full\" returns the matched section bodies for one specific page and is requested via the learn_more action the short response hands back (pass that action verbatim: `topic` + `depth: \"full\"`)."
    }
  },
  "additionalProperties": false
}

At least one of topic or query must be present. When both are omitted the tool returns an input_invalid error.

Source: src/tools/product-qa.ts.
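
The input rules above (no extra properties, at least one of topic or query, depth limited to short or full, max_results from 1 to 20) written as a client-side pre-flight check, plus a helper that builds the learn_more follow-up call. This is an added example, not the code in src/tools/product-qa.ts; the names validateArgs and fullPageRequest are hypothetical, and the category allow-list check is an assumption that is stricter than the published schema.

```typescript
// Added example (not the project's code). validateArgs and fullPageRequest
// are hypothetical names; the rules come from the input schema above.
const ALLOWED_KEYS = ["topic", "query", "category", "max_results", "depth"];
const CATEGORIES = ["faq", "apps", "engine", "api", "config", "manage"];
const DEPTHS = ["short", "full"];

// Returns the list of problems; an empty list means the call is well-formed.
function validateArgs(raw: Record<string, unknown>): string[] {
  const errors: string[] = [];
  for (const key of Object.keys(raw)) {
    // additionalProperties: false, so unknown keys are rejected outright.
    if (ALLOWED_KEYS.indexOf(key) === -1) errors.push("unknown property: " + key);
  }
  for (const key of ["topic", "query", "category", "depth"]) {
    if (key in raw && typeof raw[key] !== "string") errors.push(key + " must be a string");
  }
  // At least one of topic or query must be present (server: input_invalid).
  if (typeof raw.topic !== "string" && typeof raw.query !== "string") {
    errors.push("input_invalid: topic or query is required");
  }
  // Stricter than the schema (assumption): the schema types category as a
  // plain string and lists the six values only in its description.
  const category = raw.category;
  if (typeof category === "string" && CATEGORIES.indexOf(category) === -1) {
    errors.push("category not one of: " + CATEGORIES.join(", "));
  }
  const depth = raw.depth;
  if (typeof depth === "string" && DEPTHS.indexOf(depth) === -1) {
    errors.push("depth must be short or full");
  }
  if ("max_results" in raw) {
    const n = raw.max_results;
    if (typeof n !== "number" || Math.floor(n) !== n || n < 1 || n > 20) {
      errors.push("max_results must be an integer from 1 to 20");
    }
  }
  return errors;
}

// Arguments for the follow-up call a learn_more action asks for: that
// citation's topic plus depth "full", and nothing else.
function fullPageRequest(citationTopic: string): Record<string, unknown> {
  return { topic: citationTopic, depth: "full" };
}
```

Running the check before dispatch keeps a malformed or over-broad agent call from reaching the server, where it would only come back as input_invalid.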

Output schema

The data block inside the StructuredOutput envelope. The short default carries answer + citations; depth: "full" and no-match responses carry results instead.

interface ToolData {
  found: boolean;
  // Short default (depth='short'): one grounded answer + citation metadata.
  answer?: string;
  citations?: Array<{
    topic: string;          // docs slug, e.g. "faq/security/data-protection"
    category: string;       // faq | apps | engine | api | config | manage
    canonical_url: string;  // public docs URL the agent cites to the user
    heading: string;        // section heading the answer was drawn from
  }>;
  // Full mode (depth='full') and no-match: ranked matched pages.
  results?: Array<{
    topic: string;
    category: string;
    canonical_url: string;
    summary: string;
    matched_chunks: Array<{
      heading: string;
      text: string;
      chunk_id: string;
      section_index: number;
    }>;
    score: number;
  }>;
  // On no-match: up to 5 nearest topic slugs as a "did you mean" hint.
  similar_topics?: string[];
  resolved_mode: 'topic' | 'query' | 'none';
  corpus_source: string;    // which shipped corpus answered the call
}

Envelope-level fields the agent should also read: summary.headline, actions[] (in the short default, one learn_more action per citation, each carrying that page's topic + depth: "full"), schema_epoch.