POC status
After POC submit returns a snapshot_id, poll for progress or pull a specific view of the final report. Returns status (pulling, templatizing, rendering) while in-flight; on completion renders one of six views (summary, full, yaml, configs, top, pattern). The full report is written to ${LOG10X_REPORT_DIR:-/tmp/log10x-reports}/poc_from_siem-<timestamp>.md.
Example
You
show report snap_abc123
Log10x
9-section report:
- Top driver: Payment_Gateway_Timeout $4.2K/wk → recommend Receiver cap 1.5. Reconciliation note: how the top-10 differs from Datadog's native Patterns view (different tokenizer, different sample, different ranking; ~7 of 10 typically overlap)
- Cost per service: payments-svc $24K · cart-svc $18K · checkout-svc $11K · ad-svc $7K
- Projected savings: $306K/yr (Receiver filter $48K, Receiver compact $172K, Retriever offload $86K)
- Per-pattern recommendations: keep / cap / drop / archive
- Suggested filter configs: paste-ready Datadog / Splunk / ES drop rules (literal-phrase queries, not regex with .* between tokens)
- 6–9. Compaction potential · risk / dependency checks · deployment paths · environment summary
More to ask
- "paste-ready Receiver YAML for top 10 from snap_abc123"
- "deep-dive on Payment_Gateway_Timeout from that POC"
- "native log analyzer configs from snap_abc123"
Prerequisites
Snapshots live in-memory per MCP process — a server restart clears them. Persist the final report path from the filesystem if you need it later.
Schema and samples
Input example
Real call against the demo env (captured by scripts/capture-tool-envelopes.mjs).
Input schema
Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):
{
  "type": "object",
  "properties": {
    "snapshot_id": {
      "type": "string",
      "description": "Snapshot id returned by log10x_poc_from_siem_submit."
    },
    "view": {
      "type": "string",
      "enum": [
        "summary",
        "full",
        "yaml",
        "configs",
        "top",
        "pattern",
        "markdown"
      ],
      "default": "summary",
      "description": "How to surface the report. Default `summary` returns the v2 structured envelope (`data.result` carries the full JSON: input section with scale + methodology + coverage, output section with aggregates, incidents, per-pattern actions). The agent reads this directly and writes prose in its own voice — no rendered markdown is included in the summary path. Use `markdown` to receive the rendered 9-section markdown report (legacy / human-readable surface). `yaml` returns paste-ready receiver mute-file entries; `configs` returns native SIEM exclusion configs; `top` returns an expanded N-row drivers markdown; `pattern` deep-dives on one identity (requires `pattern` arg). `full` is kept as an alias for `markdown`."
    },
    "pattern": {
      "type": "string",
      "description": "Required when view=\"pattern\". The snake_case pattern identity to expand. Pass the raw identity as printed in prior views."
    },
    "top_n": {
      "type": "integer",
      "minimum": 1,
      "maximum": 100,
      "description": "Number of rows for views that accept it (`top`, `yaml`, `configs`, `summary`). Defaults: summary=5, top=20, yaml/configs=5."
    }
  },
  "required": [
    "snapshot_id"
  ],
  "additionalProperties": false
}
Source: src/tools/poc-from-siem.ts.
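A client-side check of agent-supplied arguments against the schema above, as an added example that is not taken from the Log10x source. It also enforces the "pattern is required when view=pattern" rule, which the schema states only in a description string. The helper name validateStatusArgs and the sample calls are assumptions made for illustration.

```javascript
// Added example, not Log10x code. validateStatusArgs is a hypothetical helper
// that mirrors the input schema published for log10x_poc_from_siem_status.
const VIEWS = ["summary", "full", "yaml", "configs", "top", "pattern", "markdown"];
const ALLOWED_KEYS = ["snapshot_id", "view", "pattern", "top_n"];

function validateStatusArgs(args) {
  if (args === null || typeof args !== "object" || Array.isArray(args)) {
    return { ok: false, errors: ["arguments must be a JSON object"], args: null };
  }
  const errors = [];
  // additionalProperties: false -> reject any key the schema does not name.
  for (const key of Object.keys(args)) {
    if (!ALLOWED_KEYS.includes(key)) errors.push(`unexpected property: ${key}`);
  }
  // required: ["snapshot_id"], type string.
  if (typeof args.snapshot_id !== "string") {
    errors.push("snapshot_id is required and must be a string");
  }
  // Apply the schema default before checking the enum.
  const view = args.view === undefined ? "summary" : args.view;
  if (!VIEWS.includes(view)) {
    errors.push(`view must be one of: ${VIEWS.join(", ")}`);
  }
  if (args.pattern !== undefined && typeof args.pattern !== "string") {
    errors.push("pattern must be a string");
  } else if (view === "pattern" && args.pattern === undefined) {
    // This rule lives only in the description text, so a generic JSON Schema
    // validator accepts the call; it has to be checked explicitly.
    errors.push('pattern is required when view="pattern"');
  }
  if (args.top_n !== undefined &&
      !(Number.isInteger(args.top_n) && args.top_n >= 1 && args.top_n <= 100)) {
    errors.push("top_n must be an integer from 1 to 100");
  }
  const ok = errors.length === 0;
  // On success, return the arguments with the default view filled in.
  return { ok, errors, args: ok ? { ...args, view } : null };
}

// Constructed sample calls (snap_abc123 is the id used in the example above).
const samples = [
  { snapshot_id: "snap_abc123" },
  { snapshot_id: "snap_abc123", view: "pattern" },
  { snapshot_id: "snap_abc123", top_n: 500, path: "/tmp/other.md" },
];
for (const s of samples) console.log(JSON.stringify(s), "->", validateStatusArgs(s).errors);
```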
Output example
Real envelope from the demo env. view: "summary" returns the full StructuredOutput with typed data. Long arrays + base64 PNG bodies trimmed for readability; the real call returns them in full.
Headline (the 1-line agent-facing answer):
POC complete for snapshot_id b27c9a4f (summary view).
{
  "schema_version": "1.0",
  "schema_epoch": "2026-05-25",
  "tool": "log10x_poc_from_siem_status",
  "view": "summary",
  "summary": {
    "headline": "POC complete for snapshot_id b27c9a4f (summary view)."
  },
  "data": {
    "snapshot_id": "b27c9a4f-...",
    "status": "complete",
    "progress_pct": 100,
    "step_detail": "rendering complete",
    "elapsed_seconds": 224,
    "view_rendered": "summary",
    "report_file_path": "/tmp/log10x-reports/poc_from_siem-2026-05-26.md",
    "report_markdown": "# Log10x POC — CloudWatch sample\n\n..."
  },
  "generated_at": "2026-05-26T00:00:00.000Z"
}
Output schema
The data block inside the StructuredOutput envelope:
interface ToolData {
  snapshot_id: string;
  status: string;
  progress_pct: number;
  step_detail: string;
  elapsed_seconds: number;
  view_rendered: string;
  report_file_path: string;
  report_markdown: string;
}
Envelope-level fields the agent should also read: summary.headline (1-line answer), actions[] (next-call chain hints as {tool, args, reason}), truncated: boolean, images[] (PNG attachments where applicable), schema_epoch (engine-ID stability boundary).