Lookup
Paste one log line and ask "what is this, is it new, what's it costing?". Returns the pattern name, cost per service, recent cost change, first-seen date, and a suggested action (keep / reduce / filter). For CLI-only mode without a deployed Reporter, use Triage instead.
Example
You
what is this: ERROR Payment_Gateway_Timeout user_id=abc123 took=5021ms
Log10x
Matches Payment_Gateway_Timeout. ERROR severity. $4.2K/wk in payments-svc, up from $200/wk over 14 days. First seen 14 days ago. Suggested action: cap with the Receiver.
More to ask
- "is Retry_Backoff_Exhausted new?"
- "safe to drop DEBUG /healthz?"
- "what's GetCartAsync_called_with_userId costing us?"
Prerequisites
This tool requires the Reporter deployed for live pattern lookup. In CLI-only mode use Triage instead.
Schema and samples
Input example
Real call against the demo env (captured by scripts/capture-tool-envelopes.mjs).
Input schema
Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):
{
  "type": "object",
  "properties": {
    "pattern": {
      "type": "string",
      "description": "Pattern name or search term to look up (e.g., \"Payment_Gateway_Timeout\"). Omit when passing `pattern_hash` / `tenxHash` instead."
    },
    "pattern_hash": {
      "type": "string",
      "description": "Canonical 11-char hash seen on a SIEM / CloudWatch Logs event (e.g. \"03ndjreM-sU\"). Alias of `tenxHash`; both are accepted. Resolved against the 10x metrics to recover the pattern, then the normal cost/services breakdown is shown."
    },
    "tenxHash": {
      "type": "string",
      "description": "Legacy alias of `pattern_hash`. Both are accepted. Pass either the canonical `pattern_hash` form or this legacy form — they are treated identically."
    },
    "service": {
      "type": "string",
      "description": "Service to scope the lookup"
    },
    "timeRange": {
      "type": "string",
      "enum": [
        "15m",
        "1h",
        "6h",
        "24h",
        "1d",
        "7d",
        "30d"
      ],
      "default": "7d",
      "description": "Time range. Sub-day values for incident-window lookups. '24h' and '1d' are equivalent."
    },
    "analyzerCost": {
      "type": "number",
      "description": "SIEM ingestion cost in $/GB (deprecated alias of `effective_ingest_per_gb`)"
    },
    "effective_ingest_per_gb": {
      "type": "number",
      "description": "Customer-supplied SIEM ingest cost in $/GB. When set, dollar fields populate with rate_source=customer_supplied; when absent and no list rate is detected, dollar fields collapse to null and rate_source=unset."
    },
    "siemScope": {
      "type": "string",
      "description": "SIEM scope for the live sample line on a tenxHash reverse lookup: a CloudWatch log group (`/aws/ecs/my-svc`), ES index, or Splunk index. When omitted, the detected SIEM connector uses its own default scope. Only consulted when `tenxHash` was passed (the cross-pillar correlation case)."
    },
    "environment": {
      "type": "string",
      "description": "Environment nickname"
    }
  },
  "additionalProperties": false
}
Source: src/tools/event-lookup.ts.
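A client-side pre-flight check for these arguments, added here as an example (it is not code from src/tools/event-lookup.ts): it rejects keys outside the schema, folds the two alias pairs into their canonical names, and applies the timeRange default. The function name, requiring a pattern or a hash, folding '1d' into '24h', and the non-negative rate bound are assumptions of this example.

```typescript
const TIME_RANGES = ["15m", "1h", "6h", "24h", "1d", "7d", "30d"];
const STRING_KEYS = ["pattern", "service", "siemScope", "environment"];
const OTHER_KEYS = ["pattern_hash", "tenxHash", "timeRange", "analyzerCost", "effective_ingest_per_gb"];

function normalizeLookupArgs(raw: Record<string, unknown>): Record<string, string | number> {
  // additionalProperties: false -> fail closed on keys the schema does not define.
  for (const key of Object.keys(raw)) {
    if (STRING_KEYS.concat(OTHER_KEYS).indexOf(key) === -1) throw new Error("unknown property: " + key);
  }
  const out: Record<string, string | number> = {};
  for (const key of STRING_KEYS) {
    const v = raw[key];
    if (v === undefined) continue;
    if (typeof v !== "string") throw new Error(key + " must be a string");
    out[key] = v;
  }
  // tenxHash is the legacy alias of pattern_hash: send one canonical key.
  const a = raw["pattern_hash"], b = raw["tenxHash"];
  if (a !== undefined && b !== undefined && a !== b) throw new Error("pattern_hash and tenxHash differ");
  const hash = a !== undefined ? a : b;
  if (hash !== undefined) {
    if (typeof hash !== "string") throw new Error("pattern_hash must be a string");
    out["pattern_hash"] = hash;
  }
  // Local policy (assumption): a lookup needs a pattern or a hash.
  if (out["pattern"] === undefined && out["pattern_hash"] === undefined) {
    throw new Error("pattern or pattern_hash required");
  }
  // siemScope is only consulted on a hash lookup, so do not send it otherwise.
  if (out["pattern_hash"] === undefined) delete out["siemScope"];
  // Enum check, schema default, and '1d' folded into its equivalent '24h'.
  const range = raw["timeRange"] === undefined ? "7d" : raw["timeRange"];
  if (typeof range !== "string" || TIME_RANGES.indexOf(range) === -1) throw new Error("invalid timeRange");
  out["timeRange"] = range === "1d" ? "24h" : range;
  // analyzerCost is the deprecated alias of effective_ingest_per_gb.
  const rate = raw["effective_ingest_per_gb"] !== undefined ? raw["effective_ingest_per_gb"] : raw["analyzerCost"];
  if (rate !== undefined) {
    // Non-negative and finite is a local sanity bound; the schema only says "number".
    if (typeof rate !== "number" || !isFinite(rate) || rate < 0) throw new Error("invalid $/GB rate");
    out["effective_ingest_per_gb"] = rate;
  }
  return out;
}
```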
Output example
Real envelope from the demo env. view: "summary" returns the full StructuredOutput with typed data. Long arrays + base64 PNG bodies trimmed for readability; the real call returns them in full.
Headline (the 1-line agent-facing answer):
`Payment_Gateway_Timeout` over last 1h: $4.20 across 3 services (12,418 events, 1.4 MB)
{
  "schema_version": "1.0",
  "schema_epoch": "2026-05-25",
  "tool": "log10x_event_lookup",
  "generated_at": "2026-05-26T00:00:00.000Z",
  "view": "summary",
  "summary": {
    "headline": "`Payment_Gateway_Timeout` over last 1h: $4.20 across 3 services (12,418 events, 1.4 MB)"
  },
  "data": {
    "pattern": "Payment_Gateway_Timeout",
    "window": "last 1h",
    "totals": {
      "cost_per_window_usd": 4.2,
      "events": 12418,
      "bytes": 1417882,
      "service_count": 3,
      "severity_count": 1
    },
    "by_service": [
      {
        "service": "payments-svc",
        "events": 9210,
        "bytes": 1041208,
        "cost_per_window_usd": 3.08,
        "pct_of_total": 73.4
      },
      {
        "service": "checkout-svc",
        "events": 2444,
        "bytes": 276382,
        "cost_per_window_usd": 0.82,
        "pct_of_total": 19.5
      },
      {
        "service": "ad-svc",
        "events": 764,
        "bytes": 100292,
        "cost_per_window_usd": 0.3,
        "pct_of_total": 7.1
      }
    ],
    "by_severity": [
      {
        "severity": "ERROR",
        "events": 12418,
        "pct_of_total": 100
      }
    ],
    "first_seen_iso": "2026-05-25T03:11:00Z",
    "ai_classification": {
      "category": "error",
      "recommended_action": "reduce",
      "confidence": "medium",
      "reasoning": "high-volume ERROR-severity pattern concentrated in one service"
    }
  },
  "actions": [
    {
      "tool": "log10x_pattern_trend",
      "args": {
        "pattern": "Payment_Gateway_Timeout",
        "timeRange": "24h"
      },
      "reason": "check if this pattern is rising — service share 73% in payments-svc warrants temporal context"
    },
    {
      "tool": "log10x_dependency_check",
      "args": {
        "pattern": "Payment_Gateway_Timeout",
        "vendor": "datadog"
      },
      "reason": "before recommending mute/sample, check for dashboard/alert references"
    },
    {
      "tool": "log10x_pattern_mitigate",
      "args": {
        "pattern": "Payment_Gateway_Timeout"
      },
      "reason": "12K events/hour with ERROR severity — surface the env-gated mitigation options"
    }
  ],
  "render_hint": {
    "chart": "bar",
    "units": "events"
  },
  "truncated": false,
  "warnings": []
}
Output schema
The data block inside the StructuredOutput envelope:
interface ToolData {
  pattern: string;
  window: string;
  totals: { cost_per_window_usd: number; events: number; bytes: number; service_count: number; severity_count: number };
  by_service: Array<{
    service: string;
    events: number;
    bytes: number;
    cost_per_window_usd: number;
    pct_of_total: number;
  }>;
  by_severity: Array<{
    severity: string;
    events: number;
    pct_of_total: number;
  }>;
  first_seen_iso: string;
  ai_classification: { category: string; recommended_action: string; confidence: string; reasoning: string };
}
Envelope-level fields the agent should also read: summary.headline (1-line answer), actions[] (next-call chain hints as {tool, args, reason}), truncated: boolean, images[] (PNG attachments where applicable), schema_epoch (engine-ID stability boundary).
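One way for a caller to vet those envelope-level fields before acting on them, as an added example that is not Log10x code. FOLLOWABLE is a hypothetical local allowlist, the per-service events cross-check is an assumption drawn from the sample output on this page, and the sample's reason strings are shortened.

```typescript
interface Action { tool: string; args: Record<string, unknown>; reason: string }
interface Envelope {
  tool: string;
  truncated: boolean;
  warnings: unknown[];
  summary: { headline: string };
  data: {
    totals: { cost_per_window_usd: number | null; events: number };
    by_service: Array<{ service: string; events: number }>;
  };
  actions: Action[];
}

// Hypothetical local policy: tools the agent may chain into without approval.
const FOLLOWABLE = ["log10x_pattern_trend", "log10x_dependency_check"];

function reviewEnvelope(env: Envelope, allow: string[] = FOLLOWABLE) {
  if (env.tool !== "log10x_event_lookup") throw new Error("unexpected tool: " + env.tool);
  const summed = env.data.by_service.reduce((n, s) => n + s.events, 0);
  return {
    headline: env.summary.headline,
    // Truncated, warned or internally inconsistent data should not drive a decision.
    complete: !env.truncated && env.warnings.length === 0 && summed === env.data.totals.events,
    // Dollar fields are null when no ingest rate is known (rate_source=unset).
    costKnown: env.data.totals.cost_per_window_usd !== null,
    // actions[] are hints: follow allowlisted tools, hold the rest for approval.
    follow: env.actions.filter((a) => allow.indexOf(a.tool) !== -1),
    needsApproval: env.actions.filter((a) => allow.indexOf(a.tool) === -1).map((a) => a.tool),
  };
}

// Sample cut down from the output example on this page; reason strings shortened.
const SAMPLE: Envelope = {
  tool: "log10x_event_lookup", truncated: false, warnings: [],
  summary: { headline: "`Payment_Gateway_Timeout` over last 1h: $4.20 across 3 services (12,418 events, 1.4 MB)" },
  data: {
    totals: { cost_per_window_usd: 4.2, events: 12418 },
    by_service: [
      { service: "payments-svc", events: 9210 },
      { service: "checkout-svc", events: 2444 },
      { service: "ad-svc", events: 764 },
    ],
  },
  actions: [
    { tool: "log10x_pattern_trend", args: { pattern: "Payment_Gateway_Timeout", timeRange: "24h" }, reason: "trend" },
    { tool: "log10x_dependency_check", args: { pattern: "Payment_Gateway_Timeout", vendor: "datadog" }, reason: "references" },
    { tool: "log10x_pattern_mitigate", args: { pattern: "Payment_Gateway_Timeout" }, reason: "mitigation options" },
  ],
};
```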