Triage
Paste a batch of events (a file, kubectl logs dump, or log analyzer export) and group them by pattern. Returns per-pattern event count, severity breakdown, template shape, and slot values (which tenants, users, or keys are affected). Privacy mode (default) keeps events on the machine; turning it off routes the batch through the public paste endpoint instead.
Example
You
triage /tmp/incident.log
Log10x
1,403 events → 27 patterns. Top:
Payment_Gateway_Timeout(412 events, ERROR), affects 4 tenants:acme-corp,globex,initech,umbrellaGetCartAsync_called_with_userId(218 events, INFO)Retry_Exhausted(174 events, WARN)
More to ask
- "triage this Slack dump" (paste events)
- "what's in
/tmp/datadog-export.json?" - "top 10 patterns from this
kubectl logsoutput"
Prerequisites
Works at any tier, including CLI-only. Privacy mode (default) runs templatization through a local Log10x engine, so events never leave the machine: either the tenx CLI 1.0.22+ (install for macOS/Linux/Windows) or a local Docker container (LOG10X_TENX_MODE=docker). When LOG10X_TENX_MODE is unset and Docker is running, Docker is auto-detected and preferred; otherwise the native tenx binary is used. The local path invokes tenx @apps/mcp over stdin/stdout, with no temp files written to disk. Earlier engines (1.0.21) work only with TENX_CONFIG and TENX_MODULES set to local clones of log-10x/config and log-10x/modules at the apps/mcp branches. See Engine compatibility.
When no patterns resolve. A zero-pattern result has two causes, and the tool names both so the right one gets fixed:
- The input was not raw log lines. The templater expects one event per line, not a pre-formatted JSON blob. Re-paste the raw lines and re-run.
- Engine and MCP output-format version skew. The local engine image emits a format this MCP build cannot parse, so even valid input returns nothing. Run
log10x_doctorto check the installed engine image version, then upgrade to a compatibletenxper Engine compatibility.
The second cause is the one to suspect when reformatting the input keeps failing: no input will resolve against a skewed engine image.
Schema and samples
Input example
Real call against the demo env (captured by scripts/capture-tool-envelopes.mjs).
Input schema
Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):
{
"type": "object",
"properties": {
"source": {
"type": "string",
"enum": [
"file",
"events",
"text"
],
"description": "Optional — auto-inferred from whichever of `events` / `text` / `path` you actually provide, so you normally do not set it. Provide explicitly only to disambiguate when more than one is present."
},
"path": {
"type": "string",
"description": "Local file path when source=file. Required for file mode."
},
"events": {
"anyOf": [
{
"type": "array",
"items": {
"type": "string"
}
},
{
"type": "string"
}
],
"description": "Inline log lines: an array of lines, or a single newline-separated string (both accepted). `source` need not be set."
},
"text": {
"type": "string",
"description": "Raw text blob when source=text — newline-separated log events."
},
"top_n_patterns": {
"type": "number",
"minimum": 1,
"maximum": 50,
"default": 20,
"description": "How many patterns to return in the ranked triage."
},
"include_next_actions": {
"type": "boolean",
"default": true,
"description": "Whether to generate next_action suggestions for each top pattern."
},
"environment": {
"type": "string",
"description": "Environment nickname — used to build next_actions that call log10x_investigate."
},
"privacy_mode": {
"type": "boolean",
"default": true,
"description": "When true (default), the batch is processed by a local Log10x engine, so events never leave the machine. The engine can be a native `tenx` CLI (install for macOS/Linux/Windows: https://doc.log10x.com/install/) or a local Docker container (set `LOG10X_TENX_MODE=docker`); when the mode is unset, Docker is auto-detected and preferred, falling back to a native install. Set to false to route through the public Log10x paste Lambda instead (100 KB limit, requires network). If no local engine is available, the call surfaces a typed not_configured envelope with an install hint covering both options."
}
},
"additionalProperties": false
}
Source: src/tools/resolve-batch.ts.
Output example
Real envelope from the demo env. view: "summary" returns the full StructuredOutput with typed data. Long arrays + base64 PNG bodies trimmed for readability; the real call returns them in full.
Headline (the 1-line agent-facing answer):
3 events → 2 patterns, top: ERROR_payments_svc_Connection_timeout_to_db_replica at 67% of batch.
{
"schema_version": "1.0",
"schema_epoch": "2026-05-25",
"tool": "log10x_resolve_batch",
"generated_at": "2026-05-26T15:37:37.004Z",
"view": "summary",
"summary": {
"headline": "3 events → 2 patterns, top: ERROR_payments_svc_Connection_timeout_to_db_replica at 67% of batch."
},
"data": {
"input_line_count": 3,
"input_bytes": 213,
"resolved_pattern_count": 2,
"shown_pattern_count": 2,
"accounted_events": 3,
"dropped_events": 0,
"drop_rate": 0,
"execution_mode": "local_cli",
"cli_wall_time_ms": 7382,
"severity_mix": {
"ERROR": 2,
"INFO": 1
},
"overfit_warning": false,
"patterns": [
{
"rank": 1,
"template_hash": "-9ZQM#HFM!>",
"symbol_message": "ERROR_payments_svc_Connection_timeout_to_db_replica",
"template": "$(yyyy-MM-dd HH:mm:ss) ERROR payments-svc Connection timeout to db-replica$",
"event_count": 2,
"share_pct": 66.66666666666666,
"interestingness": 0.755,
"dominant_severity": "ERROR",
"severity_distribution": {
"ERROR": 2
},
"slots": [
{
"slot_index": 0,
"inferred_name": "slot_1",
"naming_confidence": "low",
"distinct_count": 1,
"top_values": [
{
"value": "-2",
"pct": 1
}
]
},
{
"slot_index": 1,
"inferred_name": "slot_0",
"naming_confidence": "low",
"distinct_count": 2,
"top_values": [
{
"value": "1779804000000",
"pct": 0.5
},
{
"value": "1779804001000",
"pct": 0.5
}
]
}
]
},
{
"rank": 2,
"template_hash": ".m<kHBV!iV",
"symbol_message": "INFO_payments_svc_Retry_attempt_succeeded",
"template": "$(yyyy-MM-dd HH:mm:ss) INFO payments-svc Retry attempt $//$ succeeded",
"event_count": 1,
"share_pct": 33.33333333333333,
"interestingness": 0.48833333333333334,
"dominant_severity": "INFO",
"severity_distribution": {
"INFO": 1
},
"slots": [
{
"slot_index": 0,
"inferred_name": "slot_0",
"naming_confidence": "low",
"distinct_count": 1,
"top_values": [
{
"value": "1779804002000",
"pct": 1
}
]
},
{
"slot_index": 1,
"inferred_name": "slot_1",
"naming_confidence": "low",
"distinct_count": 1,
"top_values": [
{
"value": "1",
"pct": 1
}
]
},
{
"slot_index": 2,
"inferred_name": "slot_2",
"naming_confidence": "low",
"distinct_count": 1,
"top_values": [
{
"value": "3",
"pct": 1
}
]
}
]
}
]
},
"actions": [
{
"tool": "log10x_event_lookup",
"args": {
"pattern": "ERROR_payments_svc_Connection_timeout_to_db_replica"
},
"reason": "look up the top pattern against the live Reporter"
},
{
"tool": "log10x_investigate",
"args": {
"starting_point": "ERROR_payments_svc_Connection_timeout_to_db_replica"
},
"reason": "causal-chain investigation on the top pattern"
}
],
"truncated": false,
"warnings": []
}
Output schema
The data block inside the StructuredOutput envelope:
interface ToolData {
input_line_count: number;
input_bytes: number;
resolved_pattern_count: number;
shown_pattern_count: number;
accounted_events: number;
dropped_events: number;
drop_rate: number;
execution_mode: string;
cli_wall_time_ms: number;
severity_mix: { ERROR: number; INFO: number };
overfit_warning: boolean;
patterns: Array<{
rank: number;
template_hash: string;
symbol_message: string;
template: string;
event_count: number;
share_pct: number;
interestingness: number;
dominant_severity: string;
severity_distribution: { ERROR: number };
slots: Array<{
slot_index: number;
inferred_name: string;
naming_confidence: string;
distinct_count: number;
top_values: Array<{
value: string;
pct: number;
}>;
}>;
}>;
}
Envelope-level fields the agent should also read: summary.headline (1-line answer), actions[] (next-call chain hints as {tool, args, reason}), truncated: boolean, images[] (PNG attachments where applicable), schema_epoch (engine-ID stability boundary).