POC status
Retrieves progress or a view of the report from a POC submit run. While the run is in flight, it returns status / progress / elapsed; on completion, it renders one of six views (summary, full, yaml, configs, top, pattern). On failure, the response includes partial_report_markdown if any events were pulled before the error. The full report is always written to ${LOG10X_REPORT_DIR:-/tmp/log10x-reports}/poc_from_siem-<timestamp>.md.
Example
"show report `snap_abc123`"
9-section report:
- Top driver — `Payment_Gateway_Timeout` $4.2K/wk → recommend Reducer cap 1.5. Reconciliation note — how the top-10 differs from Datadog's native Patterns view (different tokenizer, different sample, different ranking; ~7 of 10 typically overlap)
- Cost per service — payments-svc $24K · cart-svc $18K · checkout-svc $11K · ad-svc $7K
- Projected savings — $306K/yr (Reducer filter $48K, Reducer compact $172K, Retriever offload $86K)
- Per-pattern recommendations — keep / cap / drop / archive
- Suggested filter configs — paste-ready Datadog / Splunk / ES drop rules (literal-phrase queries, not regex with `.*` between tokens)
- 6–9. Compaction potential · risk / dependency checks · deployment paths · environment summary
More to ask
- "paste-ready Reducer YAML for top 10 from `snap_abc123`"
- "deep-dive on `Payment_Gateway_Timeout` from that POC"
- "native log analyzer configs from `snap_abc123`"
Prerequisites
Snapshots live in-memory per MCP process — a server restart clears them. Persist the final report path from the filesystem if you need it later.
Tool schema (advanced)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| `snapshot_id` | string | yes | — | Snapshot ID returned by POC submit. |
| `view` | string | no | `summary` | summary (~30-line exec banner + top-5 + CTA) · full (complete 9-section ~300 lines) · yaml (Reducer mute-file entries for top N) · configs (native log analyzer exclusion configs) · top (expanded N-row drivers) · pattern (deep-dive on one pattern, requires pattern arg). |
| `top_n` | integer | no | varies | Rows for views that accept it. Defaults: summary=5, top=20, yaml/configs=5. 1–100. |
| `pattern` | string | when view=pattern | — | Pattern name to expand — pass the snake-case name from a prior view. |
In-progress responses return status (pulling / templatizing / rendering), progress_pct, step_detail, and elapsed_seconds. Each phase carries its own polling hint: pulling typically takes 1–3 min and partial patterns are not yet visible; templatizing typically takes 3–8 min and partial_patterns_found updates as patterns resolve; rendering takes <5s and the next poll should return complete.
Configs view shape. Exclusion configs render as single-phrase queries — `@message:"Payment Gateway Timeout for tenant="` for Datadog, `REGEX = Payment Gateway Timeout for tenant=` for Splunk, etc. Each phrase is pulled from the longest verbatim literal run between variable slots in the template body, so the query an admin pastes is the one they would have written by hand. Templates that begin with a variable slot prepend an "approximation" footnote because the anchor is the longest internal run, not a prefix.
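The anchor selection described above, as an added example that is not the tool's own code. It assumes variable slots are written `{name}`, and it adds a hypothetical minimum anchor length and backslash-escaping of quotes, neither of which is stated on this page.

```python
import re
from dataclasses import dataclass

# Assumption: variable slots look like {name}; the page does not show the
# real template slot syntax.
SLOT = re.compile(r"\{[^{}]*\}")
# Assumed safeguard (not from the page): a very short anchor would make a
# drop rule match unrelated log lines, so refuse to emit one.
MIN_ANCHOR_LEN = 12


@dataclass
class Exclusion:
    phrase: str        # longest literal run, whitespace-trimmed
    approximate: bool  # True when the template begins with a variable slot
    datadog: str       # single-phrase query in the shape the page shows


def longest_literal_run(template: str) -> str:
    """Return the longest verbatim text found between variable slots."""
    runs = [run.strip() for run in SLOT.split(template)]
    return max(runs, key=len, default="")


def datadog_exclusion(template: str) -> Exclusion:
    phrase = longest_literal_run(template)
    if len(phrase) < MIN_ANCHOR_LEN:
        raise ValueError(f"anchor {phrase!r} is too short for a safe drop rule")
    # Assumption: backslash-escaping keeps a quote inside the literal from
    # closing the quoted phrase early and widening the rule.
    escaped = phrase.replace("\\", "\\\\").replace('"', '\\"')
    # The anchor is a prefix only when the template does not open with a slot.
    approximate = SLOT.match(template.lstrip()) is not None
    return Exclusion(phrase, approximate, f'@message:"{escaped}"')


# Constructed sample templates (not taken from a real report).
PREFIX_TEMPLATE = "Payment Gateway Timeout for tenant={tenant} after {ms}ms"
SLOT_FIRST_TEMPLATE = "{ts} worker {id} failed to flush batch to {sink}"
TOO_GENERIC_TEMPLATE = "{level} {msg} at {ts}"

if __name__ == "__main__":
    for template in (PREFIX_TEMPLATE, SLOT_FIRST_TEMPLATE):
        rule = datadog_exclusion(template)
        note = "  (approximation: internal run)" if rule.approximate else ""
        print(rule.datadog + note)
```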
Cost ranges in cost figures. When POC submit auto-detected volume via a fallback estimator (Datadog event-count × 500 B/event, CloudWatch NEVER_EXPIRE retention), every projected cost is rendered as a low-high range with a banner explaining the uncertainty.