POC submit
Kick off a full log-cost POC against the user's log analyzer. Pulls a representative event sample, groups it by pattern, and renders a 9-section markdown report covering top cost drivers, Reducer recommendations, ready-to-paste native log analyzer exclusion configs, compaction potential, risk / dependency checks, and deployment paths. Returns a snapshot_id; poll POC status for progress and the final report. Defaults to local processing, so events stay on the machine.
Example
"cost POC on our production Datadog, 7d window"
Pulling ~250K-event sample from Datadog. Returned snapshot_id=snap_abc123. ETA 2–3 min. Auto-detected daily volume: 1.2 TB/day · auto-detected $/GB: $2.50 · pull window: 7d.
Phases: pulling (1–3 min) → templatizing (3–8 min) → rendering (<5s) → complete. Poll POC status every ~30s; partial_patterns_found stops growing when render is close. Report will land at /tmp/log10x-reports/poc_from_siem-snap_abc123.md.
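A minimal polling sketch in TypeScript. The phase names and partial_patterns_found field come from the example above; the status-call shape, report_path field, and function names are illustrative assumptions, not the documented API.

```ts
// Illustrative only: the status-call shape and report_path field are assumptions;
// phase names and partial_patterns_found match the example above.
type PocPhase = "pulling" | "templatizing" | "rendering" | "complete";

interface PocStatus {
  phase: PocPhase;
  partial_patterns_found: number; // stops growing when render is close
  report_path?: string;           // e.g. /tmp/log10x-reports/poc_from_siem-<snapshot_id>.md
}

async function waitForReport(
  getStatus: (snapshotId: string) => Promise<PocStatus>,
  snapshotId: string,
): Promise<string> {
  for (;;) {
    const status = await getStatus(snapshotId);
    if (status.phase === "complete" && status.report_path) return status.report_path;
    await new Promise((resolve) => setTimeout(resolve, 30_000)); // poll roughly every 30s
  }
}
```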
More to ask
- "POC against
/aws/ecs/checkout-svcCloudWatch log group, level=ERROR" - "cost POC on Splunk index
main, 30d" - "Elasticsearch POC, no auto-volume probe, override 500GB/day"
Prerequisites
No Log10x API key required. Privacy mode (the default) requires the tenx CLI (brew install log10x/tap/tenx) installed locally.
Tool schema (advanced)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| siem | string | no | auto-detect | Target log analyzer: cloudwatch, datadog, sumo, gcp-logging, elasticsearch, azure-monitor, splunk, clickhouse. Auto-detected from ambient env vars when omitted. |
| scope | string | no | — | Resource scope, vendor-specific. CloudWatch: log group / wildcard. Datadog: index. Splunk: index. GCP: project id. ES: index pattern. Azure: workspace id. Sumo: _sourceCategory. ClickHouse: database. |
| query | string | no | — | Native filter expression on top of scope, vendor syntax. |
| window | string | no | 7d | Pull window. Accepts 1h, 24h, 7d, 30d. |
| target_event_count | number | no | 250000 | Target event count. 1000–2000000. |
| max_pull_minutes | number | no | 5 | Hard cap on pull wall-time. 1–60. |
| auto_detect_volume | boolean | no | true | Probe the log analyzer for total daily volume. CloudWatch: describeLogGroups ÷ retention. Datadog: Usage API. Elasticsearch: _stats. Splunk: license API. Sumo: Account Usage API. Azure: Usage KQL. GCP: Cloud Monitoring. ClickHouse: system.parts. Falls back to scenario brackets if creds lack scope. |
| total_daily_gb | number | no | — | Override daily volume. |
| total_monthly_gb | number | no | — | Override monthly volume. |
| total_annual_gb | number | no | — | Override annual volume. |
| analyzer_cost_per_gb | number | no | from vendors.json | Override the $/GB rate. |
| ai_prettify | boolean | no | true | Ask the host LLM to generate human-readable names for top patterns via MCP sampling. Sends only the pattern shape, never the raw log content. |
| privacy_mode | boolean | no | true | Local tenx vs. public paste endpoint. Keep true for production log content. |
| clickhouse_table | string | when siem=clickhouse | — | Required for ClickHouse. |
| clickhouse_message_column | string | no | auto | ClickHouse message column. |
| clickhouse_timestamp_column | string | no | auto | ClickHouse timestamp column. |
| clickhouse_service_column | string | no | — | Optional service column. |
| clickhouse_severity_column | string | no | — | Optional severity column. |
| environment | string | no | — | Cosmetic; used only in the report header. |
The pull stops at whichever ceiling is hit first: target_event_count, max_pull_minutes, or the end of the window.
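For reference, a hedged sketch of a full argument set using the fields above. The values are illustrative, and the tool name and invocation mechanism depend on the MCP host; only the field names follow the schema table.

```ts
// Illustrative argument set; field names follow the schema table, values are examples.
// How the arguments are sent (tool name, client API) is not specified on this page.
const pocSubmitArgs = {
  siem: "datadog",            // omit to auto-detect from ambient env vars
  scope: "main",              // Datadog: index
  query: "status:error",      // native filter expression on top of scope
  window: "7d",
  target_event_count: 250_000,
  max_pull_minutes: 5,
  auto_detect_volume: true,
  ai_prettify: true,
  privacy_mode: true,         // keep local processing for production log content
  environment: "production",  // cosmetic, report header only
};
```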
Sampling. The pull spreads across 12–24 randomized sub-windows of the parent window so two POC runs draw different slices. Per-vendor: Datadog / Elasticsearch / CloudWatch use 24 buckets; Splunk uses 12 to stay under the per-user concurrent-search cap.
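A rough sketch of how randomized sub-windows might be carved out of the parent window. The bucket counts follow the text (24 for Datadog / Elasticsearch / CloudWatch, 12 for Splunk); the jitter and sub-window sizing here are assumptions.

```ts
// Assumed mechanics: jitter each bucket's start so two POC runs draw different slices.
interface TimeWindow {
  startMs: number;
  endMs: number;
}

function randomSubWindows(parent: TimeWindow, buckets: number): TimeWindow[] {
  const bucketSpan = Math.floor((parent.endMs - parent.startMs) / buckets);
  return Array.from({ length: buckets }, (_, i) => {
    const base = parent.startMs + i * bucketSpan;
    const jitter = Math.floor(Math.random() * (bucketSpan / 2)); // random offset inside the bucket
    const start = base + jitter;
    return { startMs: start, endMs: Math.min(start + Math.floor(bucketSpan / 2), parent.endMs) };
  });
}

// Example: 24 sub-windows across a 7-day parent window.
const sevenDaysMs = 7 * 24 * 60 * 60 * 1000;
const subWindows = randomSubWindows({ startMs: Date.now() - sevenDaysMs, endMs: Date.now() }, 24);
```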
Cost ranges when volume is estimated. When auto_detect_volume falls back to an event-count × 500 B/event approximation (Datadog accounts whose App key lacks usage_read scope) or a NEVER_EXPIRE retention assumption (CloudWatch groups without retention set), every cost figure is rendered as a range — $3.8K – $15.2K/yr — instead of a misleading single number. The exact number returns when the byte-precise endpoint is reachable.
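A worked example of the fallback approximation. The 500 B/event constant comes from the text above; every other number (event counts, $/GB) is illustrative.

```ts
// Worked example of the event-count × 500 B/event fallback; all inputs are illustrative.
const estBytesPerEvent = 500;
const estEventsPerDay = 2_400_000_000;                          // hypothetical daily event count
const estDailyGb = (estEventsPerDay * estBytesPerEvent) / 1e9;  // 1,200 GB/day
const costPerGb = 2.5;                                          // analyzer_cost_per_gb or vendors.json rate
const annualMidpoint = estDailyGb * costPerGb * 365;            // ≈ $1.1M/yr
// Because the daily volume is approximated, the report renders a low-to-high range
// around this kind of estimate rather than a single figure.
```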
Reconciliation note. The report includes a section explaining how its top-10 differs from the log analyzer's native pattern view (Datadog Logs Patterns, Splunk cluster, Elastic ML categorization, CloudWatch Insights pattern). Different tokenizers and different samples produce different lists; the section calls out the typical 7-of-10 overlap so the SRE doesn't read the mismatch as a bug.
Defensive event extraction. For custom-format Datadog ingests where the body lives under attributes.attributes.* instead of attributes.message, the message is resolved through a fall-through chain so the templater never fingerprints a phantom undefined pattern. Skipped events are reported as a count in the pull metadata.
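A minimal sketch of such a fall-through chain. The candidate field order here is an assumption, not the documented chain.

```ts
// Assumed candidate order; the actual chain is not spelled out on this page.
function extractMessage(event: Record<string, any>): string | undefined {
  const candidates = [
    event?.attributes?.message,
    event?.attributes?.attributes?.message,
    event?.message,
  ];
  for (const value of candidates) {
    if (typeof value === "string" && value.length > 0) return value;
  }
  // Caller counts the skipped event instead of fingerprinting a phantom "undefined" pattern.
  return undefined;
}
```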
Templater drop warning. When the engine-side templater silently drops input lines (multi-line stack traces, event-boundary crossings), the report banner shows the missing-events count plus the drop ratio. The warning is gated to inputs above 50 lines, because tiny batches lose lines for legitimate template-overfitting reasons.
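A sketch of the gating logic. The 50-line threshold comes from the text; the stats shape and message format are assumptions.

```ts
// Only warn on inputs above 50 lines; tiny batches legitimately lose lines to template overfitting.
interface TemplaterStats {
  inputLines: number;
  templatedLines: number;
}

function templaterDropWarning(stats: TemplaterStats): string | undefined {
  const dropped = stats.inputLines - stats.templatedLines;
  if (stats.inputLines <= 50 || dropped <= 0) return undefined;
  const ratio = dropped / stats.inputLines;
  return `templater dropped ${dropped} events (${(ratio * 100).toFixed(1)}% of input)`;
}
```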