Series
Builds a time series (counts per bucket, optionally broken down by a label) from the Retriever archive over any window. Small queries return exact counts. High-volume or long-window queries return sampled estimates — the shape and the ranking of top values stay accurate, but individual bucket counts become approximate.
Example
"30d baseline of `Payment_Retry`, hourly, by tenant"

720 hourly buckets, broken down by tenant. The window holds ~8B events — too many to count exactly, so per-bucket numbers are sampled estimates. Series shape and the tenant ranking are reliable.
Top tenants: acme-corp 41% · globex 28% · initech 18% · umbrella 13%.
More to ask
- "force exact counts on a 6h window of `Auth_Failed`"
- "hourly `Retry_Exhausted` last 7d, by service"
- "sampled at 200 events per sub-window, last week"
Prerequisites
This tool requires the Retriever to be deployed. The Reporter is optional — without it, mode selection falls back to a window-length heuristic.
Tool schema (advanced)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| `from` | string | yes | — | Start of the query window. ISO8601, epoch millis, or relative (now-1h, now-30d). |
| `to` | string | no | `now` | End of the query window. |
| `search` | string | no | — | Bloom-filter search expression. Pattern-bound expressions (tenx_user_pattern == "X") let the Reporter volume signal kick in. |
| `filters` | string[] | no | — | In-memory JS filters applied after Bloom fetch. AND-combined. |
| `bucket_size` | string | no | `5m` | Time bucket size: 1m, 5m, 1h, 1d. |
| `group_by` | string | no | — | Field to break the series down by. Top-1000 values retained, the rest collapsed to _other_. Dotted paths supported for nested fields. |
| `fidelity` | string | no | `auto` | auto, full, per_window_sampled, or per_window_sampled:K. |
| `target` | string | no | `__SAVE_LOG10X_RETRIEVER_TARGET__` | Target app prefix. |
| `environment` | string | no | — | Environment nickname (multi-env). |
Mode selection — picked from Reporter volume data:
| Inputs | Mode | Why |
|---|---|---|
| Reporter has the metric, estimated events ≤ 50M and fetch ≤ 10 GB | `full` | The query fits within budget. |
| Reporter has the metric, estimate exceeds the threshold | `per_window_sampled` | Run N parallel sub-window queries, K events each. |
| Reporter has the metric, estimate exceeds 10B events / 100 GB | `refused` | Refuses the query and suggests how to narrow it. |
| Reporter has no per-pattern signal, window ≤ 4h | `full` | Falls back to window length. Counts are exact. |
| Reporter has no per-pattern signal, window > 4h | `per_window_sampled` | Without volume data, assume the worst case. |
Sub-window count N: per-day for ≥ 7d (cap 60), per-hour for 1d–7d (cap 60), per-15min for < 1d.
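
The following sketch is an added example, not the tool's own code: it works through the `auto` mode-selection table and the sub-window rule above so you can predict whether a baseline query will return exact or sampled counts. The function names are hypothetical, and it assumes decimal gigabytes, that exceeding either the event or the byte limit crosses a threshold, and that the caps are applied by clamping N.

```python
import math
from typing import Optional, Tuple

HOUR, DAY = 3600, 86400
# Thresholds from the mode-selection table (GB taken as 10**9 bytes: assumption).
FULL_MAX_EVENTS, FULL_MAX_BYTES = 50_000_000, 10 * 10**9
REFUSE_EVENTS, REFUSE_BYTES = 10_000_000_000, 100 * 10**9

def sub_window_count(window_s: int) -> int:
    """N for per_window_sampled: per-day, per-hour or per-15min slices."""
    if window_s >= 7 * DAY:
        return min(math.ceil(window_s / DAY), 60)
    if window_s >= DAY:
        return min(math.ceil(window_s / HOUR), 60)
    return math.ceil(window_s / (15 * 60))  # the page states no cap below 1d

def select_mode(window_s: int,
                est_events: Optional[int] = None,
                est_bytes: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (mode, N). Pass est_* as None when the Reporter has no
    per-pattern signal. N is None unless the mode is per_window_sampled."""
    if est_events is None or est_bytes is None:
        # No volume data: fall back to the window-length heuristic.
        if window_s <= 4 * HOUR:
            return "full", None
        return "per_window_sampled", sub_window_count(window_s)
    # Refusal is checked first, since such a query also exceeds the full budget.
    if est_events > REFUSE_EVENTS or est_bytes > REFUSE_BYTES:
        return "refused", None
    if est_events <= FULL_MAX_EVENTS and est_bytes <= FULL_MAX_BYTES:
        return "full", None
    return "per_window_sampled", sub_window_count(window_s)

if __name__ == "__main__":
    # Constructed inputs; only the ~8B event figure comes from the page's example.
    cases = {
        "30d, ~8B events, 50 GB": (30 * DAY, 8_000_000_000, 50 * 10**9),
        "6h, no Reporter signal": (6 * HOUR, None, None),
        "3d, 1B events, 20 GB": (3 * DAY, 1_000_000_000, 20 * 10**9),
        "90d, 20B events, 300 GB": (90 * DAY, 20_000_000_000, 300 * 10**9),
    }
    for label, args in cases.items():
        print(label, "->", select_mode(*args))
```

Under these assumptions the 30-day `Payment_Retry` baseline is split into 30 per-day sub-windows, while a 3-day query would need 72 hourly sub-windows and is clamped to 60.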