# Loggly MCP

> Loggly (Cloud Log Management API) lets your agent search, ingest, and analyze logs directly. You can execute complex Lucene searches, send bulk or single events, and list metadata fields—all from a chat interface without leaving your workflow.

## Overview
- **Category:** devops-cicd
- **Price:** Free
- **Tags:** logging, analytics, lucene-search, cloud-monitoring, log-analysis

## Description

**Loggly Cloud Log API MCP Server - Search & Analyze Logs**

Yo, forget jumping between dashboards just to check what broke. This server gives your AI client direct access to Loggly's full log system. You use it like another data source—you run complex queries and pull logs straight into the chat interface without ever leaving your workflow.

### Sending Logs (Ingestion)

Your agent handles putting event data *into* Loggly. If you need to send a single, multi-line event, `send_event` takes care of it; it supports JSON format and has a 1MB limit. For big chunks, use `send_bulk_events`; that function lets you dump large batches of line-separated logs, up to a 5MB max size. 

### Searching and Pulling Logs (Retrieval)

You don't just search; you run sophisticated queries. To start a complex search across your massive log dataset, you call `search_events`. This function uses Lucene syntax—you gotta know what that is—and it runs asynchronously, giving you a result ID (`rsid`). Once you have the `rsid`, you use `get_events` to actually fetch the paginated results; remember, that only pulls up to 5,000 events. If you need to dive deeper into the data associated with those logs, `get_field_values` helps by calculating and returning value counts for any specific field in your log set, letting you map out exactly how often certain values pop up.

### Analyzing Metadata (Schema Mapping)

Figuring out what's even in your logs can be a headache. You don't gotta guess. `list_fields` gives you a clean list of every unique field that exists across your whole Loggly dataset. To understand data distribution better, you use `get_field_values` again; this function lets you target one specific field and get a breakdown of all the common values associated with it.

### Managing System Data (Account Audit)

It's not just about logs—you can manage user stuff too. To check out basic account details, including your subscription limits or customer ID, call `get_customer_info`. If you need a headcount of who's using the system, `list_users` provides a plain text roster of all currently active users and what roles they've got assigned.

***

*The whole process works like this:* Your agent runs an operation—say, it calls `search_events` with your Lucene query. Loggly processes that request and returns the result ID. You then pass that specific `rsid` to `get_events`, which retrieves the log data. It's a structured handshake. If you wanna dump logs, you use `send_bulk_events`. If you gotta check who can access the system, you call `list_users`. Every tool serves one direct purpose: making sure your AI client has all the raw data it needs to operate without leaving the chat window.

## Tools

### get_customer_info
Retrieves basic account details, including subscription limits and customer identification data.

### get_events
Fetches the actual log events (up to 5,000) using a search result ID (rsid).

### get_field_values
Calculates and returns value counts for a specified field in your logs, helping you understand data distribution.

### list_fields
Returns a list of all unique fields that exist across your entire Loggly dataset.

### list_users
Provides a plain text roster of currently active users within the organization and their assigned roles.

### search_events
Initiates an asynchronous, complex search query across your logs using Lucene syntax, returning a result ID (rsid).

### send_bulk_events
Sends large batches of line-separated log events to Loggly; the batch size limit is 5MB.

### send_event
Sends a single or multiline event, supporting JSON format if specified. The max size is 1MB.

## Prompt Examples

**Prompt:** 
```
Search for all logs containing 'error' in the last 4 hours.
```

**Response:** 
```
I've initiated a search for 'error' from the last 4 hours. The Result Set ID is `123456789`. I'll now fetch the events for you...
```

**Prompt:** 
```
Send a JSON log event with tag 'production' saying {'status': 'ok', 'service': 'api'}.
```

**Response:** 
```
Successfully sent the JSON event to Loggly with the 'production' tag. The response was 'ok'.
```

**Prompt:** 
```
List all active users and their roles in my Loggly account.
```

**Response:** 
```
I've retrieved the user list. You have 3 active users: 'admin_user' (Role: Administrator), 'dev_user' (Role: User), and 'audit_bot' (Role: Read-Only).
```

## Capabilities

### Send log events
Sends single, multiline, or large batches of event data directly into Loggly for indexing.

### Search and retrieve logs
Initiates an asynchronous search query using Lucene syntax and fetches paginated results based on the resulting ID (rsid).

### Analyze log metadata
Lists all available fields in your log data or gets value counts for a specific field to map out common values.

### Manage user accounts
Retrieves organizational details, including customer information and a list of active users with their assigned roles.

## Use Cases

### Debugging a sudden API failure
A user reports a payment error. You use your agent to first run `search_events` for 'payment' errors in the last 30 minutes. The resulting rsid is fed into `get_events`. Then, you call `get_field_values` on the 'error_code' field to see if there are patterns pointing toward a specific failing service.

### Verifying new feature logs
You just deployed a new checkout flow. Instead of waiting for production traffic, you use `send_bulk_events` to push 100 simulated user events into Loggly. You then run `search_events` on those specific test tags to confirm the data arrived and indexed correctly.

### Compliance and role checks
The security team requires an audit of who has write access. The agent runs `list_users`, providing a list of every active user. You then use `get_customer_info` to verify the overall subscription status and limits.

### Finding performance bottlenecks
You suspect slowness around midnight. You execute an advanced search targeting timestamps between 11 PM and 1 AM. By analyzing the log count returned from `get_events` across that window, you can pinpoint when the system load spiked.

## Benefits

- Pinpoint failures faster. Instead of manually filtering through dashboards, use `search_events` to run complex Lucene queries for specific error codes or user IDs, immediately narrowing down millions of events.
- Understand your data structure instantly. If you aren't sure what fields exist in the logs, call `list_fields`. Then use `get_field_values` to count how often common values appear—no guesswork needed.
- Test code live from chat. When developing, use `send_event` or `send_bulk_events` to push test data directly into Loggly and watch it appear in the search results as if a real user triggered it.
- Audit your system access. Need to know who can see what? Use `list_users` to get a clear roster of every active account and their associated permissions, which is critical for compliance checks.
- Consolidate workflows. You don't leave the terminal. Your agent handles the entire loop: Query -> Get ID (`search_events`) -> Retrieve Data (`get_events`). It’s one continuous operation.

## How It Works

The bottom line is: You get structured, actionable log results without leaving your chat or terminal interface.

1. Subscribe to the server and provide your Loggly Subdomain, API Token, and Customer Token.
2. Ask your agent client to perform an action (e.g., 'Find all logs with status 500 in the last hour').
3. The agent executes the necessary tool calls (`search_events` -> `get_events`) and presents you with the filtered log data.

## Frequently Asked Questions

**How do I find a specific error using search_events?**
You execute `search_events` with Lucene syntax specifying keywords, like 'error' or 'status 500'. This doesn't give you the logs; it gives you a unique Result Set ID (`rsid`).

**What is get_field_values used for?**
You use `get_field_values` when you need to understand what values exist in a log field. For example, if 'service' is a field, this tells you every service name that logged an event.

**Can I send test logs using send_event?**
Yes. `send_event` sends a single or multiline event. Use it when simulating one specific log entry, and remember to specify if your data is JSON.

**How do I check who has access to the logs using list_users?**
Run `list_users`. This tool retrieves a roster of every active user account in the Loggly organization, detailing their assigned roles (e.g., Read-Only, Administrator).

**If I need to check my API usage limits or subscription details, what tool should I use?**
You call `get_customer_info` immediately. This retrieves your account details, including current subscription tiers and any hard rate limits imposed by Loggly. It's the first step to understanding your operational capacity.

**What is the maximum data size I can send when using send_bulk_events?**
The `send_bulk_events` tool supports batches up to 5MB, provided your event data is line-separated. If you exceed this limit, you must break the input into smaller chunks and run multiple calls.
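
One way to do that chunking before calling `send_bulk_events`, as an added example (not code from this server or from Loggly). The function name is hypothetical, "5MB" is assumed to mean 5 MiB counted in UTF-8 bytes, and events with embedded newlines are set aside because a line-separated batch would split them into several events.

```python
MAX_BULK_BYTES = 5 * 1024 * 1024  # assumption: "5MB" read as 5 MiB


def chunk_bulk_events(events, max_bytes=MAX_BULK_BYTES):
    """Pack events into newline-separated batches of at most max_bytes each.

    Returns (batches, rejected). An event is rejected, never split, when it
    is empty, is larger than max_bytes on its own, or contains a line break
    (which would turn one event into several inside a line-separated batch;
    per the page, multi-line events belong to send_event instead).
    """
    batches, rejected = [], []
    current, size = [], 0
    for event in events:
        raw = event.encode("utf-8")  # the limit applies to bytes, not characters
        if not raw or b"\n" in raw or b"\r" in raw or len(raw) > max_bytes:
            rejected.append(event)
            continue
        needed = len(raw) + (1 if current else 0)  # +1 for the "\n" separator
        if size + needed > max_bytes:
            # Current batch is full: close it and start a new one with this event.
            batches.append(b"\n".join(current))
            current, size = [], 0
            needed = len(raw)
        current.append(raw)
        size += needed
    if current:
        batches.append(b"\n".join(current))
    return batches, rejected


if __name__ == "__main__":
    # Constructed sample events; a tiny limit makes the splitting visible.
    sample = ['{"status": "ok"}', '{"status": "fail"}', "stack\ntrace"]
    out, bad = chunk_bulk_events(sample, max_bytes=20)
    for i, batch in enumerate(out, 1):
        print(f"batch {i}: {len(batch)} bytes")
    print("rejected:", bad)
```

Each returned batch is the payload for one `send_bulk_events` call; anything in `rejected` needs separate handling.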

**How do I retrieve a large set of search results after running search_events?**
You can't fetch everything at once. After `search_events` runs, it gives you a Result Set ID (rsid). You then pass this rsid to the `get_events` tool to pull the actual logs in paginated batches.

**What happens if I send bad or malformed log data with send_event?**
The API will return an error code detailing the structure failure. If you're sending JSON, make sure to set `is_json=true` and validate your payload first. This prevents indexing errors.

**How do I search for logs and see the results?**
Searching is a two-step process: first, use `search_events` with your Lucene query to get a Result Set ID (rsid). Then, use `get_events` with that rsid to retrieve the actual log data.

**Can I send JSON logs directly from the AI?**
Yes! Use the `send_event` tool and set `is_json` to true. You can pass a JSON string in the `event_data` field, and Loggly will parse it as a structured object.

**How can I see which fields are most common in my logs?**
You can use `list_fields` to see all available fields, or use `get_field_values` with a specific field name to get a count of the top values (faceting) for that field.