# Sumo Logic MCP

> Sumo Logic connects your AI agent directly to your log and metrics infrastructure. It lets you run complex searches, monitor collector health, and manage data sources—all through natural conversation. You stop jumping between dashboards; your agent does the work.

## Overview
- **Category:** cloud-infrastructure
- **Price:** Free
- **Tags:** logs, metrics, siem, observability, devops

## Description

**Your AI agent connects straight to your Sumo Logic data stack.** You're done jumping between dashboards and running command-line scripts; you just talk to your agent, and it handles all the heavy lifting—the log analysis, the performance checks, and even managing the infrastructure itself. It’s like having a dedicated Site Reliability Engineer sitting right next to you.

**Managing Data Collectors**

You can keep tabs on every data pipeline running in your account. To see which collectors are up and reporting, use `list_collectors`. Need details on one specific collector? Run `get_collector` with its ID. Need to adjust a collector's settings? Use `update_collector`. And if a collector's data stream is no longer wanted, you can remove the entire instance with `delete_collector`. To build a new pipeline, start with `create_hosted_collector`, which spins up a cloud-managed collector ready for immediate data ingestion.

**Controlling Data Sources (Sources)**

Sources are the individual data streams that actually flow into your platform. You can see all the currently active streams in one go using `list_sources`. If you need to inspect the specific setup of a single source, use `get_source`. To get data flowing from somewhere new, run `create_source` and add it to an existing collector. Want to tweak how a source is configured? Use `update_source` to change its settings. And if a data stream is causing trouble or you just need to cut it loose, you can use `delete_source`, which stops the log flow immediately.

**Running Searches and Queries**

When you need information, this server gives your agent serious power. If you're looking for a deep dive—say, all 'connection timeout' errors from last week—you don't want to wait forever in the chat window. You start an asynchronous job with `create_search_job`. This tool kicks off a massive log search that runs in the background. You can then check on its progress using `get_search_job_status`; it tells you if the job is still running or if it's finished up. Once it's done, you get two ways to pull the data: use `get_search_job_messages` to grab every single raw log entry, or run `get_search_job_records` for an aggregated summary of what happened.

If a search job is going sideways and you need to stop it, just use `delete_search_job`. For checking system health (the real-time, time-series performance data), you run a query using `execute_metrics_query` right in your conversation. It pulls current metrics without you leaving the chat window.

**Managing Users and Access Control**

Security’s key, so here’s how you manage who can access the logs and metrics. To see every account registered on the platform, run `list_users`. If you need to set up a new teammate, use `create_user` to make their account. Need to deactivate someone or remove an old profile? You've got `delete_user` for that. These tools let your agent manage access right down to the user level.

**The Bottom Line**

This whole setup turns your AI client into a full-stack log engineer. It lets you execute complex searches, monitor collectors, control data sources, and handle users—all without ever touching an API script or switching tabs.

## Tools

### create_hosted_collector
Creates a new, cloud-managed collector instance for data ingestion.

### create_search_job
Starts an asynchronous job to run a deep log search query that needs time to process.

### create_source
Adds a new data source (log stream) into an existing collector.

### create_user
Creates a new user account within the Sumo Logic organization for access control.

### delete_collector
Removes an entire data collector instance from your environment.

### delete_search_job
Cancels a running search job to free up concurrent processing slots.

### delete_source
Removes a data source from a collector, stopping its log flow.

### delete_user
Deactivates or removes a user account from the organization.

### execute_metrics_query
Runs a query to retrieve time-series data for monitoring system performance and health metrics.

### get_collector
Retrieves specific details about one collector using its ID.

### get_search_job_messages
Fetches the raw, individual log messages from a search job once it's finished.

### get_search_job_records
Retrieves aggregated records (metrics/summary) after a completed search job runs.

### get_search_job_status
Checks the current status of an asynchronous log search job to see if it's running or finished.

### get_source
Retrieves specific details about a single data source within a collector.

### list_collectors
Lists all installed and hosted collectors currently running in your account.

### list_sources
Provides a list of all available data sources within a specific collector.

### list_users
Lists every user account currently registered in the organization.

### update_collector
Modifies settings for an existing data collector instance.

### update_source
Changes configuration details for a specific data source.

## Prompt Examples

**Prompt:** 
```
List all my Sumo Logic collectors.
```

**Response:** 
```
I've retrieved your collectors. You have 3 active collectors: 'Prod-Receiver' (ID: 1023), 'Staging-Logs' (ID: 1024), and 'Cloud-Hosted' (ID: 1025).
```

**Prompt:** 
```
Search for 'error' in logs for the last 15 minutes.
```

**Response:** 
```
I've initiated a search job (ID: job_98765). I will poll the status and let you know when the results are ready.
```

**Prompt:** 
```
Get the records for search job ID job_98765.
```

**Response:** 
```
The search job is complete. I found 12 records matching 'error'. Most common message: 'Connection timeout at 10.0.0.1'.
```

## Capabilities

### Run Asynchronous Log Searches
Starts a deep search job and tracks its status, allowing you to retrieve large volumes of historical logs.

### Execute Performance Metrics Queries
Runs real-time time-series queries against system metrics to check performance and health indicators.

### Manage Data Collectors
List, create, update, or delete the core collectors that ingest data into your platform.

### Control Data Sources
List and manage specific data streams (Sources) within a collector to ensure proper log flow and visibility.

### Manage Users & Access Control
View, create, or delete user accounts to control who can access the platform's logs and metrics.

## Use Cases

### Investigating a Production Outage
The service went down. You don't know where to look. Your agent runs `list_collectors` first, confirming all data pipelines are up. Next, it uses `create_search_job` to search for 'FATAL ERROR' logs from the last hour. Finally, you use `get_source` on a specific collector to narrow down which application stream failed.

### Auditing User Access
Security needs to know who has access. Instead of navigating user roles and permissions, you ask the agent to run `list_users`. If an old contractor account remains active, you use `delete_user` right from your chat client.

### Scaling Data Ingestion
A new service is deployed that needs logging. You tell the agent it's coming online. It uses `list_sources` to check existing collectors, then runs `create_hosted_collector` and `create_source`, ensuring the data flow starts correctly without manual setup.

### Checking System Health Before Deployment
Before pushing a new build, you need to know if the system can handle the load. Your agent uses `execute_metrics_query` to check CPU usage and latency over the last 24 hours. If the metrics look stable, you greenlight the deployment.

## Benefits

- Eliminate context switching. Instead of jumping between the metrics dashboard, log search UI, and collector management page, your AI client handles it all in one chat session. Need to check a metric *and* find the logs that caused it? Just ask.
- Deep dive into history without writing complex queries. You can use `create_search_job` to run massive searches spanning weeks of data, then rely on `get_search_job_records` to get clean, aggregated results instantly.
- Maintain your pipeline from the chat window. Need to add a new log stream? Use `list_sources` first, and if it's missing, tell your agent to run `create_source`—all without logging into the web UI.
- Real-time operational visibility. Check system performance metrics on the fly using `execute_metrics_query`. This lets you catch resource spikes immediately when troubleshooting an incident, instead of waiting for a separate monitoring tool update.
- Full lifecycle control. Managing infrastructure used to mean multiple API calls or clicking through menus. Now you can list (`list_collectors`), modify (`update_collector`), and clean up (`delete_collector`) entire components via simple commands.

## How It Works

The bottom line is: your AI client acts as an intermediary that translates natural language requests into structured API tool calls for log analysis and infrastructure management.

1. Subscribe to this server and provide your Sumo Logic Access ID, Access Key, and API URL.
2. Your AI client uses these credentials to communicate with the log platform's APIs.
3. You ask a question (e.g., 'Show me all 500 errors from last night'), and the agent calls the necessary tools, returns data, or reports status.

## Frequently Asked Questions

**How do I check if my search job is finished using get_search_job_status?**
Run `get_search_job_status` and pass the ID from your initial search. The response will tell you if the status is 'RUNNING', 'FAILED', or 'COMPLETED'. You need to wait until it says 'COMPLETED' before retrieving results.

**Can I list all my collectors using list_collectors?**
Yes, `list_collectors` returns a list of every installed and hosted collector by ID. This is the first step if you need to know which data pipelines are active in your account.

**What's the difference between get_search_job_messages and get_search_job_records?**
They give different outputs: `get_search_job_messages` gives you the raw, individual log lines. `get_search_job_records` provides aggregated data or summary records from that search job.

**Do I need to use create_source before running a query?**
No, but if your logs are missing, you first need to check `list_sources` and then use `create_source` if the data stream isn't set up. Queries only work on existing sources.

**What credentials do I need when running a job with `create_search_job`?**
You must provide your Sumo Logic Access ID, Access Key, and API URL. These inputs authenticate your agent against the service. Ensure these keys are current and haven't been revoked by your admin team.

**If I don't need a search job anymore, should I use `delete_search_job`?**
Yes, you absolutely should call `delete_search_job`. This action frees up the concurrent slot assigned to that job. Running this keeps your organization from hitting unnecessary rate limits.

**How do I manage user access and roles using the `list_users` tool?**
The `list_users` tool lets you see every account currently configured in your organization. To add or change permissions, you'll use a separate command to create or update accounts.

**What if I need to make a minor setting adjustment on an existing collector? Should I use `update_collector`?**
Yes, that’s exactly what `update_collector` does. You pass the specific Collector ID and the new parameters you want to change. This modifies settings without forcing you to delete and re-add the whole resource.

**How do I start a new log search and get the results?**
First, use `create_search_job` to start the search. Then, poll `get_search_job_status` until it's complete. Finally, use `get_search_job_messages` or `get_search_job_records` to retrieve the data.
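The three-step workflow above (and the "Running Searches and Queries" section earlier) is easiest to get right as one driver that starts the job, polls until it leaves `RUNNING`, fetches results, and always calls `delete_search_job` so the concurrent slot is released even when the job fails or times out. The following is an added example, not code from the Sumo Logic MCP server or its documentation: `call_tool` stands in for whatever MCP client you use, and the argument names (`query`, `from`, `to`, `job_id`), the `id`/`state` response keys and the `FakeSumoTools` stand-in (with its constructed log lines) are assumptions made so the driver runs offline.

```python
"""Driver for the asynchronous search workflow exposed by the Sumo Logic MCP
tools: create_search_job -> get_search_job_status -> get_search_job_records /
get_search_job_messages -> delete_search_job.

Added example. `call_tool` is whatever MCP client you use; the argument names
("query", "from", "to", "job_id") and the response shapes are assumptions,
not the server's documented schema.
"""
import time
from collections import Counter
from typing import Any, Callable

ToolCaller = Callable[[str, dict[str, Any]], dict[str, Any]]


class SearchJobFailed(RuntimeError):
    """The job reached FAILED, or reported a state the driver does not know."""


class SearchJobTimeout(TimeoutError):
    """The job was still RUNNING after the allowed number of polls."""


def run_search(call_tool: ToolCaller, query: str, time_range: dict[str, str], *,
               want: str = "records", max_polls: int = 20,
               poll_interval: float = 0.0) -> dict[str, Any]:
    """Start a search job, poll it to completion, fetch results, release the slot."""
    job_id = call_tool("create_search_job", {"query": query, **time_range})["id"]
    fetch_tool = "get_search_job_records" if want == "records" else "get_search_job_messages"
    try:
        for _ in range(max_polls):
            state = call_tool("get_search_job_status", {"job_id": job_id})["state"]
            if state == "COMPLETED":
                return call_tool(fetch_tool, {"job_id": job_id})
            if state != "RUNNING":  # FAILED, or anything unexpected: do not spin forever
                raise SearchJobFailed(f"job {job_id} ended in state {state!r}")
            time.sleep(poll_interval)
        raise SearchJobTimeout(f"job {job_id} still RUNNING after {max_polls} polls")
    finally:
        # Always free the concurrent-search slot, whether we succeeded or bailed out.
        call_tool("delete_search_job", {"job_id": job_id})


# --- constructed stand-in for the MCP server so the driver runs offline ----------
class FakeSumoTools:
    """Simulates the five search tools over a handful of constructed log lines."""

    LOGS = [  # constructed sample data, not real log content
        "2024-05-01T10:00:01Z app=api level=ERROR msg='Connection timeout at 10.0.0.1'",
        "2024-05-01T10:00:05Z app=api level=INFO msg='request ok'",
        "2024-05-01T10:00:09Z app=api level=ERROR msg='Connection timeout at 10.0.0.1'",
        "2024-05-01T10:00:12Z app=web level=ERROR msg='upstream 502'",
    ]

    def __init__(self, polls_until_done: int = 2, fail_on: str = "bad query"):
        self.polls_until_done = polls_until_done
        self.fail_on = fail_on          # a query text that the fake reports as FAILED
        self.jobs: dict[str, dict[str, Any]] = {}
        self.deleted: list[str] = []    # job ids whose slot was released
        self.calls: list[tuple[str, dict[str, Any]]] = []  # audit trail of every tool call

    def __call__(self, tool: str, args: dict[str, Any]) -> dict[str, Any]:
        self.calls.append((tool, dict(args)))
        if tool == "create_search_job":
            job_id = f"job_{len(self.jobs) + 1}"
            self.jobs[job_id] = {"query": args["query"], "polls": 0}
            return {"id": job_id}
        job = self.jobs[args["job_id"]]
        if tool == "get_search_job_status":
            job["polls"] += 1
            if job["query"] == self.fail_on:
                return {"state": "FAILED"}
            return {"state": "COMPLETED" if job["polls"] >= self.polls_until_done else "RUNNING"}
        hits = [line for line in self.LOGS if job["query"] in line]
        if tool == "get_search_job_messages":      # raw, individual log lines
            return {"messages": hits}
        if tool == "get_search_job_records":       # aggregated summary: count per message
            counts = Counter(line.split("msg=")[1] for line in hits)
            return {"records": [{"msg": m, "count": c} for m, c in counts.most_common()]}
        if tool == "delete_search_job":
            self.deleted.append(args["job_id"])
            return {"ok": True}
        raise KeyError(tool)


if __name__ == "__main__":
    tools = FakeSumoTools()
    print(run_search(tools, "ERROR", {"from": "-15m", "to": "now"}))
```

The `finally` branch is the part worth copying: a job that fails or is abandoned mid-poll still gets deleted, which is what keeps the organization from exhausting its concurrent-search slots. The `calls` list in the stand-in is there for the same reason a defender would keep it in a real client: the credentials the agent uses also authorize `delete_collector`, `delete_source` and `delete_user`, so every tool invocation the agent makes should land in a log you can review.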

**Can I see all my configured data collectors?**
Yes, use the `list_collectors` tool to retrieve a list of all installed and hosted collectors in your account, including their IDs and status.

**How do I monitor system performance metrics?**
You can use the `execute_metrics_query` tool to run specific metrics queries and get real-time data on your infrastructure's health.