yokozuna-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| SUMO_ENDPOINT | No | Explicit API base URL override (e.g. https://api.eu.sumologic.com/api/); accepts host with/without /api/; https only. Takes precedence over SUMO_DEPLOYMENT. | |
| SUMO_ACCESS_ID | Yes | Access ID. | |
| SUMO_ACCESS_KEY | Yes | Access key. Never logged or echoed. | |
| SUMO_DEPLOYMENT | No | One of au,ca,ch,de,eu,fed,in,jp,kr,us1,us2. | eu |
| SUMO_UI_BASE_URL | No | UI origin used only for "open in Sumo UI" deep links (not for the API). Set it to your company host, e.g. https://<org>.<deployment>.sumologic.com. | |
| YOKOZUNA_EXPORT_DIR | No | Where sumo_export_results writes NDJSON files. | |
| YOKOZUNA_LEVEL_EXPR | No | JSON path (inside _raw) of the log level. | log.levelname |
| SUMO_DEFAULT_TIMEZONE | No | IANA tz used when a tool call omits timeZone. | UTC |
| YOKOZUNA_DEFAULT_LIMIT | No | Default inline result limit. | 100 |
| YOKOZUNA_DEFAULT_DETAIL | No | One of summary, compact, full, raw. | compact |
| YOKOZUNA_FACET_DIMENSIONS | No | Default sumo_facets dimensions (comma-separated). | _sourcecategory,_sourcehost,levelname,status,path |
| YOKOZUNA_MAX_MESSAGE_CHARS | No | Safety cap for the message field. | 10000 |
| YOKOZUNA_KEEPALIVE_MAX_JOBS | No | Max jobs the keepalive tracks at once. | 20 |
| YOKOZUNA_MAX_RESPONSE_CHARS | No | Whole-response safety cap (chars) for inline tool results. | 200000 |
| SUMO_DEFAULT_SOURCE_CATEGORY | No | Embedded into tool descriptions as the recommended query prefix. Queries are never mutated. | |
| YOKOZUNA_SETTLE_MARGIN_SECONDS | No | sumo_new_since freshness lag. | 180 |
| YOKOZUNA_KEEPALIVE_IDLE_MINUTES | No | Minutes a kept job may sit idle before the server deletes it. | 10 |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {"listChanged": true} |
| prompts | {"listChanged": true} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| sumo_run_search | Workhorse: creates a Sumo Logic search job, waits for completion, returns the first N results, and deletes the job. Time range: exactly ONE of Scoping in one line: filter WHERE with _sourcecategory=, filter SEVERITY by parsing the JSON payload (\| json field=_raw "log.levelname" as levelname nodrop \| where levelname in ("ERROR","WARNING") — never _loglevel or stream:"stderr"), and TRACE one request by searching its quoted request_id with no other filters. Hostname keywords match only request logs — hunt errors by _sourcecategory. Full cookbook + workflow: the "triage" MCP prompt. |
| sumo_create_search_job | Creates a search job and returns its id WITHOUT waiting. The server background-polls created jobs (keepalive) so the job persists across your tool calls; without that, Sumo cancels jobs after a short idle period. Page results with sumo_get_messages / sumo_get_records; always call sumo_delete_search_job when done. Time range: exactly ONE of |
| sumo_get_search_job_status | Polls a search job (and resets a kept job's idle timer). States: NOT STARTED / GATHERING RESULTS (in progress; partial results already pageable) / DONE GATHERING RESULTS / FORCE PAUSED (100k cap hit — results available, truncated) / CANCELLED. For aggregate queries messageCount counts scanned input; recordCount is the result count. |
| sumo_get_messages | Pages messages of a NON-aggregate search job (aggregate jobs 400 — use sumo_get_records). Page size max 10000. Partial results are pageable while the job is still gathering. Token levers: detail=summary (whole-job level counts — exact via a side-aggregate, or a labeled sample if that fails — plus a compact histogram and top message signatures; cheapest) \| compact (timestamp, level, request_id, _sourcecategory, FULL message, plus method/path/status when present) \| full (compact + duration_s/logger/client_ip) \| raw (verbatim _raw — logs exactly as the app emitted them, including anything sensitive it logged). See the fields/dedupe/maxMessageChars params for projection, grouping, and the message-length cap. |
| sumo_get_records | Pages records of an AGGREGATE search job (non-aggregate jobs 400 — use sumo_get_messages). Page size max 10000. |
| sumo_delete_search_job | Deletes a search job, freeing its slot against the 200-active-jobs org cap. Always delete jobs you created via sumo_create_search_job (or kept with keepJob: true) when done. Deleting an already-gone job is not an error. |
| sumo_export_results | Runs a search and streams ALL results (up to the 100,000 server cap) to an NDJSON file on disk, returning the file path — NOT the content. Use this for bulk analysis ("feed the logs to a coding agent") instead of large inline limits. Each line is one flattened log object (metadata + parsed _raw log.* fields). Lines are CHRONOLOGICAL (oldest→newest by _messagetime; the server appends "\| sort by _messagetime asc" to non-aggregate queries — a PARTIAL result may not be fully ordered). Aggregate queries export their records instead (one JSON record per line, query order; maxMessages/extract do not apply). If more than 100k messages match, split the time range into multiple exports. Time range: exactly ONE of |
| sumo_facets | The fastest way to see the SHAPE of matching logs before reading any messages: runs one small "count by " aggregate per dimension (concurrently; every job auto-deleted) and returns a compact ranked table per dimension. Dimensions starting with "_" are native Sumo fields (e.g. _sourcecategory, _sourcehost); anything else is parsed from the JSON payload as log. (e.g. levelname, status, path). One failing dimension yields an error line, never a total failure. Time range: exactly ONE of |
| sumo_error_digest | One-call triage: finds ERROR/WARNING (configurable via levels) messages in scope, groups them by normalized signature (timestamps/UUIDs/hex/numbers stripped), and returns the top-N distinct problems with count, first/last occurrence, a sample request_id for cross-referencing, and the _sourcecategory. Level filter uses log.levelname parsed from _raw (reliable), never _loglevel. Time range: exactly ONE of |
| sumo_new_since | Stateless receipt-time monitor for polling loops: returns messages that ARRIVED since your last call plus a new cursor. First call: omit |
| sumo_trend | Shows WHEN things happened: buckets matching messages with \| timeslice, counts per bucket split into series (default: log level via log.levelname), and renders one compact sparkline + per-bucket counts per series. Use it to spot spikes and onsets before reading messages. The query must be a plain scope — no \| aggregation operators (timeslice/count are appended; one search job, auto-deleted). Time range: exactly ONE of |
| sumo_list_monitors | Discovers the org's native Sumo Logic Monitors (the 24/7 prod alerting): name, folder path, type, enabled/disabled, current status, trigger types, and notification destinations. Read-only management-API call — no search jobs involved. Requires an access key with the "View Monitors" capability (without it Sumo returns HTTP 403). Optional query filters by monitor name/content. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| triage | Guided Sumo Logic log-triage workflow (shape first, then messages, then a request trace) with the full query cookbook. |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |