Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
|---|---|---|---|
| SUMO_ENDPOINT | No | Explicit API base URL override (e.g. https://api.eu.sumologic.com/api/); accepts a host with or without /api/; https only. Takes precedence over SUMO_DEPLOYMENT. | (none; derived from SUMO_DEPLOYMENT) |
| SUMO_ACCESS_ID | Yes | Access ID. | |
| SUMO_ACCESS_KEY | Yes | Access key. Never logged or echoed. | |
| SUMO_DEPLOYMENT | No | One of au, ca, ch, de, eu, fed, in, jp, kr, us1, us2. | eu |
| SUMO_UI_BASE_URL | No | UI origin for "open in Sumo UI" deep links only (not the API). Set to your company host, e.g. https://<org>.<deployment>.sumologic.com. | |
| YOKOZUNA_EXPORT_DIR | No | Where sumo_export_results writes NDJSON files. | |
| YOKOZUNA_LEVEL_EXPR | No | JSON path (inside _raw) of the log level. | log.levelname |
| SUMO_DEFAULT_TIMEZONE | No | IANA time zone used when a tool call omits timeZone. | UTC |
| YOKOZUNA_DEFAULT_LIMIT | No | Default inline result limit. | 100 |
| YOKOZUNA_DEFAULT_DETAIL | No | One of summary, compact, full, raw. | compact |
| YOKOZUNA_FACET_DIMENSIONS | No | Default sumo_facets dimensions (comma-separated). | _sourcecategory,_sourcehost,levelname,status,path |
| YOKOZUNA_MAX_MESSAGE_CHARS | No | Safety cap (chars) for the message field. | 10000 |
| YOKOZUNA_KEEPALIVE_MAX_JOBS | No | Max jobs the keepalive tracks at once. | 20 |
| YOKOZUNA_MAX_RESPONSE_CHARS | No | Whole-response safety cap (chars) for inline tool results. | 200000 |
| SUMO_DEFAULT_SOURCE_CATEGORY | No | Embedded into tool descriptions as the recommended query prefix. Queries are never mutated. | |
| YOKOZUNA_SETTLE_MARGIN_SECONDS | No | sumo_new_since freshness lag (seconds). | 180 |
| YOKOZUNA_KEEPALIVE_IDLE_MINUTES | No | Minutes a kept job may sit idle before the server deletes it. | 10 |
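The precedence and validation rules in the table (SUMO_ENDPOINT over SUMO_DEPLOYMENT, https only, host accepted with or without /api/, access key never echoed) as a worked resolver. This is an added example, not the server's own code. The deployment-to-host mapping (api.<deployment>.sumologic.com, with us1 served from api.sumologic.com) is an assumption based on Sumo Logic's published endpoint list; the page itself only shows the eu host.

```python
"""Resolve the API base URL and build a log-safe view of the configuration
above. Added example, not the server's code. The deployment-to-host mapping
(api.<deployment>.sumologic.com, with us1 served from api.sumologic.com) is an
assumption based on Sumo Logic's published endpoints; the page only shows the
eu host."""
import os
from urllib.parse import urlsplit, urlunsplit

DEPLOYMENTS = ("au", "ca", "ch", "de", "eu", "fed", "in", "jp", "kr", "us1", "us2")
DEFAULT_DEPLOYMENT = "eu"


def deployment_api_base(deployment: str) -> str:
    deployment = deployment.strip().lower()
    if deployment not in DEPLOYMENTS:
        raise ValueError(f"SUMO_DEPLOYMENT must be one of {','.join(DEPLOYMENTS)}, got {deployment!r}")
    host = "api.sumologic.com" if deployment == "us1" else f"api.{deployment}.sumologic.com"
    return f"https://{host}/api/"


def normalize_endpoint(raw: str) -> str:
    """Accept 'host', 'https://host' or 'https://host/api/'; always return https://host/api/."""
    candidate = raw.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        raise ValueError("SUMO_ENDPOINT must use https")
    if not parts.netloc or "@" in parts.netloc:
        # Refuse user:pass@host: credentials belong in SUMO_ACCESS_ID/KEY,
        # not in a URL that may end up in a log line.
        raise ValueError("SUMO_ENDPOINT must be a plain https host without embedded credentials")
    if parts.query or parts.fragment or parts.path.rstrip("/") not in ("", "/api"):
        raise ValueError(f"SUMO_ENDPOINT path must be empty or /api/, got {raw!r}")
    return urlunsplit(("https", parts.netloc, "/api/", "", ""))


def resolve_api_base(env) -> str:
    """SUMO_ENDPOINT, when set, takes precedence over SUMO_DEPLOYMENT (default eu)."""
    if env.get("SUMO_ENDPOINT"):
        return normalize_endpoint(env["SUMO_ENDPOINT"])
    return deployment_api_base(env.get("SUMO_DEPLOYMENT") or DEFAULT_DEPLOYMENT)


def redacted_config(env) -> dict:
    """Settings view that is safe to log: the access key is masked, never echoed."""
    view = {k: v for k, v in env.items() if k.startswith(("SUMO_", "YOKOZUNA_"))}
    if "SUMO_ACCESS_KEY" in view:
        view["SUMO_ACCESS_KEY"] = "<redacted>"
    return view


if __name__ == "__main__":
    print(resolve_api_base(os.environ))
    print(redacted_config(os.environ))
```

Rejecting `user:pass@host` in the override is the check worth keeping: a base URL is exactly the kind of value that gets printed in startup logs and error messages, and the table's "never logged or echoed" promise for the key is only meaningful if no second path can carry it.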

Capabilities

Features and capabilities supported by this server

| Capability | Details |
|---|---|
| tools | { "listChanged": true } |
| prompts | { "listChanged": true } |

Tools

Functions exposed to the LLM to take actions

sumo_run_search

Workhorse: creates a Sumo Logic search job, waits for completion, returns the first N results, and deletes the job. Time range: exactly ONE of last (relative, e.g. "15m", "2h"; units s/m/h/d) OR both from and to (ISO-8601 like 2026-07-02T18:28:00, or epoch milliseconds). Token levers: detail=summary (whole-job level counts — exact via a side-aggregate, or a labeled sample if that fails — plus a compact histogram and top message signatures; cheapest) | compact (timestamp, level, request_id, _sourcecategory, FULL message, plus method/path/status when present) | full (compact + duration_s/logger/client_ip) | raw (verbatim _raw — logs exactly as the app emitted them, including anything sensitive it logged). See the fields/dedupe/maxMessageChars params for projection, grouping, and the message-length cap. Inline limit max 5000 — use sumo_export_results for bulk (up to 100k to a file).

Scoping in one line: filter WHERE with _sourcecategory=, filter SEVERITY by parsing the JSON payload (| json field=_raw "log.levelname" as levelname nodrop | where levelname in ("ERROR","WARNING") — never _loglevel or stream:"stderr"), and TRACE one request by searching its quoted request_id with no other filters. Hostname keywords match only request logs — hunt errors by _sourcecategory. Full cookbook + workflow: the "triage" MCP prompt.
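The time-range contract repeated in the tool descriptions (exactly one of `last`, or both `from` and `to`; relative units s/m/h/d; ISO-8601 or epoch milliseconds; SUMO_DEFAULT_TIMEZONE filling in a missing zone) as a worked resolver. This is an added example, not the server's code; that the default time zone also applies to naive `from`/`to` values is an assumption.

```python
"""Time-range resolution shared by the search tools. Added example (not the
server's code); parameter names last/from/to and the s/m/h/d units follow the
tool descriptions on this page."""
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

_LAST = re.compile(r"^(\d+)([smhd])$")
_UNIT_MS = {"s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def parse_last(last: str) -> int:
    """Relative range such as '15m' or '2h' -> milliseconds."""
    m = _LAST.match(last.strip())
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"bad relative range {last!r}; expected e.g. 15m, 2h (units s/m/h/d)")
    return int(m.group(1)) * _UNIT_MS[m.group(2)]


def parse_instant(value, tz: str = "UTC") -> int:
    """ISO-8601 text or epoch milliseconds -> epoch milliseconds.
    Naive ISO values are interpreted in tz, the way SUMO_DEFAULT_TIMEZONE fills
    in a missing timeZone (assumed here to apply to from/to as well)."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    text = str(value).strip()
    if text.isdigit():            # epoch milliseconds passed as a string
        return int(text)
    if text.endswith("Z"):        # fromisoformat accepts a bare 'Z' only on Python 3.11+
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc if tz.upper() == "UTC" else ZoneInfo(tz))
    return int(dt.timestamp() * 1000)


def resolve_time_range(args: dict, now_ms: int, tz: str = "UTC") -> tuple:
    """Return (from_ms, to_ms), enforcing 'exactly one of last, or from+to'."""
    has_last = "last" in args
    has_abs = "from" in args or "to" in args
    if has_last == has_abs:       # both given, or neither
        raise ValueError("pass exactly one of: last, or both from and to")
    if has_last:
        return now_ms - parse_last(args["last"]), now_ms
    if "from" not in args or "to" not in args:
        raise ValueError("from and to must be given together")
    start, end = parse_instant(args["from"], tz), parse_instant(args["to"], tz)
    if start >= end:
        raise ValueError("from must be earlier than to")
    return start, end
```

The all-digits check runs before the ISO parse on purpose: `datetime.fromisoformat("2026")` is a valid year on newer Pythons, so a bare epoch string would otherwise be silently read as a date.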

sumo_create_search_job

Creates a search job and returns its id WITHOUT waiting. The server background-polls created jobs (keepalive) so the job persists across your tool calls; without that, Sumo cancels jobs after a short idle period. Page results with sumo_get_messages / sumo_get_records; always call sumo_delete_search_job when done. Time range: exactly ONE of last (relative, e.g. "15m", "2h"; units s/m/h/d) OR both from and to (ISO-8601 like 2026-07-02T18:28:00, or epoch milliseconds).

sumo_get_search_job_status

Polls a search job (and resets a kept job's idle timer). States: NOT STARTED / GATHERING RESULTS (in progress; partial results already pageable) / DONE GATHERING RESULTS / FORCE PAUSED (100k cap hit — results available, truncated) / CANCELLED. For aggregate queries messageCount counts scanned input; recordCount is the result count.

sumo_get_messages

Pages messages of a NON-aggregate search job (aggregate jobs return HTTP 400; use sumo_get_records). Page size max 10000. Partial results are pageable while the job is still gathering. Token levers: detail=summary (whole-job level counts — exact via a side-aggregate, or a labeled sample if that fails — plus a compact histogram and top message signatures; cheapest) | compact (timestamp, level, request_id, _sourcecategory, FULL message, plus method/path/status when present) | full (compact + duration_s/logger/client_ip) | raw (verbatim _raw — logs exactly as the app emitted them, including anything sensitive it logged). See the fields/dedupe/maxMessageChars params for projection, grouping, and the message-length cap.

sumo_get_records

Pages records of an AGGREGATE search job (non-aggregate jobs return HTTP 400; use sumo_get_messages). Page size max 10000.

sumo_delete_search_job

Deletes a search job, freeing its slot against the 200-active-jobs org cap. Always delete jobs you created via sumo_create_search_job (or kept with keepJob: true) when done. Deleting an already-gone job is not an error.

sumo_export_results

Runs a search and streams ALL results (up to the 100,000 server cap) to an NDJSON file on disk, returning the file path — NOT the content. Use this for bulk analysis ("feed the logs to a coding agent") instead of large inline limits. Each line is one flattened log object (metadata + parsed _raw log.* fields). Lines are CHRONOLOGICAL (oldest→newest by _messagetime; the server appends "| sort by _messagetime asc" to non-aggregate queries — a PARTIAL result may not be fully ordered). Aggregate queries export their records instead (one JSON record per line, query order; maxMessages/extract do not apply). If more than 100k messages match, split the time range into multiple exports. Time range: exactly ONE of last (relative, e.g. "15m", "2h"; units s/m/h/d) OR both from and to (ISO-8601 like 2026-07-02T18:28:00, or epoch milliseconds).

sumo_facets

The fastest way to see the SHAPE of matching logs before reading any messages: runs one small "count by <dimension>" aggregate per dimension (concurrently; every job auto-deleted) and returns a compact ranked table per dimension. Dimensions starting with "_" are native Sumo fields (e.g. _sourcecategory, _sourcehost); anything else is parsed from the JSON payload as log.<dimension> (e.g. levelname, status, path). One failing dimension yields an error line, never a total failure. Time range: exactly ONE of last (relative, e.g. "15m", "2h"; units s/m/h/d) OR both from and to (ISO-8601 like 2026-07-02T18:28:00, or epoch milliseconds).

sumo_error_digest

One-call triage: finds ERROR/WARNING (configurable via levels) messages in scope, groups them by normalized signature (timestamps/UUIDs/hex/numbers stripped), and returns the top-N distinct problems with count, first/last occurrence, a sample request_id for cross-referencing, and the _sourcecategory. Level filter uses log.levelname parsed from _raw (reliable), never _loglevel. Time range: exactly ONE of last (relative, e.g. "15m", "2h"; units s/m/h/d) OR both from and to (ISO-8601 like 2026-07-02T18:28:00, or epoch milliseconds).
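The grouping step described above (filter by log.levelname parsed from _raw, strip timestamps/UUIDs/hex/numbers into a signature, rank with count, first/last occurrence and a sample request_id) run over constructed log lines. Added example, not the project's code. The payload shape (a JSON object with log.levelname, log.message and log.request_id) and the exact scrubbing regexes are assumptions; the page names the fields but not the layout.

```python
"""Normalized-signature grouping in the spirit of sumo_error_digest, run over
constructed messages. Added example, not the project's code; payload shape and
scrub patterns are assumptions."""
import json
import re

# Order matters: whole timestamps and UUIDs are replaced before the generic
# hex and number patterns can chew them into fragments.
_SCRUB = [
    (re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?"), "<ts>"),
    (re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I), "<uuid>"),
    (re.compile(r"\b(?:0x)?[0-9a-f]{8,}\b", re.I), "<hex>"),
    (re.compile(r"\d+"), "<n>"),
]


def signature(message: str) -> str:
    out = message
    for pattern, token in _SCRUB:
        out = pattern.sub(token, out)
    return " ".join(out.split())


def digest(messages, levels=("ERROR", "WARNING"), top_n=10):
    """messages: dicts with _messagetime (epoch ms), _sourcecategory and _raw.
    Returns the top-N (sourcecategory, signature) groups by count."""
    groups = {}
    for msg in messages:
        try:
            log = json.loads(msg["_raw"]).get("log", {})
        except (ValueError, AttributeError):
            continue  # not JSON: carries no log.levelname, so the level filter drops it
        if log.get("levelname") not in levels:  # level from _raw, never _loglevel
            continue
        key = (msg["_sourcecategory"], signature(log.get("message", "")))
        g = groups.setdefault(key, {"count": 0, "first": msg["_messagetime"],
                                    "last": msg["_messagetime"],
                                    "sample_request_id": log.get("request_id")})
        g["count"] += 1
        g["first"] = min(g["first"], msg["_messagetime"])
        g["last"] = max(g["last"], msg["_messagetime"])
    ranked = sorted(groups.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [{"_sourcecategory": cat, "signature": sig, **info} for (cat, sig), info in ranked[:top_n]]


# Constructed sample input.
def _raw(level, message, request_id):
    return json.dumps({"log": {"levelname": level, "message": message, "request_id": request_id}})


T0 = 1_783_016_880_000
SAMPLE = [
    {"_messagetime": T0, "_sourcecategory": "prod/api",
     "_raw": _raw("ERROR", "db timeout after 3021ms on conn 0xdeadbeef", "3f2a8c1e-9b7d-4c6a-8e1f-0a1b2c3d4e5f")},
    {"_messagetime": T0 + 1_000, "_sourcecategory": "prod/api",
     "_raw": _raw("INFO", "GET /health 200 in 4ms", "c0ffee00-0000-4000-8000-000000000001")},
    {"_messagetime": T0 + 2_000, "_sourcecategory": "prod/api",
     "_raw": _raw("ERROR", "db timeout after 4875ms on conn 0x0badf00d", "c0ffee00-0000-4000-8000-000000000002")},
    {"_messagetime": T0 + 3_000, "_sourcecategory": "prod/api",
     "_raw": _raw("WARNING", "retrying upstream (attempt 2) at 2026-07-02T18:28:03Z", "c0ffee00-0000-4000-8000-000000000003")},
    {"_messagetime": T0 + 4_000, "_sourcecategory": "prod/api",
     "_raw": "plain text line that is not JSON"},
    {"_messagetime": T0 + 5_000, "_sourcecategory": "prod/worker",
     "_raw": _raw("ERROR", "db timeout after 99ms on conn 0x00ff00ff", "c0ffee00-0000-4000-8000-000000000004")},
    {"_messagetime": T0 + 6_000, "_sourcecategory": "prod/api",
     "_raw": _raw("ERROR", "db timeout after 12ms on conn 0xfeedface", "c0ffee00-0000-4000-8000-000000000005")},
]
```

Running `digest(SAMPLE)` collapses the four "db timeout" lines into two groups (one per _sourcecategory) and keeps the first request_id seen in each, which is the handle you then pass back to sumo_run_search to trace one request.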

sumo_new_since

Stateless receipt-time monitor for polling loops: returns messages that ARRIVED since your last call plus a new cursor. First call: omit since to get a baseline over lookback (default "15m"). Every response contains a cursor=<epoch ms> line — pass that value as since on the next call and the half-open windows [since, now−settleMargin) tile contiguously with no gaps or duplicates. byReceiptTime is FORCED true and the window ends 180s in the past (settle margin) so late-arriving logs are not skipped — results are complete but ~180s stale. Aggregate queries (| count …) are rejected — use sumo_run_search for those. Token levers: detail=summary (whole-job level counts — exact via a side-aggregate, or a labeled sample if that fails — plus a compact histogram and top message signatures; cheapest) | compact (timestamp, level, request_id, _sourcecategory, FULL message, plus method/path/status when present) | full (compact + duration_s/logger/client_ip) | raw (verbatim _raw — logs exactly as the app emitted them, including anything sensitive it logged). See the fields/dedupe/maxMessageChars params for projection, grouping, and the message-length cap.
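The cursor arithmetic described above (half-open windows [since, now−settleMargin) on receipt time, tiling with no gaps or duplicates, late arrivals picked up on the next poll) as a simulated polling loop over constructed messages. Added example, not the server's code. The `_receiptTime` field name and the baseline rule (lookback counted back from the settled edge) are assumptions.

```python
"""Stateless receipt-time polling as sumo_new_since describes: half-open
windows [since, now - settleMargin) that tile without gaps or duplicates.
Added example, not the server's code. Message records are constructed; the
baseline rule and the _receiptTime field name are assumptions."""

SETTLE_MS = 180_000     # YOKOZUNA_SETTLE_MARGIN_SECONDS default (180 s)
LOOKBACK_MS = 900_000   # default lookback ("15m")


def new_since(store, since_ms, now_ms, settle_ms=SETTLE_MS):
    """Messages whose receipt time falls in [since, now - settle), plus the next cursor."""
    end = now_ms - settle_ms
    if end <= since_ms:
        return [], since_ms  # nothing has settled past the cursor yet; reuse it
    hits = sorted((m for m in store if since_ms <= m["_receiptTime"] < end),
                  key=lambda m: m["_receiptTime"])
    return hits, end


def baseline(store, now_ms, lookback_ms=LOOKBACK_MS, settle_ms=SETTLE_MS):
    """First call with no since: cover `lookback` ending at the settled edge."""
    return new_since(store, now_ms - settle_ms - lookback_ms, now_ms, settle_ms)


# Constructed data. Offsets are seconds relative to an arbitrary NOW.
NOW = 1_783_016_880_000


def at(seconds):
    return NOW + seconds * 1000


STORE = [
    {"id": "A", "_messagetime": at(-601), "_receiptTime": at(-600)},
    {"id": "B", "_messagetime": at(-201), "_receiptTime": at(-200)},
    {"id": "C", "_messagetime": at(-101), "_receiptTime": at(-100)},  # inside the settle margin at NOW: held back
]
# An old event that only reaches Sumo 30 s after NOW. A message-time poll would
# have skipped it; a receipt-time poll catches it in the window it arrived in.
LATE = {"id": "D", "_messagetime": at(-900), "_receiptTime": at(30)}


def simulate():
    """Three polls; returns [(ids, cursor), ...]."""
    polls = []
    hits, cursor = baseline(STORE, NOW)
    polls.append(([m["id"] for m in hits], cursor))
    store = STORE + [LATE]
    hits, cursor = new_since(store, cursor, at(240))
    polls.append(([m["id"] for m in hits], cursor))
    hits, cursor = new_since(store, cursor, at(250))
    polls.append(([m["id"] for m in hits], cursor))
    return polls


def no_duplicates(polls):
    ids = [i for ids, _ in polls for i in ids]
    return len(ids) == len(set(ids))
```

The second poll's window starts exactly where the first one ended (NOW − 180 s), so C, which was still inside the settle margin on the first call, is delivered once and only once; the price is that every poll is about 180 s behind wall-clock time.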

sumo_trend

Shows WHEN things happened: buckets matching messages with | timeslice, counts per bucket split into series (default: log level via log.levelname), and renders one compact sparkline + per-bucket counts per series. Use it to spot spikes and onsets before reading messages. The query must be a plain scope — no | aggregation operators (timeslice/count are appended; one search job, auto-deleted). Time range: exactly ONE of last (relative, e.g. "15m", "2h"; units s/m/h/d) OR both from and to (ISO-8601 like 2026-07-02T18:28:00, or epoch milliseconds).
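How sumo_facets and sumo_trend can append their aggregation to a plain scope, and how the "no aggregation operators" check that sumo_trend and sumo_new_since describe can be applied before a query is sent. Added example, not the project's code. The operator list used to detect aggregation and the dimension-name validation are assumptions; the json/count/timeslice fragments follow the syntax the descriptions on this page use.

```python
"""Query building for sumo_facets and sumo_trend plus the plain-scope check
that sumo_trend and sumo_new_since describe. Added example, not the project's
code; the operator list and the dimension-name rules are assumptions."""
import re

# Operators that turn a plain scope into an aggregate query (assumed list of
# common ones, not exhaustive).
_AGGREGATE = re.compile(
    r"\|\s*(count|count_distinct|count_frequent|sum|avg|min|max|pct|stddev|"
    r"first|last|most_recent|least_recent|timeslice|transpose|top)\b", re.I)
_NATIVE_FIELD = re.compile(r"^_[a-z]+$")              # _sourcecategory, _sourcehost, ...
_JSON_FIELD = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")  # levelname, status, path, ...


def is_aggregate(query: str) -> bool:
    return bool(_AGGREGATE.search(query))


def _plain_scope(scope: str) -> str:
    if is_aggregate(scope):
        raise ValueError("query must be a plain scope with no aggregation operators")
    return scope.strip()


def dimension_clause(dimension: str):
    """(parse clause, field name). Names are validated so a tool argument
    supplied by the model cannot smuggle '| ...' operators into the query."""
    if _NATIVE_FIELD.match(dimension):
        return "", dimension
    if _JSON_FIELD.match(dimension):
        return f' | json field=_raw "log.{dimension}" as {dimension} nodrop', dimension
    raise ValueError(f"unsafe dimension name {dimension!r}")


def facet_query(scope: str, dimension: str, limit: int = 10) -> str:
    parse, field = dimension_clause(dimension)
    return f"{_plain_scope(scope)}{parse} | count by {field} | sort by _count desc | limit {int(limit)}"


def trend_query(scope: str, bucket: str = "5m", series: str = "levelname") -> str:
    if not re.fullmatch(r"\d+[smhd]", bucket):
        raise ValueError(f"bad timeslice bucket {bucket!r}")
    parse, field = dimension_clause(series)
    return (f"{_plain_scope(scope)}{parse} | timeslice {bucket}"
            f" | count by _timeslice, {field} | sort by _timeslice asc")
```

Both builders validate the dimension name rather than quoting it: a name is either a native `_field` or a bare identifier, and anything else is rejected, which is the cheap way to stop an LLM-supplied argument from turning a facet request into an arbitrary query.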

sumo_list_monitors

Discovers the org's native Sumo Logic Monitors (the 24/7 prod alerting): name, folder path, type, enabled/disabled, current status, trigger types, and notification destinations. Read-only management-API call — no search jobs involved. Requires an access key with the "View Monitors" capability (without it Sumo returns HTTP 403). Optional query filters by monitor name/content.

Prompts

Interactive templates invoked by user choice

triage: Guided Sumo Logic log-triage workflow (shape first, then messages, then a request trace) with the full query cookbook.

Resources

Contextual data attached and managed by the client

No resources.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/mbe24/yokozuna-mcp'