Skip to main content
Glama

Run a Sumo Logic search (create → wait → fetch → delete)

sumo_run_search
Read-only

Run a Sumo Logic search query, retrieve log results, and clean up the job automatically. Supports time ranges, filtering, and detail levels.

Instructions

Workhorse: creates a Sumo Logic search job, waits for completion, returns the first N results, and deletes the job. Time range: exactly ONE of last (relative, e.g. "15m", "2h"; units s/m/h/d) OR both from and to (ISO-8601 like 2026-07-02T18:28:00, or epoch milliseconds). Token levers: detail=summary (whole-job level counts — exact via a side-aggregate, or a labeled sample if that fails — plus a compact histogram and top message signatures; cheapest) | compact (timestamp, level, request_id, _sourcecategory, FULL message, plus method/path/status when present) | full (compact + duration_s/logger/client_ip) | raw (verbatim _raw — logs exactly as the app emitted them, including anything sensitive it logged). See the fields/dedupe/maxMessageChars params for projection, grouping, and the message-length cap. Inline limit max 5000 — use sumo_export_results for bulk (up to 100k to a file).

Scoping in one line: filter WHERE with _sourcecategory=, filter SEVERITY by parsing the JSON payload (| json field=_raw "log.levelname" as levelname nodrop | where levelname in ("ERROR","WARNING") — never _loglevel or stream:"stderr"), and TRACE one request by searching its quoted request_id with no other filters. Hostname keywords match only request logs — hunt errors by _sourcecategory. Full cookbook + workflow: the "triage" MCP prompt.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
toNoEnd time: ISO-8601 or epoch ms. Requires `from`.
fromNoStart time: ISO-8601 or epoch ms. Requires `to`.
lastNoRelative window ending now, e.g. "15m", "2h", "1d". Mutually exclusive with from/to.
sortNoOrder of returned messages by _messagetime (default "asc" = oldest→newest, best for tracing). Client-side: orders only the RETURNED result set — raise limit or narrow the query for full ordering. Not applicable to aggregate records.
limitNoMax inline results (default 100, hard max 5000).
queryYesSumo Logic query text.
dedupeNoGroup repeated messages globally by (level, signature) — timestamps/UUIDs/hex/numbers are normalized away — and render "first_ts..last_ts LEVEL ×N message".
detailNoOutput verbosity (default compact).
fieldsNoExplicit field projection from the flattened namespace (level/request_id always kept).
formatNoOutput mode (default text).
extractNoOptional per-field JSON extraction: alias → path under _raw, e.g. {"status":"log.status","user":"log.context.user"}. Appends one `| json field=_raw "<path>" as <alias> nodrop` clause per entry (chained; never the broken comma multi-extract form). Aliases must be simple identifiers; non-aggregate queries only. Extracted aliases join the flattened field namespace (combine with `fields` or ndjson/export lines).
keepJobNoKeep the job alive after returning (server keeps it polled; use the primitives to page more). Idle kept jobs are auto-deleted after ~10 minutes (YOKOZUNA_KEEPALIVE_IDLE_MINUTES); any access (status/messages/records) resets the idle timer.
timeZoneNoIANA timezone for query-time parsing (default UTC).
byReceiptTimeNoSearch by receipt time; recommended true for very recent windows (ingestion lag).
maxMessageCharsNoSafety cap for the message field (default 10000); the message is never truncated by default.
Behavior1/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The annotations declare readOnlyHint=true, but the description states the tool creates, waits for, and deletes a search job. This contradicts the read-only hint, as the tool performs write operations (creation and deletion). The description itself is transparent about the behavior, but the contradiction with the annotation forces a score of 1.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness3/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is comprehensive but verbose. It is front-loaded with the overall purpose, then goes into detailed sections for time range, token levers, and scoping. While structured, it could be more concise by moving some details to the parameter schema descriptions or a separate reference.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has 15 parameters, no output schema, and complex behavior, the description covers most aspects: time range, token levers, limits, dedupe, fields, format, extraction, keepJob, timeZone, byReceiptTime, maxMessageChars, and scoping guidance. It lacks a description of the output structure (e.g., format of returned results) but references a 'triage' prompt for further workflow.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100%, so baseline is 3. The description adds significant meaning beyond the schema: it explains time range options in detail, token levers with examples, dedupe behavior, extraction format, keepJob idle timer, and scoping best practices. This adds substantial context for parameter usage.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: it creates a Sumo Logic search job, waits for completion, returns results, and deletes the job. It uses specific verbs and distinguishes itself from sibling tools like sumo_export_results for bulk exports.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly says to use sumo_export_results for bulk (up to 100k to a file). It provides scoping guidance for filtering by _sourcecategory, severity, and request_id. However, it does not exhaustively list when not to use this tool or provide exclusions beyond the bulk note.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/mbe24/yokozuna-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server