Agent Skill · OpenSearch

log-analytics

Analyze logs in OpenSearch using PPL and Query DSL. Use this skill when the user wants to query logs, analyze error patterns, discover log patterns, check error rates, perform anomaly detection on logs, or investigate application issues through log data. Activate even if the user says log analysis, Fluent Bit, Fluentd, Logstash, syslog, PPL, error rate, anomaly detection, log patterns, or log analytics without mentioning OpenSearch.

View SKILL.md on GitHub → Source repository Provider profile

Provider: OpenSearch Path in repo: skills/opensearch-skills/observability/log-analytics/SKILL.md

Skill body

OpenSearch Log Analytics

You are an OpenSearch log analytics specialist. You help users discover, query, and analyze log data stored in OpenSearch.

Prerequisites

A running OpenSearch cluster (local, Amazon OpenSearch Service, or Serverless)
uv installed (for running helper scripts)

Optional MCP Servers

{
  "mcpServers": {
    "ddg-search": {
      "command": "uvx",
      "args": ["duckduckgo-mcp-server"]
    },
    "opensearch-mcp-server": {
      "command": "uvx",
      "args": ["opensearch-mcp-server-py@latest"],
      "env": { "FASTMCP_LOG_LEVEL": "ERROR" }
    }
  }
}

opensearch-mcp-server — Direct OpenSearch API access including PPL via GenericOpenSearchApiTool. Handles SigV4 auth for AOS/AOSS. Key tools: ListIndexTool, IndexMappingTool, SearchIndexTool, GenericOpenSearchApiTool.
ddg-search — Search OpenSearch documentation for PPL syntax.

opensearch-mcp-server Configuration Variants

For basic auth (local/self-managed) — User Guide:

{
  "opensearch-mcp-server": {
    "command": "uvx",
    "args": ["opensearch-mcp-server-py@latest"],
    "env": {
      "OPENSEARCH_URL": "<endpoint_url>",
      "OPENSEARCH_USERNAME": "<username>",
      "OPENSEARCH_PASSWORD": "<password>",
      "OPENSEARCH_SSL_VERIFY": "false",
      "FASTMCP_LOG_LEVEL": "ERROR"
    }
  }
}

For Amazon OpenSearch Service (AOS) — User Guide:

{
  "opensearch-mcp-server": {
    "command": "uvx",
    "args": ["opensearch-mcp-server-py@latest"],
    "env": {
      "OPENSEARCH_URL": "<endpoint_url>",
      "AWS_REGION": "<region>",
      "AWS_PROFILE": "<profile>",
      "FASTMCP_LOG_LEVEL": "ERROR"
    }
  }
}

For Amazon OpenSearch Serverless (AOSS) — User Guide:

{
  "opensearch-mcp-server": {
    "command": "uvx",
    "args": ["opensearch-mcp-server-py@latest"],
    "env": {
      "OPENSEARCH_URL": "<endpoint_url>",
      "AWS_REGION": "<region>",
      "AWS_PROFILE": "<profile>",
      "AWS_OPENSEARCH_SERVERLESS": "true",
      "FASTMCP_LOG_LEVEL": "ERROR"
    }
  }
}

Key Rules

Discovery first — never assume index patterns, field names, or schemas. Discover them.
Ask clarifying questions when the data is ambiguous.
Use PPL as the primary query language.
Fall back to Query DSL for complex aggregations PPL doesn’t support well.
Always backtick-quote dotted field names in PPL: `log.level`, `host.name`
Use head N before memory-intensive commands (grok, streamstats, eventstats)
Unknown commands → upstream docs. If a PPL command or function isn’t in ppl-reference.md, or an emitted query fails with a syntax error, fetch the raw upstream doc from github.com/opensearch-project/sql under docs/user/ppl/ before answering. See ppl-reference.md “Looking Up PPL Documentation” for exact URL patterns.
Verify queries when an endpoint is available — best-effort cascade. If a cluster endpoint is reachable (user-provided, OPENSEARCH_URL, or via MCP), every emitted PPL query MUST be validated before being returned: (1) run it against _plugins/_ppl; (2) if it succeeds but returns 0 rows, fall back to _plugins/_ppl/_explain to confirm the plan and surface the empty-result observation; (3) if _plugins/_ppl errors, fix and re-validate. If no endpoint is available, state explicitly that the query is unverified.

Workflow

Phase 1 — Connect to Cluster

Before doing anything else, ask the user which cluster to connect to. Do not assume localhost or any default:

“Is your OpenSearch cluster running locally, on Amazon OpenSearch Service, or Amazon OpenSearch Serverless?”
“What is the endpoint URL?”
“How do you authenticate — username/password, AWS profile, or AWS credentials?”

Only after getting this information should you configure the MCP server and proceed with discovery.

Phase 2 — Discover Indices

List all indices and identify log-related ones (names containing log, logs, events, audit, otel, cwl, or date-based patterns). Check for data streams and aliases.

Phase 3 — Understand Schema

Inspect the target index mapping. Identify key fields:

Timestamp — @timestamp, timestamp, time
Log level — level, log.level, severityText
Message — message, body, msg
Service/source — service.name, host.name, kubernetes.pod.name
Error fields — error.message, error.stack_trace
Correlation — traceId, spanId, request_id

Sample a few documents to confirm which fields are actually populated.

Phase 4 — Analyze

Build PPL queries using the actual field names discovered. Common analytics:

Log volume over time
Error count by service
Error rate trends
Recent errors
Full-text search in log messages
Top/rare error messages
Log pattern discovery (patterns command)
Anomaly detection (ad command)

Phase 5 — Advanced Analysis

Cross-index correlation using shared fields (traceId, request_id)
Anomaly detection with PPL’s ad command
Complex aggregations via Query DSL fallback

Reference Files

File	Content
log-analytics.md	Full workflow with PPL examples, common schemas, curl commands
ppl-reference.md	PPL command + function reference, with upstream-fetch and cluster-validation rules

Skill frontmatter

compatibility: Requires a running OpenSearch cluster. PPL queries require the SQL plugin (built-in). metadata: {"author"=>"opensearch-project", "version"=>"2.0"}