{ "id": "wgsH6QV6gd7PLS7y", "meta": { "templateCredsSetupCompleted": true }, "name": "AI Observability Toolkit for OpenObserve MCP Server (Logs + Traces)", "tags": [], "nodes": [ { "id": "5df2f32a-be75-440c-9cc4-514c35769539", "name": "Stream Schema Inspection", "type": "n8n-nodes-base.httpRequestTool", "position": [ 112, 240 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"DESCRIBE default\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Inspection Allows the AI to see what fields are available before it writes a query." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "15456d69-be4c-4f93-8dfe-348ed0f21f12", "name": "Unique Error Fingerprinting", "type": "n8n-nodes-base.httpRequestTool", "position": [ -336, 32 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT message, count(*) as occurrences FROM default WHERE level='error' GROUP BY message ORDER BY occurrences DESC LIMIT 10\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Groups similar log messages to find the unique root causes rather than thousands of identical logs." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "e1f063d4-0f0c-46c9-9209-d51088c6370e", "name": "Volume Trend Analysis", "type": "n8n-nodes-base.httpRequestTool", "position": [ -192, 128 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT histogram(_timestamp, '1 minute') as time, count(*) as volume FROM default GROUP BY time ORDER BY time DESC\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Detects sudden spikes in log volume which might indicate a DDoS or a recursive bug." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "6ab3b509-51ea-4c00-94d6-e800561ef3e9", "name": "Log Pattern Discovery", "type": "n8n-nodes-base.httpRequestTool", "position": [ -48, 208 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT substring(message, 1, 20) as pattern, count(*) FROM default GROUP BY pattern ORDER BY pattern DESC\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Summarizes logs by common prefixes to help the AI understand what normal traffic looks like." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "4e3a141b-a4bc-4f63-bcba-c4eaa8b1fb03", "name": "P99 Latency Analysis", "type": "n8n-nodes-base.httpRequestTool", "position": [ 336, 240 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search?type=traces", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT approx_percentile_cont(duration, 0.99) as p99, operation_name FROM default GROUP BY operation_name\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }}\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Identifies the slowest 1% of requests to find outliers." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "52a2c321-f555-4887-a8a7-44cc7065c5ba", "name": "Cold-Start Identification", "type": "n8n-nodes-base.httpRequestTool", "position": [ 512, 192 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search?type=traces", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT trace_id, duration FROM default WHERE operation_name='init' AND duration > 500\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }}\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Finds traces where the initial span duration is significantly higher than subsequent spans." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "5bff2ba1-8dd3-419f-ad90-ddab8f4663c2", "name": "Dependency Hotspots", "type": "n8n-nodes-base.httpRequestTool", "position": [ 688, 112 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search?type=traces", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT service_name, avg(duration) as avg_time FROM default GROUP BY service_name ORDER BY avg_time DESC\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }}\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Aggregates trace data to show which external service (e.g., Database vs. Auth) is causing the most delay." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "c8c7ec6a-f4ad-4a23-b6c1-d7fbc8cb1b81", "name": "SQL logs query", "type": "n8n-nodes-base.httpRequestTool", "position": [ -480, -96 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"{{ $fromAI('sql', 'The full SQL query. Example: SELECT * FROM default WHERE level=\\'error\\' LIMIT 10', 'string') }}\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Executes SQL queries against OpenObserve to retrieve logs. Use this for root cause analysis, performance monitoring, and security auditing." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "7a976d02-a813-49fd-bbd8-68091d0c0670", "name": "Span Error Mapping", "type": "n8n-nodes-base.httpRequestTool", "position": [ 848, 16 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search?type=traces", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT span_id, operation_name FROM default WHERE status_code >= 400 AND trace_id='{{ $fromAI('trace_id', ``, 'string') }}'\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }}\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Finds which specific span in a trace failed, helping the AI pin-point exactly where a microservice call died." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "ee95e1d4-4c98-4e83-a813-31ef9a8078b8", "name": "SQL traces query", "type": "n8n-nodes-base.httpRequestTool", "position": [ 992, -96 ], "parameters": { "url": "http://host.docker.internal:5080/api/default/_search?type=traces", "method": "POST", "options": {}, "jsonBody": "={\n \"query\": {\n \"sql\": \"{{ $fromAI('sql', 'The full SQL query. Example: SELECT * FROM default WHERE level=\\'error\\' LIMIT 10', 'string') }}\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}{\n \"query\": {\n \"sql\": \"{{ $fromAI('sql', 'The full SQL query. Example: SELECT * FROM default WHERE level=\\'error\\' LIMIT 10', 'string') }}\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}", "sendBody": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth", "toolDescription": "Executes SQL queries against OpenObserve to retrieve traces. Use this for root cause analysis, performance monitoring, and security auditing." }, "credentials": { "httpBasicAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "c8f413eb-b0cc-4fff-a19e-e77a8ee9825b", "name": "OpenOberve Tool MCP Server", "type": "@n8n/n8n-nodes-langchain.mcpTrigger", "position": [ 80, -208 ], "parameters": { "path": "home" }, "typeVersion": 2, "alwaysOutputData": false }, { "id": "6cc20693-1f53-494b-ac59-de6dbf86c297", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [ -1040, -240 ], "parameters": { "width": 464, "height": 688, "content": "# OpenObserve MCP\n\n## \ud83d\udcca Logs Tools\n- **Schema** \u2192 `DESCRIBE default`\n- **Errors** \u2192 group by `message` (find root causes)\n- **Spikes** \u2192 `histogram(_timestamp, 1m)`\n- **Patterns** \u2192 `substring(message, 1, 20)`\n- **SQL Logs** \u2192 any custom log query\n\n---\n\n## \ud83d\udd0d Traces Tools\n- **P99 Latency** \u2192 slowest 1% operations\n- **Cold Start** \u2192 slow `init` spans\n- **Hotspots** \u2192 avg duration per `service_name`\n- **Span Error Mapping** \u2192 find failed span by `trace_id`\n- **SQL Traces** \u2192 any custom trace query\n\n---\n\n## \ud83c\udf10 Endpoints\n- Logs \u2192 `/api/default/_search`\n- Traces \u2192 `/api/default/_search?type=traces`" }, "typeVersion": 1 } ], "active": false, "settings": { "binaryMode": "separate", "executionOrder": "v1" }, "versionId": "c9be434b-9780-47d7-a411-89ceab6f9630", "connections": { "SQL logs query": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] }, "SQL traces query": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] }, "Span Error Mapping": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] }, "Dependency Hotspots": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] }, "P99 Latency Analysis": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] }, "Log Pattern Discovery": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] }, "Volume Trend Analysis": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] }, "Stream Schema Inspection": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] }, "Cold-Start Identification": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] }, "Unique Error Fingerprinting": { "ai_tool": [ [ { "node": "OpenOberve Tool MCP Server", "type": "ai_tool", "index": 0 } ] ] } } }