Taiwo Hassan This workflow corresponds to n8n.io template #15478 — we link there as the canonical source.
This workflow follows the HTTP Request Tool → Mcptrigger recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"id": "wgsH6QV6gd7PLS7y",
"meta": {
"templateCredsSetupCompleted": true
},
"name": "AI Observability Toolkit for OpenObserve MCP Server (Logs + Traces)",
"tags": [],
"nodes": [
{
"id": "5df2f32a-be75-440c-9cc4-514c35769539",
"name": "Stream Schema Inspection",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
112,
240
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"DESCRIBE default\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Inspection Allows the AI to see what fields are available before it writes a query."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "15456d69-be4c-4f93-8dfe-348ed0f21f12",
"name": "Unique Error Fingerprinting",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
-336,
32
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT message, count(*) as occurrences FROM default WHERE level='error' GROUP BY message ORDER BY occurrences DESC LIMIT 10\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Groups similar log messages to find the unique root causes rather than thousands of identical logs."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "e1f063d4-0f0c-46c9-9209-d51088c6370e",
"name": "Volume Trend Analysis",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
-192,
128
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT histogram(_timestamp, '1 minute') as time, count(*) as volume FROM default GROUP BY time ORDER BY time DESC\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Detects sudden spikes in log volume which might indicate a DDoS or a recursive bug."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "6ab3b509-51ea-4c00-94d6-e800561ef3e9",
"name": "Log Pattern Discovery",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
-48,
208
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT substring(message, 1, 20) as pattern, count(*) FROM default GROUP BY pattern ORDER BY pattern DESC\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Summarizes logs by common prefixes to help the AI understand what normal traffic looks like."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "4e3a141b-a4bc-4f63-bcba-c4eaa8b1fb03",
"name": "P99 Latency Analysis",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
336,
240
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search?type=traces",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT approx_percentile_cont(duration, 0.99) as p99, operation_name FROM default GROUP BY operation_name\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }}\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Identifies the slowest 1% of requests to find outliers."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "52a2c321-f555-4887-a8a7-44cc7065c5ba",
"name": "Cold-Start Identification",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
512,
192
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search?type=traces",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT trace_id, duration FROM default WHERE operation_name='init' AND duration > 500\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }}\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Finds traces where the initial span duration is significantly higher than subsequent spans."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "5bff2ba1-8dd3-419f-ad90-ddab8f4663c2",
"name": "Dependency Hotspots",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
688,
112
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search?type=traces",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT service_name, avg(duration) as avg_time FROM default GROUP BY service_name ORDER BY avg_time DESC\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }}\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Aggregates trace data to show which external service (e.g., Database vs. Auth) is causing the most delay."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "c8c7ec6a-f4ad-4a23-b6c1-d7fbc8cb1b81",
"name": "SQL logs query",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
-480,
-96
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"{{ $fromAI('sql', 'The full SQL query. Example: SELECT * FROM default WHERE level=\\'error\\' LIMIT 10', 'string') }}\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Executes SQL queries against OpenObserve to retrieve logs. Use this for root cause analysis, performance monitoring, and security auditing."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "7a976d02-a813-49fd-bbd8-68091d0c0670",
"name": "Span Error Mapping",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
848,
16
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search?type=traces",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"SELECT span_id, operation_name FROM default WHERE status_code >= 400 AND trace_id='{{ $fromAI('trace_id', ``, 'string') }}'\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }}\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Finds which specific span in a trace failed, helping the AI pin-point exactly where a microservice call died."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "ee95e1d4-4c98-4e83-a813-31ef9a8078b8",
"name": "SQL traces query",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
992,
-96
],
"parameters": {
"url": "http://host.docker.internal:5080/api/default/_search?type=traces",
"method": "POST",
"options": {},
"jsonBody": "={\n \"query\": {\n \"sql\": \"{{ $fromAI('sql', 'The full SQL query. Example: SELECT * FROM default WHERE level=\\'error\\' LIMIT 10', 'string') }}\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}{\n \"query\": {\n \"sql\": \"{{ $fromAI('sql', 'The full SQL query. Example: SELECT * FROM default WHERE level=\\'error\\' LIMIT 10', 'string') }}\",\n \"start_time\": {{ new Date($fromAI('start_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"end_time\": {{ new Date($fromAI('end_time', 'The start date and time in ISO 8601 format (e.g., 2026-05-04T10:00:00Z)', 'string')).getTime() * 1000 }},\n \"from\": 0,\n \"size\": 100\n }\n}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpBasicAuth",
"toolDescription": "Executes SQL queries against OpenObserve to retrieve traces. Use this for root cause analysis, performance monitoring, and security auditing."
},
"credentials": {
"httpBasicAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.4
},
{
"id": "c8f413eb-b0cc-4fff-a19e-e77a8ee9825b",
"name": "OpenOberve Tool MCP Server",
"type": "@n8n/n8n-nodes-langchain.mcpTrigger",
"position": [
80,
-208
],
"parameters": {
"path": "home"
},
"typeVersion": 2,
"alwaysOutputData": false
},
{
"id": "6cc20693-1f53-494b-ac59-de6dbf86c297",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
-1040,
-240
],
"parameters": {
"width": 464,
"height": 688,
"content": "# OpenObserve MCP\n\n## \ud83d\udcca Logs Tools\n- **Schema** \u2192 `DESCRIBE default`\n- **Errors** \u2192 group by `message` (find root causes)\n- **Spikes** \u2192 `histogram(_timestamp, 1m)`\n- **Patterns** \u2192 `substring(message, 1, 20)`\n- **SQL Logs** \u2192 any custom log query\n\n---\n\n## \ud83d\udd0d Traces Tools\n- **P99 Latency** \u2192 slowest 1% operations\n- **Cold Start** \u2192 slow `init` spans\n- **Hotspots** \u2192 avg duration per `service_name`\n- **Span Error Mapping** \u2192 find failed span by `trace_id`\n- **SQL Traces** \u2192 any custom trace query\n\n---\n\n## \ud83c\udf10 Endpoints\n- Logs \u2192 `/api/default/_search`\n- Traces \u2192 `/api/default/_search?type=traces`"
},
"typeVersion": 1
}
],
"active": false,
"settings": {
"binaryMode": "separate",
"executionOrder": "v1"
},
"versionId": "c9be434b-9780-47d7-a411-89ceab6f9630",
"connections": {
"SQL logs query": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
},
"SQL traces query": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
},
"Span Error Mapping": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
},
"Dependency Hotspots": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
},
"P99 Latency Analysis": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
},
"Log Pattern Discovery": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
},
"Volume Trend Analysis": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
},
"Stream Schema Inspection": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
},
"Cold-Start Identification": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
},
"Unique Error Fingerprinting": {
"ai_tool": [
[
{
"node": "OpenOberve Tool MCP Server",
"type": "ai_tool",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
httpBasicAuth
Pro
For the full experience including quality scoring and batch install features for each workflow upgrade to Pro
About this workflow
An MCP server that exposes 10 specialized AI tools for deep observability over your OpenObserve logs and traces.
Source: https://n8n.io/workflows/15478/ — original creator credit. Request a take-down →
Related workflows
Workflows that share integrations, category, or trigger type with this one. All free to copy and import.
Complete MCP server exposing 21 api.clarify.io API operations to AI agents.
Mcp Trigger, HTTP Request Tool
Complete MCP server exposing 9 NPR Listening Service API operations to AI agents.
Mcp Trigger, HTTP Request Tool
Complete MCP server exposing 14 Domains-Index API operations to AI agents.
Mcp Trigger, HTTP Request Tool
Complete MCP server exposing 9 Api2Pdf - PDF Generation, Powered by AWS Lambda API operations to AI agents.
Mcp Trigger, HTTP Request Tool
A lean MCP Server that exposes the essential Trello tools for everyday task management. Built for clean, reliable LLM automation with n8n, ChatGPT, or Gemini.
Mcp Trigger, Trello Tool, HTTP Request Tool