{ "schemaVersion": "1.0", "item": { "slug": "log-dive", "name": "log-dive", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/tkuehnl/log-dive", "canonicalUrl": "https://clawhub.ai/tkuehnl/log-dive", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/log-dive", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=log-dive", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "CHANGELOG.md", "README.md", "SECURITY.md", "SKILL.md", "TESTING.md", "scripts/log-dive-cw.sh" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-07T17:22:31.273Z", "expiresAt": "2026-05-14T17:22:31.273Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/log-dive" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/log-dive", "agentPageUrl": "https://openagent3.xyz/skills/log-dive/agent", "manifestUrl": "https://openagent3.xyz/skills/log-dive/agent.json", "briefUrl": "https://openagent3.xyz/skills/log-dive/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Log Dive — Unified Log Search 🤿", "body": "Search logs across Loki, Elasticsearch/OpenSearch, and AWS CloudWatch from a single interface. Ask in plain English; the skill translates to the right query language.\n\n⚠️ Sensitive Data Warning: Logs frequently contain PII, secrets, tokens, passwords, and other sensitive data. Never cache, store, or repeat raw log content beyond the current conversation. Treat all log output as confidential." }, { "title": "Activation", "body": "This skill activates when the user mentions:\n\n\"search logs\", \"find in logs\", \"log search\", \"check the logs\"\n\"Loki\", \"LogQL\", \"logcli\"\n\"Elasticsearch logs\", \"Kibana\", \"OpenSearch\"\n\"CloudWatch logs\", \"AWS logs\", \"log groups\"\n\"error logs\", \"find errors\", \"what happened in [service]\"\n\"tail logs\", \"follow logs\", \"live logs\"\n\"log backends\", \"which log sources\", \"log indices\", \"log labels\"\nIncident triage involving log analysis\n\"log-dive\" explicitly" }, { "title": "Permissions", "body": "permissions:\n exec: true # Required to run backend scripts\n read: true # Read script files\n write: false # Never writes files — logs may contain secrets\n network: true # Queries remote log backends" }, { "title": "Example Prompts", "body": "\"Find error logs from the checkout service in the last 30 minutes\"\n\"Search for timeout exceptions across all services\"\n\"What log backends do I have configured?\"\n\"List available log indices in Elasticsearch\"\n\"Show me the labels available in Loki\"\n\"Tail the payment-service logs\"\n\"Find all 5xx errors in CloudWatch for api-gateway\"\n\"Correlate errors between user-service and payment-service\"\n\"What happened in production between 2pm and 3pm today?\"" }, { "title": "Backend Configuration", "body": "Each backend uses environment variables. Users may have one, two, or all three configured." }, { "title": "Loki", "body": "VariableRequiredDescriptionLOKI_ADDRYesLoki server URL (e.g., http://loki.internal:3100)LOKI_TOKENNoBearer token for authenticationLOKI_TENANT_IDNoMulti-tenant header (X-Scope-OrgID)" }, { "title": "Elasticsearch / OpenSearch", "body": "VariableRequiredDescriptionELASTICSEARCH_URLYesBase URL (e.g., https://es.internal:9200)ELASTICSEARCH_TOKENNoBasic or Bearer for auth" }, { "title": "AWS CloudWatch Logs", "body": "VariableRequiredDescriptionAWS_PROFILE or AWS_ACCESS_KEY_IDYesStandard AWS credentialsAWS_REGIONYesAWS region for CloudWatch" }, { "title": "Agent Workflow", "body": "Follow this sequence:" }, { "title": "Step 1: Check Backends", "body": "Run the backends check to see what's configured:\n\nbash /scripts/log-dive.sh backends\n\nParse the JSON output. If no backends are configured, tell the user which environment variables to set." }, { "title": "Step 2: Translate the User's Query", "body": "This is the critical step. Convert the user's natural language request into the appropriate backend-specific query. Use the query language reference below.\n\nFor ALL backends, pass the query through the dispatcher:\n\n# Search across all configured backends\nbash /scripts/log-dive.sh search --query '' [OPTIONS]\n\n# Search a specific backend\nbash /scripts/log-dive.sh search --backend loki --query '{app=\"checkout\"} |= \"error\"' --since 30m --limit 200\n\nbash /scripts/log-dive.sh search --backend elasticsearch --query '{\"query\":{\"bool\":{\"must\":[{\"match\":{\"message\":\"error\"}},{\"match\":{\"service\":\"checkout\"}}]}}}' --index 'app-logs-*' --since 30m --limit 200\n\nbash /scripts/log-dive.sh search --backend cloudwatch --query '\"ERROR\" \"checkout\"' --log-group '/ecs/checkout-service' --since 30m --limit 200" }, { "title": "Step 3: List Available Targets", "body": "Before searching, you may need to discover what's available:\n\n# Loki: list labels and label values\nbash /scripts/log-dive.sh labels --backend loki\nbash /scripts/log-dive.sh labels --backend loki --label app\n\n# Elasticsearch: list indices\nbash /scripts/log-dive.sh indices --backend elasticsearch\n\n# CloudWatch: list log groups\nbash /scripts/log-dive.sh indices --backend cloudwatch" }, { "title": "Step 4: Tail Logs (Live Follow)", "body": "bash /scripts/log-dive.sh tail --backend loki --query '{app=\"checkout\"}'\nbash /scripts/log-dive.sh tail --backend cloudwatch --log-group '/ecs/checkout-service'\n\nTail runs for a limited time (default 30s) and streams results." }, { "title": "Step 5: Analyze Results", "body": "After receiving log output, you MUST:\n\nIdentify unique error types — group similar errors, count occurrences\nFind the root cause — look for the earliest error, trace dependency chains\nCorrelate across services — if errors in service A mention service B, note the dependency\nBuild a timeline — order events chronologically\nSummarize actionably — \"The checkout service started returning 500s at 14:23 because the database connection pool was exhausted (max 10 connections, 10 in use). The pool exhaustion was triggered by a slow query in the inventory service.\"\n\nNEVER dump raw log output to the user. Always summarize, extract patterns, and present structured findings." }, { "title": "Discord v2 Delivery Mode (OpenClaw v2026.2.14+)", "body": "When the conversation is happening in a Discord channel:\n\nSend a compact incident summary first (backend, query intent, top error types, root-cause hypothesis), then ask if the user wants full detail.\nKeep the first response under ~1200 characters and avoid dumping raw log lines in the first message.\nIf Discord components are available, include quick actions:\n\nShow Error Timeline\nShow Top Error Patterns\nRun Related Service Query\n\n\nIf components are not available, provide the same follow-ups as a numbered list.\nPrefer short follow-up chunks (<=15 lines per message) when sharing timelines or grouped findings." }, { "title": "LogQL (Loki)", "body": "LogQL has two parts: a stream selector and a filter pipeline.\n\nStream selectors:\n\n{app=\"myapp\"} # exact match\n{namespace=\"prod\", app=~\"api-.*\"} # regex match\n{app!=\"debug\"} # negative match\n\nFilter pipeline (chained after selector):\n\n{app=\"myapp\"} |= \"error\" # line contains \"error\"\n{app=\"myapp\"} != \"healthcheck\" # line does NOT contain\n{app=\"myapp\"} |~ \"error|warn\" # regex match on line\n{app=\"myapp\"} !~ \"DEBUG|TRACE\" # negative regex\n\nStructured metadata (parsed logs):\n\n{app=\"myapp\"} | json # parse JSON logs\n{app=\"myapp\"} | json | status >= 500 # filter by parsed field\n{app=\"myapp\"} | logfmt # parse logfmt\n{app=\"myapp\"} | regexp `(?P\\d+\\.\\d+\\.\\d+\\.\\d+)` # regex extract\n\nCommon patterns:\n\nErrors in service: {app=\"checkout\"} |= \"error\" | json | level=\"error\"\nHTTP 5xx: {app=\"api\"} | json | status >= 500\nSlow requests: {app=\"api\"} | json | duration > 5s\nStack traces: {app=\"myapp\"} |= \"Exception\" |= \"at \"" }, { "title": "Elasticsearch Query DSL", "body": "Simple match:\n\n{\"query\": {\"match\": {\"message\": \"error\"}}}\n\nBoolean query (AND/OR):\n\n{\n \"query\": {\n \"bool\": {\n \"must\": [\n {\"match\": {\"message\": \"error\"}},\n {\"match\": {\"service.name\": \"checkout\"}}\n ],\n \"must_not\": [\n {\"match\": {\"message\": \"healthcheck\"}}\n ]\n }\n },\n \"sort\": [{\"@timestamp\": \"desc\"}],\n \"size\": 200\n}\n\nTime range filter:\n\n{\n \"query\": {\n \"bool\": {\n \"must\": [{\"match\": {\"message\": \"timeout\"}}],\n \"filter\": [\n {\"range\": {\"@timestamp\": {\"gte\": \"now-30m\", \"lte\": \"now\"}}}\n ]\n }\n }\n}\n\nWildcard / regex:\n\n{\"query\": {\"regexp\": {\"message\": \"error.*timeout\"}}}\n\nCommon patterns:\n\nErrors in service: {\"query\":{\"bool\":{\"must\":[{\"match\":{\"message\":\"error\"}},{\"match\":{\"service.name\":\"checkout\"}}]}}}\nHTTP 5xx: {\"query\":{\"range\":{\"http.status_code\":{\"gte\":500}}}}\nAggregate by field: Use \"aggs\" — but prefer simple queries for agent use" }, { "title": "CloudWatch Filter Patterns", "body": "Simple text match:\n\n\"ERROR\" # contains ERROR\n\"ERROR\" \"checkout\" # contains ERROR AND checkout\n\nJSON filter patterns:\n\n{ $.level = \"error\" } # JSON field match\n{ $.statusCode >= 500 } # numeric comparison\n{ $.duration > 5000 } # duration threshold\n{ $.level = \"error\" && $.service = \"checkout\" } # compound\n\nNegation and wildcards:\n\n?\"ERROR\" ?\"timeout\" # ERROR OR timeout (any term)\n-\"healthcheck\" # does NOT contain (use with other terms)\n\nCommon patterns:\n\nErrors: \"ERROR\"\nErrors in service: { $.level = \"error\" && $.service = \"checkout\" }\nHTTP 5xx: { $.statusCode >= 500 }\nExceptions: \"Exception\" \"at \"" }, { "title": "Output Format", "body": "When presenting search results, use this structure:\n\n## Log Search Results\n\n**Backend:** Loki | **Query:** `{app=\"checkout\"} |= \"error\"`\n**Time range:** Last 30 minutes | **Results:** 47 entries\n\n### Error Summary\n\n| Error Type | Count | First Seen | Last Seen | Service |\n|-----------|-------|------------|-----------|---------|\n| NullPointerException | 23 | 14:02:31 | 14:28:45 | checkout |\n| ConnectionTimeout | 18 | 14:05:12 | 14:29:01 | checkout → db |\n| HTTP 503 | 6 | 14:06:00 | 14:27:33 | checkout → payment |\n\n### Root Cause Analysis\n\n1. **14:02:31** — First `NullPointerException` in checkout service...\n2. **14:05:12** — Database connection timeouts begin...\n\n### Recommended Actions\n\n- [ ] Check database connection pool settings\n- [ ] Review recent deployments to checkout service\n\n---\n*Powered by Anvil AI 🤿*" }, { "title": "Incident Triage", "body": "Check backends → search for errors in affected service → search upstream/downstream services → correlate → build timeline → recommend actions." }, { "title": "Performance Investigation", "body": "Search for slow requests (duration > 5s) → identify common patterns → check for database slow queries → check for external service timeouts." }, { "title": "Deployment Verification", "body": "Search for errors in the deployed service since deploy time → compare error rate with pre-deploy period → flag new error types." }, { "title": "Limitations", "body": "Read-only: This skill can only search and read logs. It cannot delete, modify, or create log entries.\nOutput size: Default limit is 200 entries. Log output is pre-filtered to reduce token consumption. For larger investigations, use multiple targeted queries rather than one broad query.\nNetwork access: Log backends must be reachable from the machine running OpenClaw.\nNo streaming aggregation: For complex aggregations (percentiles, rates), consider using your backend's native UI (Grafana, Kibana, CloudWatch Insights)." }, { "title": "Troubleshooting", "body": "ErrorCauseFix\"No backends configured\"No env vars setSet LOKI_ADDR, ELASTICSEARCH_URL, or configure AWS CLI\"logcli not found\"logcli not installedInstall from https://grafana.com/docs/loki/latest/tools/logcli/\"aws: command not found\"AWS CLI not installedInstall from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html\"curl: command not found\"curl not installedapt install curl or brew install curl\"jq: command not found\"jq not installedapt install jq or brew install jq\"connection refused\"Backend unreachableCheck URL, VPN, firewall rules\"401 Unauthorized\"Bad credentialsCheck LOKI_TOKEN, ELASTICSEARCH_TOKEN, or AWS credentials\n\nPowered by Anvil AI 🤿" } ], "body": "Log Dive — Unified Log Search 🤿\n\nSearch logs across Loki, Elasticsearch/OpenSearch, and AWS CloudWatch from a single interface. Ask in plain English; the skill translates to the right query language.\n\n⚠️ Sensitive Data Warning: Logs frequently contain PII, secrets, tokens, passwords, and other sensitive data. Never cache, store, or repeat raw log content beyond the current conversation. Treat all log output as confidential.\n\nActivation\n\nThis skill activates when the user mentions:\n\n\"search logs\", \"find in logs\", \"log search\", \"check the logs\"\n\"Loki\", \"LogQL\", \"logcli\"\n\"Elasticsearch logs\", \"Kibana\", \"OpenSearch\"\n\"CloudWatch logs\", \"AWS logs\", \"log groups\"\n\"error logs\", \"find errors\", \"what happened in [service]\"\n\"tail logs\", \"follow logs\", \"live logs\"\n\"log backends\", \"which log sources\", \"log indices\", \"log labels\"\nIncident triage involving log analysis\n\"log-dive\" explicitly\nPermissions\npermissions:\n exec: true # Required to run backend scripts\n read: true # Read script files\n write: false # Never writes files — logs may contain secrets\n network: true # Queries remote log backends\n\nExample Prompts\n\"Find error logs from the checkout service in the last 30 minutes\"\n\"Search for timeout exceptions across all services\"\n\"What log backends do I have configured?\"\n\"List available log indices in Elasticsearch\"\n\"Show me the labels available in Loki\"\n\"Tail the payment-service logs\"\n\"Find all 5xx errors in CloudWatch for api-gateway\"\n\"Correlate errors between user-service and payment-service\"\n\"What happened in production between 2pm and 3pm today?\"\nBackend Configuration\n\nEach backend uses environment variables. Users may have one, two, or all three configured.\n\nLoki\nVariable\tRequired\tDescription\nLOKI_ADDR\tYes\tLoki server URL (e.g., http://loki.internal:3100)\nLOKI_TOKEN\tNo\tBearer token for authentication\nLOKI_TENANT_ID\tNo\tMulti-tenant header (X-Scope-OrgID)\nElasticsearch / OpenSearch\nVariable\tRequired\tDescription\nELASTICSEARCH_URL\tYes\tBase URL (e.g., https://es.internal:9200)\nELASTICSEARCH_TOKEN\tNo\tBasic or Bearer for auth\nAWS CloudWatch Logs\nVariable\tRequired\tDescription\nAWS_PROFILE or AWS_ACCESS_KEY_ID\tYes\tStandard AWS credentials\nAWS_REGION\tYes\tAWS region for CloudWatch\nAgent Workflow\n\nFollow this sequence:\n\nStep 1: Check Backends\n\nRun the backends check to see what's configured:\n\nbash /scripts/log-dive.sh backends\n\n\nParse the JSON output. If no backends are configured, tell the user which environment variables to set.\n\nStep 2: Translate the User's Query\n\nThis is the critical step. Convert the user's natural language request into the appropriate backend-specific query. Use the query language reference below.\n\nFor ALL backends, pass the query through the dispatcher:\n\n# Search across all configured backends\nbash /scripts/log-dive.sh search --query '' [OPTIONS]\n\n# Search a specific backend\nbash /scripts/log-dive.sh search --backend loki --query '{app=\"checkout\"} |= \"error\"' --since 30m --limit 200\n\nbash /scripts/log-dive.sh search --backend elasticsearch --query '{\"query\":{\"bool\":{\"must\":[{\"match\":{\"message\":\"error\"}},{\"match\":{\"service\":\"checkout\"}}]}}}' --index 'app-logs-*' --since 30m --limit 200\n\nbash /scripts/log-dive.sh search --backend cloudwatch --query '\"ERROR\" \"checkout\"' --log-group '/ecs/checkout-service' --since 30m --limit 200\n\nStep 3: List Available Targets\n\nBefore searching, you may need to discover what's available:\n\n# Loki: list labels and label values\nbash /scripts/log-dive.sh labels --backend loki\nbash /scripts/log-dive.sh labels --backend loki --label app\n\n# Elasticsearch: list indices\nbash /scripts/log-dive.sh indices --backend elasticsearch\n\n# CloudWatch: list log groups\nbash /scripts/log-dive.sh indices --backend cloudwatch\n\nStep 4: Tail Logs (Live Follow)\nbash /scripts/log-dive.sh tail --backend loki --query '{app=\"checkout\"}'\nbash /scripts/log-dive.sh tail --backend cloudwatch --log-group '/ecs/checkout-service'\n\n\nTail runs for a limited time (default 30s) and streams results.\n\nStep 5: Analyze Results\n\nAfter receiving log output, you MUST:\n\nIdentify unique error types — group similar errors, count occurrences\nFind the root cause — look for the earliest error, trace dependency chains\nCorrelate across services — if errors in service A mention service B, note the dependency\nBuild a timeline — order events chronologically\nSummarize actionably — \"The checkout service started returning 500s at 14:23 because the database connection pool was exhausted (max 10 connections, 10 in use). The pool exhaustion was triggered by a slow query in the inventory service.\"\n\nNEVER dump raw log output to the user. Always summarize, extract patterns, and present structured findings.\n\nDiscord v2 Delivery Mode (OpenClaw v2026.2.14+)\n\nWhen the conversation is happening in a Discord channel:\n\nSend a compact incident summary first (backend, query intent, top error types, root-cause hypothesis), then ask if the user wants full detail.\nKeep the first response under ~1200 characters and avoid dumping raw log lines in the first message.\nIf Discord components are available, include quick actions:\nShow Error Timeline\nShow Top Error Patterns\nRun Related Service Query\nIf components are not available, provide the same follow-ups as a numbered list.\nPrefer short follow-up chunks (<=15 lines per message) when sharing timelines or grouped findings.\nQuery Language Reference\nLogQL (Loki)\n\nLogQL has two parts: a stream selector and a filter pipeline.\n\nStream selectors:\n\n{app=\"myapp\"} # exact match\n{namespace=\"prod\", app=~\"api-.*\"} # regex match\n{app!=\"debug\"} # negative match\n\n\nFilter pipeline (chained after selector):\n\n{app=\"myapp\"} |= \"error\" # line contains \"error\"\n{app=\"myapp\"} != \"healthcheck\" # line does NOT contain\n{app=\"myapp\"} |~ \"error|warn\" # regex match on line\n{app=\"myapp\"} !~ \"DEBUG|TRACE\" # negative regex\n\n\nStructured metadata (parsed logs):\n\n{app=\"myapp\"} | json # parse JSON logs\n{app=\"myapp\"} | json | status >= 500 # filter by parsed field\n{app=\"myapp\"} | logfmt # parse logfmt\n{app=\"myapp\"} | regexp `(?P\\d+\\.\\d+\\.\\d+\\.\\d+)` # regex extract\n\n\nCommon patterns:\n\nErrors in service: {app=\"checkout\"} |= \"error\" | json | level=\"error\"\nHTTP 5xx: {app=\"api\"} | json | status >= 500\nSlow requests: {app=\"api\"} | json | duration > 5s\nStack traces: {app=\"myapp\"} |= \"Exception\" |= \"at \"\nElasticsearch Query DSL\n\nSimple match:\n\n{\"query\": {\"match\": {\"message\": \"error\"}}}\n\n\nBoolean query (AND/OR):\n\n{\n \"query\": {\n \"bool\": {\n \"must\": [\n {\"match\": {\"message\": \"error\"}},\n {\"match\": {\"service.name\": \"checkout\"}}\n ],\n \"must_not\": [\n {\"match\": {\"message\": \"healthcheck\"}}\n ]\n }\n },\n \"sort\": [{\"@timestamp\": \"desc\"}],\n \"size\": 200\n}\n\n\nTime range filter:\n\n{\n \"query\": {\n \"bool\": {\n \"must\": [{\"match\": {\"message\": \"timeout\"}}],\n \"filter\": [\n {\"range\": {\"@timestamp\": {\"gte\": \"now-30m\", \"lte\": \"now\"}}}\n ]\n }\n }\n}\n\n\nWildcard / regex:\n\n{\"query\": {\"regexp\": {\"message\": \"error.*timeout\"}}}\n\n\nCommon patterns:\n\nErrors in service: {\"query\":{\"bool\":{\"must\":[{\"match\":{\"message\":\"error\"}},{\"match\":{\"service.name\":\"checkout\"}}]}}}\nHTTP 5xx: {\"query\":{\"range\":{\"http.status_code\":{\"gte\":500}}}}\nAggregate by field: Use \"aggs\" — but prefer simple queries for agent use\nCloudWatch Filter Patterns\n\nSimple text match:\n\n\"ERROR\" # contains ERROR\n\"ERROR\" \"checkout\" # contains ERROR AND checkout\n\n\nJSON filter patterns:\n\n{ $.level = \"error\" } # JSON field match\n{ $.statusCode >= 500 } # numeric comparison\n{ $.duration > 5000 } # duration threshold\n{ $.level = \"error\" && $.service = \"checkout\" } # compound\n\n\nNegation and wildcards:\n\n?\"ERROR\" ?\"timeout\" # ERROR OR timeout (any term)\n-\"healthcheck\" # does NOT contain (use with other terms)\n\n\nCommon patterns:\n\nErrors: \"ERROR\"\nErrors in service: { $.level = \"error\" && $.service = \"checkout\" }\nHTTP 5xx: { $.statusCode >= 500 }\nExceptions: \"Exception\" \"at \"\nOutput Format\n\nWhen presenting search results, use this structure:\n\n## Log Search Results\n\n**Backend:** Loki | **Query:** `{app=\"checkout\"} |= \"error\"`\n**Time range:** Last 30 minutes | **Results:** 47 entries\n\n### Error Summary\n\n| Error Type | Count | First Seen | Last Seen | Service |\n|-----------|-------|------------|-----------|---------|\n| NullPointerException | 23 | 14:02:31 | 14:28:45 | checkout |\n| ConnectionTimeout | 18 | 14:05:12 | 14:29:01 | checkout → db |\n| HTTP 503 | 6 | 14:06:00 | 14:27:33 | checkout → payment |\n\n### Root Cause Analysis\n\n1. **14:02:31** — First `NullPointerException` in checkout service...\n2. **14:05:12** — Database connection timeouts begin...\n\n### Recommended Actions\n\n- [ ] Check database connection pool settings\n- [ ] Review recent deployments to checkout service\n\n---\n*Powered by Anvil AI 🤿*\n\nCommon Workflows\nIncident Triage\nCheck backends → search for errors in affected service → search upstream/downstream services → correlate → build timeline → recommend actions.\nPerformance Investigation\nSearch for slow requests (duration > 5s) → identify common patterns → check for database slow queries → check for external service timeouts.\nDeployment Verification\nSearch for errors in the deployed service since deploy time → compare error rate with pre-deploy period → flag new error types.\nLimitations\nRead-only: This skill can only search and read logs. It cannot delete, modify, or create log entries.\nOutput size: Default limit is 200 entries. Log output is pre-filtered to reduce token consumption. For larger investigations, use multiple targeted queries rather than one broad query.\nNetwork access: Log backends must be reachable from the machine running OpenClaw.\nNo streaming aggregation: For complex aggregations (percentiles, rates), consider using your backend's native UI (Grafana, Kibana, CloudWatch Insights).\nTroubleshooting\nError\tCause\tFix\n\"No backends configured\"\tNo env vars set\tSet LOKI_ADDR, ELASTICSEARCH_URL, or configure AWS CLI\n\"logcli not found\"\tlogcli not installed\tInstall from https://grafana.com/docs/loki/latest/tools/logcli/\n\"aws: command not found\"\tAWS CLI not installed\tInstall from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html\n\"curl: command not found\"\tcurl not installed\tapt install curl or brew install curl\n\"jq: command not found\"\tjq not installed\tapt install jq or brew install jq\n\"connection refused\"\tBackend unreachable\tCheck URL, VPN, firewall rules\n\"401 Unauthorized\"\tBad credentials\tCheck LOKI_TOKEN, ELASTICSEARCH_TOKEN, or AWS credentials\n\nPowered by Anvil AI 🤿" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/tkuehnl/log-dive", "publisherUrl": "https://clawhub.ai/tkuehnl/log-dive", "owner": "tkuehnl", "version": "0.1.3", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/log-dive", "downloadUrl": "https://openagent3.xyz/downloads/log-dive", "agentUrl": "https://openagent3.xyz/skills/log-dive/agent", "manifestUrl": "https://openagent3.xyz/skills/log-dive/agent.json", "briefUrl": "https://openagent3.xyz/skills/log-dive/agent.md" } }