Use provider elasticsearch to query Elasticsearch logs.
For all tools, scope is your Elasticsearch base URL.
Example:
scope: "http://localhost:9200"
Choose one:

- ELASTICSEARCH_API_KEY
- ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD

If the API key is set, it is used first.
Current terminal only:

export ELASTICSEARCH_API_KEY="your-api-key"

Or:

export ELASTICSEARCH_USERNAME="your-username"
export ELASTICSEARCH_PASSWORD="your-password"

Persist across terminal sessions:

cat >> ~/.bashrc <<'EOF'
export ELASTICSEARCH_API_KEY="your-api-key"
EOF
source ~/.bashrc

Use the profile file for your shell (~/.zshrc, ~/.bashrc, or ~/.bash_profile).
Set ELASTICSEARCH_COMPAT_VERSION to match your server's API compatibility target.

Allowed values: 7, 8, 9

The default is 8. If you are on Elasticsearch 8.x, set this explicitly to avoid header negotiation errors.
Via .mcp.json env (recommended):

{
  "mcpServers": {
    "logs-sieve": {
      "command": "npx",
      "args": ["-y", "mcp-server-logs-sieve@latest", "--provider", "elasticsearch"],
      "env": {
        "ELASTICSEARCH_COMPAT_VERSION": "8"
      }
    }
  }
}

Or via shell:

export ELASTICSEARCH_COMPAT_VERSION=8

You can also persist it in your shell profile if you always target the same cluster version.
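To see how the settings above fit together, here is an added example (not the logs-sieve project's own code) that resolves credentials and the compatibility version from the same environment variables the way a plain curl client would. It assumes the standard Elasticsearch header formats (ApiKey/Basic authorization and the compatible-with media type); which headers logs-sieve itself sends is not stated on this page.

```shell
#!/bin/sh
# Added example, not the logs-sieve project's own code. Applies the rules above:
# ELASTICSEARCH_API_KEY takes precedence over ELASTICSEARCH_USERNAME/PASSWORD,
# and ELASTICSEARCH_COMPAT_VERSION (7, 8 or 9; default 8) becomes the
# Elasticsearch compatibility media type. Header formats assumed, see lead-in.

# Print the Authorization header to use, or nothing if no credentials are set.
es_auth_header() {
  if [ -n "${ELASTICSEARCH_API_KEY:-}" ]; then
    printf 'Authorization: ApiKey %s\n' "$ELASTICSEARCH_API_KEY"
  elif [ -n "${ELASTICSEARCH_USERNAME:-}" ] && [ -n "${ELASTICSEARCH_PASSWORD:-}" ]; then
    # HTTP Basic: base64 of "username:password", with any line wrapping removed.
    creds=$(printf '%s:%s' "$ELASTICSEARCH_USERNAME" "$ELASTICSEARCH_PASSWORD" | base64 | tr -d '\n')
    printf 'Authorization: Basic %s\n' "$creds"
  fi
}

# Validate ELASTICSEARCH_COMPAT_VERSION; print it, or fail on anything but 7/8/9.
es_compat_version() {
  v="${ELASTICSEARCH_COMPAT_VERSION:-8}"
  case "$v" in
    7|8|9) printf '%s\n' "$v" ;;
    *) printf 'invalid ELASTICSEARCH_COMPAT_VERSION: %s (expected 7, 8 or 9)\n' "$v" >&2
       return 1 ;;
  esac
}

# The media type Elasticsearch negotiates on (sent as both Accept and Content-Type).
es_compat_media_type() {
  v=$(es_compat_version) || return 1
  printf 'application/vnd.elasticsearch+json; compatible-with=%s\n' "$v"
}

# Search SCOPE/INDEX with the resolved headers, e.g.
#   es_search "http://localhost:9200" "logs-*" '{"query":{"match":{"message":"payment"}}}'
es_search() {
  scope=$1; index=$2; body=$3
  mt=$(es_compat_media_type) || return 1
  set -- -sS -X POST "$scope/$index/_search" \
    -H "Accept: $mt" -H "Content-Type: $mt" --data "$body"
  auth=$(es_auth_header)
  if [ -n "$auth" ]; then
    set -- "$@" -H "$auth"
  fi
  curl "$@"
}
```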
resource_type is treated as an index or index pattern when provided. trace_request currently requires trace_id.

query_logs(scope="http://localhost:9200", resource_type="logs-*", start_time="6h", severity="WARNING", text_filter="payment")

trace_request(scope="http://localhost:9200", trace_id="trace-abc", resource_type="logs-*", start_time="6h")