feat(tools): add VictoriaLogs datasource support

[kylemclaren]

Summary

• Adds 5 new tools for querying VictoriaLogs datasources (victoriametrics-logs-datasource type)
• query_victorialogs — Execute LogsQL queries (POST /select/logsql/query)
• list_victorialogs_field_names — List available field names
• list_victorialogs_field_values — Get values for a specific field with hit counts
• query_victorialogs_hits — Log volume over time buckets
• query_victorialogs_streams — List matching log streams with hit counts

Why

The existing Loki tools fail against VictoriaLogs datasources because VictoriaLogs uses different API endpoints (/select/logsql/* vs /loki/api/v1/*), a different query language (LogsQL vs LogQL), and returns NDJSON instead of Loki's wrapped JSON format.

Implementation notes

• Follows the Loki tool patterns for client construction, transport stack, and tool registration
• Handles VictoriaLogs' NDJSON (newline-delimited JSON) response format
• Uses POST with application/x-www-form-urlencoded for the query endpoint, GET for metadata
• Applies limits via LogsQL pipe syntax (| limit N) rather than query params
• Enabled by default; can be disabled with --disable-victorialogs
• Adds VictoriaLogs service to docker-compose and datasource provisioning for integration tests

Test plan

• make lint-jsonschema passes (no unescaped commas)
• go build ./... compiles successfully
• make test-unit passes
• make test-integration with docker-compose (requires VictoriaLogs container)
• Manual testing against a Grafana instance with VictoriaLogs datasource

🤖 Generated with Claude Code

---

Note

Medium Risk
Adds a new datasource integration with multiple HTTP query paths and NDJSON parsing, and enables the tool category by default, which could affect runtime behavior and integration test/dev environments.

Overview
Adds a new VictoriaLogs tool category with five read-only tools (query_victorialogs, field name/value discovery, hits, and streams) that query Grafana’s datasource proxy using VictoriaLogs /select/logsql/* endpoints and handle NDJSON responses.

Wires the category into server startup and CLI (victorialogs enabled by default, --disable-victorialogs added), and updates docs/tool table accordingly. Extends the local dev/integration setup by provisioning a VictoriaLogs datasource and adding a victorialogs container plus integration tests for the new tools.

^{Written by Cursor Bugbot for commit 2ac6074. This will update automatically on new commits. Configure here.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[sd2k]

Hi! thanks for the contribution.

I'm endeavouring to avoid adding new tools if possible, since this MCP server's tools already adds 14-15000 tokens. Rather than adding a whole new suite of tools for VL, I think it makes sense to merge this with query_loki and the other Loki related tools. We can do so by abstracting the 'backend' away and switching based on datasource type, and renaming the tools to query_logs etc instead.

Happy to accept a PR that makes that change, if you're up for it.

[kylemclaren]

good call @sd2k -- will look into it

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

[cursor]

Hits result Data field can be nil unlike other endpoints

Medium Severity

queryVictoriaLogsHits returns resp.Hits directly without nil-checking, so Data can be nil when the response body is empty or the JSON lacks a hits key. This causes JSON serialization to produce {"data":null} instead of {"data":[]}. Every other endpoint in this file ensures a non-nil slice — queryVictoriaLogs has an explicit nil guard, queryVictoriaLogsStreams uses make(), listVictoriaLogsFieldValues uses make(), and listVictoriaLogsFieldNames uses make().

 

[cursor]

Duplicate struct types with identical fields

Low Severity

VictoriaLogsStream and VictoriaLogsFieldValue are structurally identical types — both have Value string and Hits int64 with the same JSON tags. One type could be reused for both the streams and field values endpoints, reducing unnecessary duplication. The comment on VictoriaLogsFieldValue even says it's "Used by field_names, field_values, and streams endpoints," yet streams uses its own separate copy.

Additional Locations (1)

• tools/victorialogs.go#L283-L287

 

[elee1766]

i have my own fork where i added victorialogs support for my own needs.

it was incredibly useful to be able to expose the raw underlying victorialogs endpoint for queries. query_loki is not syntax compatible with victoria logs docs, and be able to do actual queries with matching docs was very useful.

it would at least be i think useful to expose query_victorialogs tool, even if other tools are hidden behind abstraction.