Argus Metric REST MCP Tools
These tools let the LLM retrieve live Argus metric aggregation results from the Argus metrics API.
They currently support ProcessingEventsPerFilter metrics, which describe event filter processing activity across Argus detection pipelines.
General Notes
Use these tools when you want the LLM to calculate live metric aggregations from Argus APIs.
The LLM should first use the Metric Search Translator MCP tools to shape and validate the aggregation request.
ProcessingEventsPerFilter metrics cover annotation filters, analysis filters, and match filters.
At least one `statistics.values` item is required for a meaningful aggregation.
Metric aggregation responses are source-of-truth results. The LLM should explain returned metric values only, without inventing missing buckets, customers, timestamps, units, or key translations.
Tool: executeProcessingEventsPerFilterMetricAggregation
Purpose
Execute an aggregation for ProcessingEventsPerFilter metric records. The result contains aggregated metric values for the selected filters, groupings, and time buckets.
Arguments
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `request` | ProcessingEventsPerFilter metric aggregation definition prepared and validated from the user’s request. | | None | Yes |
request Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `filter` | Filters that select which metric records are included before aggregation. | | Empty filter with default time range | No |
| `statistics` | Aggregation configuration for selected metric values, grouping, and time bucketing. Must include at least one | | Empty statistics request | Yes |
| | Whether descriptor key values should be translated for display where translation is available. | | | No |
request.filter Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Include metric records for any of the specified customers, using customer ID or short name. | | None | No |
| `timeFilter` | Time range based on when metric records were submitted to the central Argus metric service. | | | No |
| `keyFilter` | Filters for ProcessingEventsPerFilter descriptor keys, such as filter ID, filter type, host, component instance, or pipeline stage. | | None | No |
request.filter.timeFilter Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Start of the metric submission time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | | No |
| | End of the metric submission time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | | No |
request.filter.keyFilter Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Include metrics for any of the specified event filter IDs. | | None | No |
| | Include metrics for selected event filter types. Allowed values: | | None | No |
| | Include metrics from any of the specified detection pipeline host names. | | None | No |
| | Include metrics from any of the specified detection pipeline component instance IDs. | | None | No |
| | Include metrics from any of the specified detection pipeline stages. | | None | No |
request.statistics Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `timeBucket` | Time bucketing configuration based on metric submission time. Use this for requests such as per hour, per day, or one bucket for the whole range. | | | No |
| `groupBy` | Descriptor keys used to group the aggregation result. List order controls the grouping hierarchy. | | Empty list | No |
| | Whether data excluded by group-by limits should be collected into an | | | No |
| `values` | Metric values to aggregate. At least one item is required. | | Empty list | Yes |
request.statistics.timeBucket Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Bucket size as a number using | | | No |
| | Unit for | | | No |
request.statistics.groupBy[] Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Descriptor key used to group the aggregation result. Allowed values: | | None | Yes |
| | Maximum number of top buckets returned for this group-by key. Accepted range: | | | No |
request.statistics.values[] Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Metric value to aggregate. Allowed values: | | None | Yes |
| | Aggregation function to apply. Allowed values: | | | No |
| `weightByValue` | Metric value to use as the weight when | | None | Required for |
Metric Values
| Value | Meaning |
|---|---|
| | Time spent in milliseconds by filter logic while filtering events from the realtime stream. |
| | Number of events matched by the filter. |
| | Time spent in milliseconds by trigger logic on events matched by the filter. |
Response Notes
The response contains aggregated metric records.
Each item in `data` is one aggregate result, optionally grouped by customer, descriptor keys, and time bucket.
Important response fields:
`customer`: customer associated with the aggregate, if present.
`keys`: grouping key values for the aggregate. Each key can contain `name`, raw `value`, and optional `translation`.
`metricTimestamp`: timestamp for the aggregate bucket when time bucketing was requested.
`values`: aggregated metric values, with metric `name`, numeric `value`, and optional `unit`.
`metricDescriptorID`: descriptor identifier. It is not a user-facing metric value.
Usage Notes
The LLM should use `generateProcessingEventsPerFilterMetricAggregationQuery` before executing the aggregation so metric values, grouping, time bucketing, and enum values are validated.
Use `sum` for totals, `avg` for arithmetic averages, `min` and `max` for extremes, and `wavg` only when the user asks for or needs a weighted average.
When `wavg` is used, `weightByValue` must identify the metric value that supplies the weight.
For time bucketing, choose a resolution that produces at most `10000` buckets over the selected time range.
Use `translation` for display when available, but preserve raw key values when exact identifiers matter.
Do not combine or infer aggregate records that are not present in the response.
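An added example (not part of the Argus documentation or its code): one way a client could flatten the response described under Response Notes into display rows while following the usage notes above. The sample payload, its key and metric names, and the assumptions that `keys` and `values` are lists of objects and that `customer` is a plain string are constructed for illustration.

```python
# Added example, not Argus code. Field names are those listed under Response
# Notes; the payload, key names and metric names are constructed placeholders.
SAMPLE_RESPONSE = {
    "data": [
        {
            "customer": "example-customer",
            "keys": [{"name": "exampleKey", "value": "42",
                      "translation": "Example filter"}],
            "metricTimestamp": 1700000000000,
            "values": [{"name": "exampleCount", "value": 120}],
            "metricDescriptorID": "descriptor-placeholder",
        },
        {   # customer, translation and time bucket are all optional
            "keys": [{"name": "exampleKey", "value": "43"}],
            "values": [{"name": "exampleTime", "value": 3.5, "unit": "ms"}],
            "metricDescriptorID": "descriptor-placeholder",
        },
    ]
}


def flatten_aggregates(response):
    """Return one display row per metric value in each `data` item.

    Only records present in the response are emitted; a missing customer,
    timestamp or unit stays None and is never guessed.
    """
    rows = []
    for item in response.get("data") or []:
        keys = [
            {
                "name": key.get("name"),
                "raw": key.get("value"),  # exact identifier, always kept
                "display": key.get("translation") or key.get("value"),
            }
            for key in item.get("keys") or []
        ]
        for metric in item.get("values") or []:
            rows.append({
                "customer": item.get("customer"),
                "metricTimestamp": item.get("metricTimestamp"),
                "keys": keys,
                "metric": metric.get("name"),
                "value": metric.get("value"),
                "unit": metric.get("unit"),
                # metricDescriptorID is not copied: it is not a metric value
            })
    return rows
```

Handing the LLM these rows instead of the raw payload keeps raw identifiers next to their translations and leaves absent fields visibly empty.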