Argus Metric Search Translator MCP Tools
These tools help the LLM express metric aggregation intent as valid Argus metric aggregation JSON before execution.
They currently support ProcessingEventsPerFilter metrics, which describe event filter processing activity across Argus detection pipelines.
General Notes
Use these tools when you want the LLM to prepare a valid metric aggregation request from plain-language intent.
ProcessingEventsPerFilter metrics cover annotation filters, analysis filters, and match filters.
The metric time range selects metric records by when they were submitted to the central Argus metric service.
If no metric time range is requested, the default range is from `startOfDay` to `now`.
At least one `statistics.values` item is required. A request with only filters and no metric values is invalid.
If the user asks to group, split, break down, or compare metrics by a descriptor key, the LLM can use `statistics.groupBy`.
Enum values are case-sensitive and should be kept exactly as documented.
If you want live Argus aggregation results after translation, the LLM can use the corresponding Metric REST MCP tool with the same aggregation intent.
Tool: generateProcessingEventsPerFilterMetricAggregationQuery
Purpose
Generate an Argus aggregation query for ProcessingEventsPerFilter metric records. The result is metric aggregation JSON that can be used to calculate totals, averages, minimums, maximums, weighted averages, or sums of squares for selected metric values.
Arguments
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `request` | ProcessingEventsPerFilter metric aggregation definition the LLM builds from the request. | | None | Yes |
request Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `filter` | Filters that select which metric records are included before aggregation. | | Empty filter with default time range | No |
| `statistics` | Aggregation configuration for selected metric values, grouping, and time bucketing. Must include at least one | | Empty statistics request | Yes |
| | Whether descriptor key values should be translated for display where translation is available. | | | No |
request.filter Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Include metric records for any of the specified customers, using customer ID or short name. | | None | No |
| `timeFilter` | Time range based on when metric records were submitted to the central Argus metric service. | | | No |
| `keyFilter` | Filters for ProcessingEventsPerFilter descriptor keys, such as filter ID, filter type, host, component instance, or pipeline stage. | | None | No |
request.filter.timeFilter Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Start of the metric submission time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | | No |
| | End of the metric submission time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | | No |
request.filter.keyFilter Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Include metrics for any of the specified event filter IDs. | | None | No |
| | Include metrics for selected event filter types. Allowed values: | | None | No |
| | Include metrics from any of the specified detection pipeline host names. | | None | No |
| | Include metrics from any of the specified detection pipeline component instance IDs. | | None | No |
| | Include metrics from any of the specified detection pipeline stages. | | None | No |
request.statistics Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `timeBucket` | Time bucketing configuration based on metric submission time. Use this for requests such as per hour, per day, or one bucket for the whole range. | | | No |
| `groupBy` | Descriptor keys used to group the aggregation result. List order controls the grouping hierarchy. | | Empty list | No |
| | Whether data excluded by group-by limits should be collected into an | | | No |
| `values` | Metric values to aggregate. At least one item is required. | | Empty list | Yes |
request.statistics.timeBucket Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Bucket size as a number using | | | No |
| | Unit for | | | No |
request.statistics.groupBy[] Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Descriptor key used to group the aggregation result. Allowed values: | | None | Yes |
| | Maximum number of top buckets returned for this group-by key. Accepted range: | | | No |
request.statistics.values[] Fields
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Metric value to aggregate. Allowed values: | | None | Yes |
| | Aggregation function to apply. Allowed values: | | | No |
| | Metric value to use as the weight when | | None | Required for |
Metric Values
| Value | Meaning |
|---|---|
| | Time spent in milliseconds by filter logic while filtering events from the realtime stream. |
| | Number of events matched by the filter. |
| | Time spent in milliseconds by trigger logic on events matched by the filter. |
Usage Notes
Use `sum` for totals, `avg` for arithmetic averages, `min` and `max` for extremes, and `wavg` only when the user asks for or needs a weighted average.
When `wavg` is used, `weightByValue` must identify the metric value that supplies the weight.
`resolution = 0` returns one aggregate bucket for the full selected time range unless other grouping is requested.
For time bucketing, choose a resolution that produces at most `10000` buckets over the selected time range.
Group-by limits affect which records are included in the grouped aggregation, not only how many buckets are displayed.
The LLM should only include filters explicitly requested by the user. It should not infer filter IDs, host names, pipeline stages, timestamps, or enum values.
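
The rules in these usage notes can be checked before an LLM-built request is passed on for execution. The following is an added example, not Argus code: the `function` key name, the `value` key, and the sample key and enum names are hypothetical placeholders because this page does not list them, and the caller is assumed to supply the time range and bucket size already converted to milliseconds.

```python
from math import ceil

MAX_BUCKETS = 10000        # bucket ceiling from the usage notes
FUNCTION_KEY = "function"  # ASSUMPTION: hypothetical key name, not given on the page


def validate_request(request, range_ms, resolution_ms, requested_keys):
    """Return rule violations for an LLM-built aggregation request.

    range_ms / resolution_ms: selected time range and bucket size, both
    converted to milliseconds by the caller (resolution 0 = one bucket).
    requested_keys: keyFilter keys the user explicitly asked to filter on.
    """
    problems = []
    stats = request.get("statistics") or {}
    values = stats.get("values") or []
    if not values:
        problems.append("statistics.values: at least one item is required")
    for i, item in enumerate(values):
        # Enum values are case-sensitive, so compare exactly.
        if item.get(FUNCTION_KEY) == "wavg" and not item.get("weightByValue"):
            problems.append(f"statistics.values[{i}]: wavg needs weightByValue")
    if resolution_ms > 0 and ceil(range_ms / resolution_ms) > MAX_BUCKETS:
        problems.append("statistics.timeBucket: more than 10000 buckets")
    # Reject descriptor-key filters the model added without a user request.
    key_filter = (request.get("filter") or {}).get("keyFilter") or {}
    for key in sorted(key_filter):
        if key_filter[key] and key not in requested_keys:
            problems.append(f"filter.keyFilter.{key}: not requested by the user")
    return problems


# Constructed sample: "value", "VALUE_A", "VALUE_B", "keyA" and "keyB" are
# placeholders, not Argus field names or enum values.
DAY_MS = 24 * 60 * 60 * 1000
HOUR_MS = 60 * 60 * 1000
GOOD = {"filter": {"keyFilter": {"keyA": ["x"]}},
        "statistics": {"values": [{"value": "VALUE_A", FUNCTION_KEY: "wavg",
                                   "weightByValue": "VALUE_B"}]}}
BAD = {"filter": {"keyFilter": {"keyA": ["x"], "keyB": ["inferred"]}},
       "statistics": {"values": [{"value": "VALUE_A", FUNCTION_KEY: "wavg"}]}}

if __name__ == "__main__":
    print(validate_request(GOOD, DAY_MS, HOUR_MS, {"keyA"}))
    for problem in validate_request(BAD, DAY_MS, 1000, {"keyA"}):
        print(problem)
```
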