|
| 1 | +--- |
| 2 | +name: lapp-log-analysis |
| 3 | +description: "Analyze log files using LAPP (Log Auto Pattern Pipeline). Use this skill when the user wants to investigate logs, find error patterns, diagnose issues from log files, or do any kind of log analysis. Triggers on phrases like 'analyze logs', 'check these logs', 'what's wrong in this log', 'investigate log', 'find errors in logs', or when the user provides a log file and wants to understand what happened." |
| 4 | +argument-hint: "[path to log file or description of what to investigate]" |
| 5 | +--- |
| 6 | + |
| 7 | +# LAPP Log Analysis |
| 8 | + |
| 9 | +Analyze log files by discovering patterns, labeling them semantically, and building a structured workspace that coding agents can explore. |
| 10 | + |
| 11 | +## Prerequisites |
| 12 | + |
| 13 | +- `lapp` binary must be available in PATH (or built via `make build` in the lapp repo, output at `output/lapp`) |
| 14 | +- `OPENROUTER_API_KEY` environment variable must be set (for LLM-based semantic labeling and analysis) |
| 15 | + |
| 16 | +## Workflow |
| 17 | + |
| 18 | +### Step 1: Create a workspace (required) |
| 19 | + |
| 20 | +Pick a short, descriptive topic name for the investigation. Topic names are automatically sanitized to lower-kebab-case. |
| 21 | + |
| 22 | +```bash |
| 23 | +lapp workspace create <topic> |
| 24 | +``` |
| 25 | + |
| 26 | +Example: `lapp workspace create k8s-pod-crash` |
| 27 | + |
| 28 | +This creates the directory structure at `~/.lapp/workspaces/<topic>/`. |
| 29 | + |
| 30 | +### Step 2: Ingest log files (required) |
| 31 | + |
| 32 | +Feed one or more log files into the workspace. Each `add-log` triggers a full rebuild: reads ALL files in `logs/`, runs Drain clustering + LLM semantic labeling, and regenerates the `patterns/` and `notes/` directories. |
| 33 | + |
| 34 | +From a file: |
| 35 | +```bash |
| 36 | +lapp workspace add-log --topic <topic> <logfile> |
| 37 | +``` |
| 38 | + |
| 39 | +From stdin (useful for piping from kubectl, docker, journalctl, etc.): |
| 40 | +```bash |
| 41 | +kubectl logs my-pod | lapp workspace add-log --topic <topic> --stdin |
| 42 | +``` |
| 43 | + |
| 44 | +You can call `add-log` multiple times to add more log files. Each call rebuilds the entire workspace from all ingested logs. |
| 45 | + |
| 46 | +To override the default LLM model: |
| 47 | +```bash |
| 48 | +lapp workspace add-log --topic <topic> <logfile> --model <model> |
| 49 | +``` |
| 50 | + |
| 51 | +### Step 3: Explore and analyze |
| 52 | + |
| 53 | +After ingestion, the workspace at `~/.lapp/workspaces/<topic>/` contains a structured breakdown of the logs. There are two ways to analyze: |
| 54 | + |
| 55 | +#### Option A: Let LAPP's built-in AI agent analyze |
| 56 | + |
| 57 | +```bash |
| 58 | +lapp workspace analyze --topic <topic> "your question here" |
| 59 | +``` |
| 60 | + |
| 61 | +The agent has filesystem tools (grep, read_file, execute) and will investigate the workspace to answer your question. |
| 62 | + |
| 63 | +#### Option B: Explore the workspace directly |
| 64 | + |
| 65 | +List all workspaces to find the directory: |
| 66 | +```bash |
| 67 | +lapp workspace list |
| 68 | +``` |
| 69 | + |
| 70 | +Then explore the workspace directory structure yourself: |
| 71 | + |
| 72 | +``` |
| 73 | +~/.lapp/workspaces/<topic>/ |
| 74 | +├── logs/ # Raw log files (as ingested) |
| 75 | +├── patterns/ # One directory per discovered pattern |
| 76 | +│ ├── <semantic-id>/ # e.g. "connection-timeout" |
| 77 | +│ │ ├── pattern.md # Template, count, description, first/last seen |
| 78 | +│ │ └── samples.log # Up to 20 representative log lines |
| 79 | +│ └── unmatched/ |
| 80 | +│ └── samples.log # Lines that didn't match any pattern |
| 81 | +├── notes/ |
| 82 | +│ ├── summary.md # Overview: file count, patterns, samples |
| 83 | +│ └── errors.md # Error patterns and error lines |
| 84 | +└── AGENTS.md # Context guide for AI agents |
| 85 | +``` |
| 86 | + |
| 87 | +Start with `notes/summary.md` for an overview, then drill into specific `patterns/<id>/` directories for details. The `errors.md` file is especially useful for quickly finding error-related patterns. |
| 88 | + |
| 89 | +This approach is ideal for coding agents (Claude Code, Codex, etc.) that can freely navigate the filesystem and form their own investigation strategy. |
| 90 | + |
| 91 | +## Tips |
| 92 | + |
| 93 | +- **Topic naming**: Use descriptive names like `api-gateway-5xx`, `auth-service-oom`, `deploy-2024-03-15`. They become directory names. |
| 94 | +- **Multiple log sources**: You can ingest logs from different sources into the same workspace. The pipeline processes all files in `logs/` together, finding cross-file patterns. |
| 95 | +- **Iterative investigation**: Add more logs and re-analyze as you narrow down the issue. The workspace rebuilds cleanly each time. |
| 96 | +- **Pattern counts**: Patterns with high counts are "normal" behavior. Focus on patterns in `errors.md` or low-count patterns that might indicate anomalies. |
0 commit comments