Cluster log lines by template using the Drain algorithm and surface the top templates by volume change between two windows.
Clusters semi-structured log lines into templates using the Drain algorithm, then compares template volumes between a baseline window and a recent window to surface anomalies. The output is a top-N table of templates whose volumes shifted the most.
Inputs:
- log_path: a single log file or directory of files. Lines may be plain text, JSON, or syslog.
- baseline_window: ISO interval, e.g., 2026-04-01T00:00:00/PT24H.
- recent_window: another ISO interval (must not overlap).
- top_n: defaults to 20.

Steps:
- Extract timestamps. JSON: timestamp field (@timestamp, time, ts); plain: regex match common formats (2006-01-02 15:04:05, ISO 8601).
- Feed the message field (or the full line minus timestamp) into Drain3 (from drain3 import TemplateMiner).
- For each template, delta = (recent_count / recent_total) - (baseline_count / baseline_total).
- Sort by |delta| descending; take top_n.

Output: a table with columns template (with <*> placeholders), baseline count, recent count, delta percentage, sample line. Writes log-anomalies.md with the top_n table, plus three "spotlight" subsections for the largest deltas (newly seen, biggest spike, biggest drop). Stdout prints the total template count and Drain's leaf-node count.
Pick three top entries and grep the log for the literal sample line; confirm the count is plausibly within 5% of Drain's reported count. Re-run the clusterer with Drain3 similarity threshold 0.4 and 0.6; the top entries should remain the same but ordering may shuffle — large reorderings indicate threshold sensitivity. If both windows have under 1000 lines total, prepend a "low corpus" warning to the report.
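As an added illustration (not the skill's own code), the clustering, windowing and delta ranking described above in plain Python: drain3's TemplateMiner is stood in for by a simplified Drain (token-count buckets and one similarity pass, no prefix tree), the windows are passed as (start, end) datetimes instead of ISO intervals, and the log lines and the 0.5 similarity threshold are constructed for the demo.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")  # plain '2006-01-02 15:04:05' prefix

class MiniDrain:
    """Stand-in for drain3: bucket by token count; merge into the first cluster matching >= threshold of tokens."""
    def __init__(self, threshold=0.5):  # assumed value for this illustration, not Drain3's default
        self.threshold, self.clusters, self.by_len = threshold, {}, defaultdict(list)
    def add(self, message):
        toks = message.split() or ["<empty>"]
        for cid in self.by_len[len(toks)]:
            tpl = self.clusters[cid]
            if sum(a == b for a, b in zip(tpl, toks)) / len(toks) >= self.threshold:
                self.clusters[cid] = [a if a == b else "<*>" for a, b in zip(tpl, toks)]  # wildcard mismatches
                return cid
        cid = len(self.clusters)
        self.clusters[cid] = toks
        self.by_len[len(toks)].append(cid)
        return cid

def rank_templates(lines, baseline, recent, top_n=20, threshold=0.5):
    """Top-n templates by |delta|; delta = recent share - baseline share, shares relative to each window's total."""
    miner, counts, sample = MiniDrain(threshold), {"b": Counter(), "r": Counter()}, {}
    for m in filter(None, map(TS_RE.match, lines)):  # lines with no parseable timestamp cannot be windowed
        ts, cid = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), miner.add(m.group(2))
        sample.setdefault(cid, m.group(0))
        for key, (start, end) in (("b", baseline), ("r", recent)):
            if start <= ts < end:
                counts[key][cid] += 1
    tot = {k: sum(c.values()) for k, c in counts.items()}
    share = lambda k, c: counts[k][c] / tot[k] if tot[k] else 0.0  # an empty window contributes share 0
    rows = [{"template": " ".join(t), "baseline": counts["b"][c], "recent": counts["r"][c],
             "delta_pct": round(100 * (share("r", c) - share("b", c)), 1), "sample": sample[c]}
            for c, t in miner.clusters.items()]
    return sorted(rows, key=lambda r: -abs(r["delta_pct"]))[:top_n]

def spotlight(rows):
    """The report's three subsections: newly seen (absent from baseline), biggest spike, biggest drop."""
    new = [r for r in rows if r["baseline"] == 0 and r["recent"] > 0]
    return {"newly_seen": max(new, key=lambda r: r["delta_pct"], default=None),
            "biggest_spike": max(rows, key=lambda r: r["delta_pct"]),
            "biggest_drop": min(rows, key=lambda r: r["delta_pct"])}

LINES = """2026-04-01 08:00:01 Accepted publickey for alice from 10.0.0.5 port 51234
2026-04-01 09:12:44 Accepted publickey for carol from 10.0.0.8 port 51900
2026-04-01 11:30:00 Disk usage at 61% on /var
2026-04-02 00:00:05 Failed password for bob from 198.51.100.9 port 40022
2026-04-02 00:00:09 Failed password for admin from 198.51.100.9 port 40024
2026-04-02 11:30:00 Disk usage at 63% on /var
2026-04-02 16:02:18 Accepted publickey for alice from 10.0.0.5 port 53310""".splitlines()  # constructed sample
BASELINE, RECENT = (datetime(2026, 4, 1), datetime(2026, 4, 2)), (datetime(2026, 4, 2), datetime(2026, 4, 3))
```

Note that the shared source address stays literal in the Failed template because every member of that cluster carried it; that is the behaviour the threshold re-run in the check above is meant to expose.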
zcat transparently.