OpenSearch Logs

Connect HolmesGPT to OpenSearch for centralized log analysis and historical log access.

Prerequisites

  • OpenSearch cluster with Kubernetes pod logs
  • API key with read access to log indices
  • Network connectivity from HolmesGPT to OpenSearch

Logging Toolsets

Only one logging toolset should be enabled at a time. If you enable this toolset, disable the default kubernetes/logs toolset.

Available Log Sources:

💡 Choose one: Only enable one logging toolset at a time for best performance.

Configuration

Add the following to ~/.holmes/config.yaml, creating the file if it doesn't exist:

toolsets:
  opensearch/logs:
    enabled: true
    config:
      opensearch_url: https://opensearch.example.com:443
      index_pattern: kubernetes-*  # Pattern matching log indices
      opensearch_auth_header: "ApiKey YOUR_API_KEY"
      labels:  # Map fields to match your log structure
        pod: "kubernetes.pod_name"
        namespace: "kubernetes.namespace_name"
        timestamp: "@timestamp"
        message: "message"

  kubernetes/logs:
    enabled: false # Disable default Kubernetes logging

If HolmesGPT runs through the Robusta Helm chart, put the same configuration under the holmes key in your Helm values (generated_values.yaml) instead:

holmes:
  toolsets:
    opensearch/logs:
      enabled: true
      config:
        opensearch_url: https://opensearch.example.com:443
        index_pattern: kubernetes-*
        opensearch_auth_header: "ApiKey YOUR_API_KEY"
        labels:
          pod: "kubernetes.pod_name"
          namespace: "kubernetes.namespace_name"
          timestamp: "@timestamp"
          message: "message"

    kubernetes/logs:
      enabled: false # HolmesGPT's default logging mechanism MUST be disabled

Update your Helm values and run a Helm upgrade:

helm upgrade robusta robusta/robusta --values=generated_values.yaml --set clusterName=<YOUR_CLUSTER_NAME>
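The labels block above tells the toolset which fields in your documents carry the pod name, namespace, timestamp and message. The following is an added example, not HolmesGPT's own code: it checks a label mapping against a sample log document (the most common cause of the "Field mapping errors" listed under Troubleshooting) and shows the kind of OpenSearch query such a mapping implies. The sample hit is constructed, shaped like a typical Fluent Bit Kubernetes record; the query structure is an illustration of how mapped field names are used, not the toolset's actual query.

```python
"""Check an opensearch/logs label mapping against a sample document and build the
query it implies. Illustrative code only, not HolmesGPT's implementation."""
import json
from typing import Any, Optional

# Labels exactly as in the opensearch/logs config (CLI and Helm variants are identical).
LABELS = {
    "pod": "kubernetes.pod_name",
    "namespace": "kubernetes.namespace_name",
    "timestamp": "@timestamp",
    "message": "message",
}

# Constructed sample hit, shaped like a Fluent Bit Kubernetes log record.
SAMPLE_HIT = {
    "_index": "kubernetes-2024.05.01",
    "_source": {
        "@timestamp": "2024-05-01T12:00:00Z",
        "message": "payment failed: upstream timeout",
        "kubernetes": {"pod_name": "payment-7d9f", "namespace_name": "shop"},
    },
}


def resolve(doc: dict, path: str) -> Optional[Any]:
    """Resolve a dotted field path against a document.

    Accepts both nested objects ({"kubernetes": {"pod_name": ...}}) and flat
    dotted keys ({"kubernetes.pod_name": ...}), since both layouts occur in
    Kubernetes log indices. Returns None when the path does not exist.
    """
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_labels(labels: dict, source: dict) -> list:
    """Return the label names whose mapped field is absent from a sample _source.

    An empty list means every configured label resolves in this document.
    """
    return sorted(name for name, field in labels.items() if resolve(source, field) is None)


def build_fetch_query(labels: dict, pod: str, namespace: str,
                      start_iso: str, end_iso: str, size: int = 100) -> dict:
    """Build the query DSL a fetch-logs-by-pod call would plausibly send.

    Exact-match filters on the mapped pod and namespace fields plus a range
    on the mapped timestamp, newest first. Assumption: the pod and namespace
    fields are keyword-mapped; on analyzed text fields a term filter on a
    hyphenated pod name would silently return nothing.
    """
    return {
        "size": size,
        "sort": [{labels["timestamp"]: {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"term": {labels["pod"]: pod}},
            {"term": {labels["namespace"]: namespace}},
            {"range": {labels["timestamp"]: {"gte": start_iso, "lte": end_iso}}},
        ]}},
    }


def extract_message(labels: dict, hit: dict) -> Optional[Any]:
    """Pull the log line out of a hit using the mapped message field."""
    return resolve(hit["_source"], labels["message"])


if __name__ == "__main__":
    source = SAMPLE_HIT["_source"]
    print("missing with correct labels:", missing_labels(LABELS, source))
    wrong = dict(LABELS, pod="kubernetes.pod.name")  # a typo in the mapping
    print("missing with a typo in pod label:", missing_labels(wrong, source))
    query = build_fetch_query(LABELS, "payment-7d9f", "shop",
                              "2024-05-01T00:00:00Z", "2024-05-01T01:00:00Z")
    print(json.dumps(query, indent=2))
    print("message:", extract_message(LABELS, SAMPLE_HIT))
```

To use this against your own cluster, paste one document from a `_search` response into SAMPLE_HIT and run the script; any name printed by `missing_labels` is a label that needs to change in config.yaml.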

Validation

Test your configuration:

holmes ask "show me recent errors from the payment service"

Troubleshooting

Common Issues

  • Authentication errors: Verify your API key has read access to the specified indices
  • No logs found: Check that index_pattern matches your actual OpenSearch indices
  • Field mapping errors: Ensure labels section maps to correct field names in your logs

Finding Your Index Pattern

# List indices to find the correct pattern
curl -X GET "https://opensearch.example.com/_cat/indices?v" \
  -H "Authorization: ApiKey YOUR_API_KEY"
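The curl command prints one row per index; the index_pattern in your config has to match the names in the index column, which is the check behind the "No logs found" item above. The following is an added example, not part of HolmesGPT: it parses a constructed sample of the `_cat/indices?v` output and reports which indices a given index_pattern matches, listing the non-system indices as candidates when nothing matches.

```python
"""Check an index_pattern against _cat/indices?v output. Illustrative code
only, not HolmesGPT's implementation; the sample output below is constructed."""
import fnmatch

# Constructed sample of what the curl command above prints (verbose _cat/indices columns).
CAT_INDICES_OUTPUT = """\
health status index                     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   kubernetes-2024.05.01     a1b2c3d4e5f6g7h8i9j0k1   1   1    1203450            0      1.2gb          620mb
green  open   kubernetes-2024.05.02     b2c3d4e5f6g7h8i9j0k1l2   1   1     998210            0    980.4mb        490.2mb
yellow open   logs-k8s-2024.05.02       c3d4e5f6g7h8i9j0k1l2m3   1   1      51230            0     40.1mb         40.1mb
green  open   .opensearch-observability d4e5f6g7h8i9j0k1l2m3n4   1   0          0            0       208b           208b
"""


def parse_cat_indices(text: str) -> list:
    """Parse the verbose _cat/indices table into dicts keyed by the header row.

    Columns are whitespace-separated and never contain spaces, so a plain
    split is sufficient.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def matching_indices(indices: list, index_pattern: str) -> list:
    """Index names matching the wildcard pattern.

    Uses a case-sensitive glob where '*' matches any run of characters, which
    is how OpenSearch expands an index pattern such as kubernetes-*. Only '*'
    is relied on here; other fnmatch metacharacters are not OpenSearch syntax.
    """
    return sorted(i["index"] for i in indices if fnmatch.fnmatchcase(i["index"], index_pattern))


def check_index_pattern(text: str, index_pattern: str) -> dict:
    """Diagnose an index_pattern against _cat/indices output.

    Returns the matched names and, when nothing matches, the non-system
    indices (names not starting with '.') as candidates for a new pattern.
    """
    indices = parse_cat_indices(text)
    matched = matching_indices(indices, index_pattern)
    candidates = [] if matched else sorted(
        i["index"] for i in indices if not i["index"].startswith(".")
    )
    return {"matched": matched, "candidates": candidates}


if __name__ == "__main__":
    for pattern in ("kubernetes-*", "k8s-*"):
        result = check_index_pattern(CAT_INDICES_OUTPUT, pattern)
        print(f"{pattern}: matched={result['matched']} candidates={result['candidates']}")
```

Pipe the real curl output into a file and pass its contents to `check_index_pattern` with the pattern from your config; an empty matched list with non-empty candidates means the pattern, not the credentials, is the problem.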

Capabilities

| Tool Name | Description |
|---|---|
| opensearch_fetch_logs | Fetch logs from OpenSearch for specified pods and time ranges |
| opensearch_search_logs | Search logs in OpenSearch using query patterns |