OpenSearch Logs

Connect HolmesGPT to OpenSearch for centralized log analysis and historical log access.

Prerequisites

• OpenSearch cluster with Kubernetes pod logs
• API key with read access to log indices
• Network connectivity from HolmesGPT to OpenSearch

Logging Toolsets

Only one logging toolset should be enabled at a time. If you enable this toolset, disable the default kubernetes/logs toolset.

Available Log Sources:

• Kubernetes logs - Direct pod log access (enabled by default)
• Grafana Loki - Centralized logs via Loki
• OpenSearch logs - Logs from OpenSearch/Elasticsearch
• Coralogix logs - Logs via Coralogix platform
• DataDog - Logs from DataDog

💡 Choose one: Only enable one logging toolset at a time for best performance.

Configuration

Holmes CLIRobusta Helm Chart

Add the following to ~/.holmes/config.yaml, creating the file if it doesn't exist:

toolsets:
  opensearch/logs:
    enabled: true
    config:
      opensearch_url: https://opensearch.example.com:443
      index_pattern: kubernetes-*  # Pattern matching log indices
      opensearch_auth_header: "ApiKey YOUR_API_KEY"
      labels:  # Map fields to match your log structure
        pod: "kubernetes.pod_name"
        namespace: "kubernetes.namespace_name"
        timestamp: "@timestamp"
        message: "message"

  kubernetes/logs:
    enabled: false # Disable default Kubernetes logging

holmes:
  toolsets:
    opensearch/logs:
      enabled: true
      config:
        opensearch_url: https://opensearch.example.com:443
        index_pattern: kubernetes-*
        opensearch_auth_header: "ApiKey YOUR_API_KEY"
        labels:
          pod: "kubernetes.pod_name"
          namespace: "kubernetes.namespace_name"
          timestamp: "@timestamp"
          message: "message"

    kubernetes/logs:
      enabled: false # HolmesGPT's default logging mechanism MUST be disabled

Update your Helm values and run a Helm upgrade:

helm upgrade robusta robusta/robusta --values=generated_values.yaml --set clusterName=<YOUR_CLUSTER_NAME>

Validation

Test your configuration:

holmes ask "show me recent errors from the payment service"

Troubleshooting

Common Issues

• Authentication errors: Verify your API key has read access to the specified indices
• No logs found: Check that index_pattern matches your actual OpenSearch indices
• Field mapping errors: Ensure labels section maps to correct field names in your logs

Finding Your Index Pattern

# List indices to find the correct pattern
curl -X GET "https://opensearch.example.com/_cat/indices?v" \
  -H "Authorization: ApiKey YOUR_API_KEY"

Capabilities

Tool Name	Description
opensearch_fetch_logs	Fetch logs from OpenSearch for specified pods and time ranges
opensearch_search_logs	Search logs in OpenSearch using query patterns