Log Tail → LLM Triage hero
Strongly Certified · Streaming Workflow

Log Tail → LLM Triage

Tail your logs. ERROR / FATAL / TRACEBACK lines triage on a webhook.

Tails a log file mounted into the streaming worker pod and routes ERROR / FATAL / CRITICAL / EXCEPTION / TRACEBACK lines through a small LLM that drafts a one-paragraph triage summary (root-cause hypothesis + suggested next action). Routine INFO / DEBUG drops at the conditional.

Talk to an Engineer See What It Does
≤2.5s
Line-to-webhook (p95)
Inode-aware
Logrotate-safe
Bounded mem
max_line_bytes cap
What it does

The voice loop, end-to-end.

No black box. Each step is a typed-frame node you can edit, monitor, and replace.

01

Your application appends a line to its log file. The streaming worker pod has the log directory mounted via volumeMounts.

02

streaming-file-tail polls the path with inode-change rotation handling. Each newline-terminated line becomes a TextFrame.

03

streaming-conditional matches a triage-worthy regex (case-insensitive: ERROR / FATAL / CRITICAL / EXCEPTION / TRACEBACK / PANIC / FAIL / UNHANDLED). Routine INFO / DEBUG drops at the default branch.

04

The LLM drafts a one-paragraph triage summary (root-cause hypothesis + next action). streaming-webhook-response POSTs to your incident receiver.

Capabilities

Built for production. Day Two-ready.

Streaming graph contract, observability, and cost discipline come standard. The agent ships with a full test suite that runs in CI on every node version bump.

Async tail -f

aiofiles + asyncio polling loop with operator-tunable interval. No inotify C dep — runs the same code path on Linux / macOS / Alpine streaming-worker pods.

aiofilesPollingPortable

Logrotate-safe

Inode-change detection on every poll. Compatible with both rename-and-recreate and copytruncate logrotate modes. Reopens at byte 0 of the rotated file with replay_existing for that single transition.

Inode-awareBoth modesAuto-replay

Bounded memory

max_line_bytes (default 65536) caps any single buffered line. A producer that never emits newlines triggers a one-shot ErrorFrame and the buffer resets. Memory is bounded regardless of file size or churn.

Cap-enforcedTruncate-on-overflowMemory-safe

Late-arriving files

accept_missing config polls silently until the path appears — handy for upstream services that boot after the streaming session starts. No missing-file ErrorFrame on startup.

Polling waitBoot-order safeOptional

Cost-bounded

INFO / DEBUG drops at the conditional before any LLM call. The LLM cost scales with error rate, not log volume. Default regex is conservative and operator-tunable per domain.

Default conservativeError-rate costRegex-tunable

Live span tree

Each emitted line writes a span tagged with file_path / file_inode / file_offset. Filter the canvas overlay by inode to inspect rotation transitions or by offset to find specific traces.

ADR-S14Per-lineInode filter
Built on

Real services. Your stack.

Every dependency is a registered Strongly service or a model you control. Swap any one of them in the install wizard. The graph stays intact.

Source
streaming-file-tail 1.0.0 — aiofiles + inode rotation
Volume mount
hostPath / PVC / NFS — wire log dir into the streaming-worker pod
LLM model
gpt-4o-mini default — swap any registered chat model
Sink
streaming-webhook-response — Slack / PagerDuty / ServiceNow
Five common customisations

Tune it. Don't fork it.

The marketplace template is the graph. Every customisation below is a config change or a single-node addition - never a rewrite.

Slack-format the summary

Wire streaming-text-transformer to prepend ':rotating_light: ' and bold the file path before the webhook.

Severity routing

Replace the 2-port conditional with streaming-confidence-router: FATAL / PANIC → PagerDuty page, ERROR → Slack warn, WARN → email digest.

Per-service prompt

Fork the prompt with streaming-llm-router predicating on file_path so each upstream service gets a domain-tuned triage prompt.

Aggregation digest

Replace per-event LLM with streaming-aggregator (max 10 errors / 30s window) so a single crash that emits 50 stack frames triages once, not 50 times.

Stack-trace dedup

Wire streaming-context-deduplicator hashing on the first 200 chars of the trace so a repeating crash triages once per unique signature.

Strength in Results

Production. Not pilots.

We don't leave until it runs. Talk to a forward-deployed engineer about deploying Log Tail → LLM Triage into your environment with your STT, your LLM, your TTS, your data.

Schedule a Demo