search_transaction_spans

Executes a CloudWatch Logs Insights query against trace span records stored in CloudWatch Logs with the OpenTelemetry semantic-convention schema (@data_format = "AWS-OTEL-TRACE-V1"). Scope: only log records tagged `@data_format = "AWS-OTEL-TRACE-V1"` will match, so span records must follow the OpenTelemetry semantic-convention schema (e.g. `attributes.aws.local.service`, `attributes.aws.remote.operation`). If your spans are stored in some other shape or log group, pass an explicit `log_group_name` and include your own filter in `query_string`. The tool adds the `@data_format = "AWS-OTEL-TRACE-V1"` filter automatically, so you do not need to include it in `query_string`. You can override by providing your own `@data_format` reference, or take control of log-group scoping by starting `query_string` with a `SOURCE logGroups(...)` clause. Don't combine `log_group_name` with a user-supplied `SOURCE` — `log_group_name` is dropped and `log_group_name_ignored: True` appears in the response. The volume of returned logs can easily overwhelm the agent context window. Always include a limit in the query (| limit 50) or via the limit parameter. Usage: Write CloudWatch Logs Insights queries over OpenTelemetry span attributes (filter, stats, sort, limit, etc.). If source code is not accessible, consider querying with code-level attributes. ⚠️ Use CORRECT attribute names: attributes.code.file.path, attributes.code.function.name, attributes.code.line.number ``` FILTER attributes.aws.local.service = "customers-service-java" and attributes.aws.local.environment = "eks:demo/default" and attributes.aws.remote.operation="InvokeModel" | STATS sum(`attributes.gen_ai.usage.output_tokens`) as `avg_output_tokens` by `attributes.gen_ai.request.model`, `attributes.aws.local.service`,bin(1h) | DISPLAY avg_output_tokens, `attributes.gen_ai.request.model`, `attributes.aws.local.service` ``` Returns: -------- A dictionary containing the final query results, including: - status: one of 'Scheduled', 'Running', 'Complete', 'Failed', 'Cancelled', 'Polling Timeout', 'Transaction Search Not Available', 'Invalid Input'. 'Invalid Input' is returned synchronously when query_string is empty or whitespace-only. - results: A list of the actual query results if the status is Complete. - statistics: Query performance statistics - messages: Any informational messages about the query - transaction_search_status: Information about transaction search availability - log_group_name_ignored (only when true): set when log_group_name was supplied but dropped because query_string already contained a SOURCE clause. Accompanied by log_group_name_ignored_reason.. It is categorised as a Read tool in the CloudWatch Application Signals MCP Server MCP Server, which means it retrieves data without modifying state.

Add a rule in your Intercept YAML policy under the tools section for search_transaction_spans. You can allow, deny, rate-limit, or validate arguments. Then run Intercept as a proxy in front of the CloudWatch Application Signals MCP Server MCP server.

search_transaction_spans is a Read tool with low risk. Read-only tools are generally safe to allow by default.

Yes. Add a rate_limit block to the search_transaction_spans rule in your Intercept policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

Set action: deny in the Intercept policy for search_transaction_spans. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

search_transaction_spans is provided by the CloudWatch Application Signals MCP Server MCP server (awslabs.cloudwatch-applicationsignals-mcp-server). Intercept sits as a proxy in front of this server to enforce policies before tool calls reach the server.