Data Locality for AI-Driven Investigations
When an incident triggers an investigation, teammates need fast, reliable access to logs, metrics, traces, and events. Organizations that route telemetry through Edge Delta give their AI teammates native access to 22 MCP tools purpose-built for autonomous investigation. Organizations that keep data in third-party platforms force teammates to reach across platform boundaries with fewer tools, limited schema awareness, and higher latency.
This use case compares two architectures and explains why data locality at the AI agent’s primary platform improves investigation quality and speed.
Environment setup
| Component | Purpose |
|---|---|
| Edge Delta MCP Connector | Native access to logs, metrics, traces, events, dashboards, and pipeline configuration |
| Streaming Connectors | Ingest telemetry from Kubernetes, Docker, files, OTLP, and other sources into Edge Delta pipelines |
| Telemetry Pipelines | Process and route telemetry data through Edge Delta |
| AI Team Channel | Receive incident triggers from monitors, webhooks, or user requests |
| PagerDuty Connector | Receive incident events and manage incident lifecycle (optional) |
Data flow comparison
Architecture A: Data in a third-party platform
When telemetry is stored in a third-party platform, AI teammates must cross platform boundaries to access data. The third-party MCP connector exposes a limited tool set, typically without schema discovery, query validation, or visualization capabilities.
```mermaid
flowchart LR
A[Applications] --> B[Edge Delta Pipeline]
B -->|Route| C[Third-Party Platform]
D[Incident Trigger] --> E[AI Team Channel]
E --> F[OnCall AI]
F --> G[SRE Teammate]
G -->|Query via MCP| C
G -.->|Limited tools| H[No schema discovery]
G -.->|No query builder| I[Syntax errors]
G -.->|No graph tools| J[No visualization]
```

In this architecture, the SRE teammate must construct queries without knowing what fields or values exist in the third-party platform. If a query fails, the teammate cannot validate syntax or discover the correct field names programmatically. Cross-signal correlation requires separate queries to separate platforms, increasing latency and context window usage.
Architecture B: Data in Edge Delta
When telemetry flows through Edge Delta pipelines into the Edge Delta backend, AI teammates access data through the native Edge Delta MCP connector with 22 tools spanning schema discovery, query building, search, visualization, and pipeline management.
```mermaid
flowchart LR
A[Applications] --> B[Edge Delta Pipeline]
B --> C[Edge Delta Backend]
D[Incident Trigger] --> E[AI Team Channel]
E --> F[OnCall AI]
F --> G[SRE Teammate]
G -->|discover_schema| C
G -->|build_cql| C
G -->|get_log_search| C
G -->|get_metric_graph| C
G -->|get_pipeline_config| C
```

In this architecture, the SRE teammate discovers the schema first, builds validated queries, searches across all signal types with a unified query language, renders graphs to visualize trends, and can modify pipeline configurations to remediate issues.
Investigation workflow
The following is an example of how teammates investigate an incident when data is available natively in Edge Delta. The exact behavior depends on your connector configuration, teammate instructions, and incident context.
- OnCall AI receives an incident trigger (monitor alert, PagerDuty webhook, or user request) and opens an investigation thread
- SRE calls `discover_schema` with scope `log` to identify available fields, sample values for common fields like `service.name` and `severity_text`, and valid CQL syntax
- SRE uses `build_cql` to construct a validated query from structured filters, avoiding syntax errors that waste tool calls
- SRE searches logs with `get_log_search`, then correlates with metrics using `get_metric_search` and traces using `get_trace_timeline`, all using the same CQL syntax and the same facet system
- SRE calls `get_log_graph` and `get_metric_graph` to visualize error spikes and latency trends, identifying the onset time and blast radius
- SRE uses `get_pipeline_config` to inspect the affected pipeline and, if needed, uses `add_pipeline_source` and `deploy_pipeline` to remediate the issue
- OnCall AI synthesizes findings and proposes next actions, routing low-risk changes autonomously and escalating higher-risk changes for human approval
Why data locality matters
Schema discovery enables self-orientation
The discover_schema tool returns all available field names, sample values for common fields, CQL syntax reference, and sample queries. This allows teammates to orient themselves in an unfamiliar environment without human guidance. Most third-party MCP connectors do not offer an equivalent capability, forcing the agent to guess at field names or rely on hardcoded assumptions.
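To make the self-orientation step concrete, here is a toy sketch of how an agent could resolve a guessed field name against a discovered schema instead of hardcoding it. The response shape below is an assumption for illustration, not the documented `discover_schema` payload.

```python
# Assumed shape of a schema-discovery result, for illustration only.
schema = {
    "fields": ["service.name", "severity_text", "k8s.namespace.name"],
    "sample_values": {"severity_text": ["INFO", "WARN", "ERROR"]},
}

def resolve_field(schema, guess):
    """Map a guessed field name onto a field that actually exists."""
    # Exact match first, then a case-insensitive suffix match as a fallback.
    if guess in schema["fields"]:
        return guess
    for field in schema["fields"]:
        if field.lower().endswith(guess.lower()):
            return field
    return None

resolve_field(schema, "severity_text")   # exact hit
resolve_field(schema, "namespace.name")  # resolves to "k8s.namespace.name"
```

Without a discovery step, the same guess of `namespace.name` would simply return zero results, and the agent would have no programmatic way to learn why.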
Query building prevents wasted tool calls
The build_cql and validate_cql tools let teammates construct and verify queries programmatically before executing them. Without these tools, agents frequently produce malformed queries, consume tool calls on retries, and risk exhausting rate limits on third-party APIs.
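The validate-before-execute pattern looks roughly like this. The `validate_cql` body here is a toy stand-in (balanced quotes, non-empty input), not the connector's actual validation logic:

```python
def validate_cql(query):
    # Toy stand-in for validate_cql: non-empty input with balanced double quotes.
    return bool(query) and query.count('"') % 2 == 0

def run_query(query, execute):
    """Spend a search call only on queries that pass validation."""
    if not validate_cql(query):
        raise ValueError(f"rejected before execution: {query!r}")
    return execute(query)

run_query('severity_text:"ERROR"', lambda q: ["..."])  # executes
# An unterminated quote would raise locally, without spending a search call
# or a rate-limited API request on a query that was never going to parse.
```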
Unified query language simplifies correlation
Edge Delta uses CQL across all signal types: logs, metrics, traces, patterns, and events. The same field names, the same syntax, and the same facet system work everywhere. When data lives in multiple platforms, the agent must switch between query languages (PromQL for metrics, LogQL for logs, ES|QL for Elasticsearch), increasing the chance of errors and the number of tool calls required.
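A single-language workflow means one query string can be reused verbatim across scopes. In this hedged sketch, `search` is a stand-in dispatcher for the per-signal tools named in this document:

```python
# One CQL string reused across scopes; the query syntax is illustrative.
query = 'service.name:"checkout" AND severity_text:"ERROR"'

def search(scope, query):
    # Stand-in dispatcher: in practice "log" maps to get_log_search,
    # "metric" to get_metric_search, and "trace" to get_trace_timeline.
    return {"scope": scope, "query": query}

results = [search(scope, query) for scope in ("log", "metric", "trace")]
```

Contrast this with a multi-platform setup, where the same correlation would require rewriting the filter in PromQL, LogQL, and a trace query language, tripling the surface for syntax errors.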
Pre-aggregated data reduces context window pressure
Graph tools (get_log_graph, get_metric_graph, get_trace_graph, get_pattern_graph) return pre-aggregated time-series data that conveys trends concisely. Instead of retrieving individual log records or raw data points, the agent receives bucketed counts and aggregated values over time. This is significantly more compact than raw records, which can vary wildly in size and risk saturating the context window.
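The size difference is easy to demonstrate. The payload shapes below are assumptions (raw log records versus the kind of bucketed series a graph tool returns); the point is the relative size, not the exact schema:

```python
import json

# 1,000 raw error records vs. the same window summarized into one-minute buckets.
raw_logs = [
    {"timestamp": 1700000000 + i,
     "body": "connection refused to upstream checkout-svc",
     "severity_text": "ERROR"}
    for i in range(1000)
]
bucketed = [{"bucket_start": 1700000000 + i * 60, "error_count": 60} for i in range(17)]

raw_bytes = len(json.dumps(raw_logs))
agg_bytes = len(json.dumps(bucketed))
# The bucketed series conveys the same trend at a small fraction of the size.
```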
Pipeline tools enable remediation
Pipeline management tools (get_pipeline_config, add_pipeline_source, deploy_pipeline) allow teammates to move from observation to action within the same platform. When data lives in a third-party platform, the agent can observe problems but cannot remediate them without switching to a separate pipeline management interface.
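An observe-then-remediate sequence might look like the following sketch. The tool names are from this document, but the config shape and the `call_tool` stub are assumptions for illustration:

```python
# Hypothetical inspect -> modify -> deploy sequence for a pipeline.
def remediate_missing_source(call_tool, pipeline_id, source):
    """Add a missing source to a pipeline and deploy only if a change was made."""
    config = call_tool("get_pipeline_config", {"pipeline_id": pipeline_id})
    if source not in config["sources"]:
        call_tool("add_pipeline_source", {"pipeline_id": pipeline_id, "source": source})
        call_tool("deploy_pipeline", {"pipeline_id": pipeline_id})
        return "deployed"
    return "no-op"

# Stub backend holding one pipeline's state:
state = {"sources": ["kubernetes"]}
def stub(name, args):
    if name == "get_pipeline_config":
        return state
    if name == "add_pipeline_source":
        state["sources"].append(args["source"])
    return {"ok": True}
```

The idempotence check matters for the low-risk/high-risk routing described in the workflow: a no-op is trivially safe to run autonomously, while a deploy is the kind of change a teammate can surface for human approval.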
Native versus third-party MCP capabilities
| Capability | Edge Delta MCP | Typical third-party MCP |
|---|---|---|
| Schema discovery | discover_schema returns fields, values, syntax | Not available |
| Query construction | build_cql builds validated queries | Manual query strings |
| Query validation | validate_cql checks syntax before execution | Not available |
| Metric name search | search_metrics with fuzzy matching | Not available |
| Log search | get_log_search with CQL | Available (platform-specific syntax) |
| Metric search | get_metric_search with CQL | Available (platform-specific syntax) |
| Trace search | get_trace_timeline with CQL | Varies |
| Event search | get_event_search with CQL | Varies |
| Log visualization | get_log_graph | Not available |
| Metric visualization | get_metric_graph | Not available |
| Trace visualization | get_trace_graph | Not available |
| Pattern visualization | get_pattern_graph | Not available |
| Log patterns | get_log_patterns with sentiment | Not available |
| Pipeline inspection | get_pipeline_config | Not available |
| Pipeline deployment | deploy_pipeline | Not available |
| Dashboard access | get_dashboard, get_all_dashboards | Available |
| Unified query language | CQL across all scopes | Different language per signal type |
When to use this pattern
This architecture is most valuable when:
- Your AI teammates are the primary responders for incidents and need fast, autonomous access to telemetry data
- Your investigation workflows require correlation across logs, metrics, traces, and events
- You want teammates to remediate issues (pipeline changes) in addition to diagnosing them
- You are consolidating from multiple observability platforms to reduce operational complexity
Data tiering to third-party platforms remains appropriate for long-term archival, compliance requirements, or specialized analytics workflows that do not require real-time AI-driven investigation.