|
| 1 | +# Transaction Search |
| 2 | + |
| 3 | +The AgentCore CLI automatically enables |
| 4 | +[CloudWatch Transaction Search](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Transaction-Search.html) |
| 5 | +as a post-deploy step whenever agents are deployed. This gives you full trace visibility for agent invocations without |
| 6 | +any manual setup. |
| 7 | + |
| 8 | +> Transaction search takes ~10 minutes to become fully active after being enabled. Traces from invocations made before |
| 9 | +> that window may not be indexed. |
| 10 | +
|
| 11 | +## What happens by default |
| 12 | + |
| 13 | +When you run `agentcore deploy` and the project contains at least one agent, the CLI performs the following steps after |
| 14 | +the CloudFormation deployment succeeds: |
| 15 | + |
| 16 | +1. **Enable Application Signals** — Calls `StartDiscovery` to create the required service-linked role (idempotent). |
| 17 | +2. **Create CloudWatch Logs resource policy** — Adds a `TransactionSearchXRayAccess` resource policy that grants X-Ray |
| 18 | + permission to write to the `aws/spans` and `/aws/application-signals/data` log groups. Skipped if the policy already |
| 19 | + exists. |
| 20 | +3. **Set trace segment destination** — Configures X-Ray to send trace segments to CloudWatch Logs (skipped if already |
| 21 | + set). |
| 22 | +4. **Set indexing to 100%** — Updates the X-Ray `Default` indexing rule to 100% probabilistic sampling so all traces are |
| 23 | + indexed. |
| 24 | + |
| 25 | +All operations are **idempotent** and safe to run on every deploy. Transaction search setup is **non-blocking** — if any |
| 26 | +step fails (e.g., due to insufficient permissions), the deploy still succeeds and a warning is logged. |
| 27 | + |
| 28 | +## Overriding defaults |
| 29 | + |
| 30 | +You can customize transaction search behavior via the global CLI config file at `~/.agentcore/config.json`. |
| 31 | + |
| 32 | +### Disable transaction search entirely |
| 33 | + |
| 34 | +```json |
| 35 | +{ |
| 36 | + "disableTransactionSearch": true |
| 37 | +} |
| 38 | +``` |
| 39 | + |
| 40 | +When disabled, the CLI skips all transaction search setup steps during deploy. |
| 41 | + |
| 42 | +### Change the indexing percentage |
| 43 | + |
| 44 | +By default, 100% of traces are indexed. To lower the sampling rate: |
| 45 | + |
| 46 | +```json |
| 47 | +{ |
| 48 | + "transactionSearchIndexPercentage": 50 |
| 49 | +} |
| 50 | +``` |
| 51 | + |
| 52 | +The value must be a number between 0 and 100. |
| 53 | + |
| 54 | +### Configuration reference |
| 55 | + |
| 56 | +| Key | Type | Default | Description | |
| 57 | +| ---------------------------------- | --------- | ------- | ----------------------------------------------- | |
| 58 | +| `disableTransactionSearch` | `boolean` | `false` | Skip transaction search setup on deploy | |
| 59 | +| `transactionSearchIndexPercentage` | `number` | `100` | X-Ray indexing rule sampling percentage (0–100) | |
| 60 | + |
| 61 | +## Required IAM permissions |
| 62 | + |
| 63 | +The following permissions are needed for the transaction search setup. If the caller lacks any of these, a warning is |
| 64 | +logged but the deploy still succeeds. |
| 65 | + |
| 66 | +- `application-signals:StartDiscovery` |
| 67 | +- `logs:DescribeResourcePolicies` |
| 68 | +- `logs:PutResourcePolicy` |
| 69 | +- `xray:GetTraceSegmentDestination` |
| 70 | +- `xray:UpdateTraceSegmentDestination` |
| 71 | +- `xray:UpdateIndexingRule` |
| 72 | + |
| 73 | +## Viewing traces |
| 74 | + |
| 75 | +After transaction search is fully active (~10 minutes), you can view traces for your deployed agents: |
| 76 | + |
| 77 | +```bash |
| 78 | +# List recent traces |
| 79 | +agentcore traces |
| 80 | + |
| 81 | +# Get a specific trace |
| 82 | +agentcore traces --trace-id <trace-id> |
| 83 | +``` |
0 commit comments