Action Usage
Which actions your agents actually call, how often they fail, and where to read the failures in the audit log.
Sidebar → Compliance → Action Usage — at /admin/action-usage on your gateway. The page ranks (tool, action) pairs by call count over a chosen time window, surfaces the failure rate next to each row, and turns a non-zero failed-count into a one-click link into the audit log scoped to exactly those failures.
The same per-call counters power both Action Usage and the Data Usage dashboard; the difference is what the table is keyed by. Data Usage keys by user and answers how much did each user push through — the DLP question. Action Usage keys by (tool, action) and answers which actions do agents reach for — the product-usage question. Two lenses, one substrate.
What the table shows
| Column | What it means |
|---|---|
| Tool · action | The MCP tool and the action name inside it. When grouped by tool, the action column collapses into a per-tool aggregate. |
| Calls | Total invocations in the window. Rendered as a proportional bar against the busiest row so the shape of the distribution is visible at a glance. |
| Failed | Count of failed invocations. When non-zero, the cell links into the audit log filtered to exactly those failures in the selected window — you read the actual upstream errors behind the rate. |
| Success rate | Percentage of calls that returned success. Coloured as a flag, not a verdict: a high-traffic action with a poor success rate is one to fix before promoting; a low-traffic action with a single failure is statistical noise. |
| Users | Distinct (pseudonymised) actors that invoked this action in the window. Sanity-check signal: a "popular" action with only one user is one team’s preference, not a fleet pattern. |
| ~Tokens | Estimated token cost across all calls in the window, derived from inbound and outbound byte counts. |
| Last seen | Most recent invocation timestamp. Useful to spot stalled or abandoned actions in long windows. |
Columns are client-side sortable. Numeric cells carry the raw value as data-sort-val so formatted display (1.2 k, 87%, ~3.4 k tokens) sorts by magnitude, not by string order. The active column advertises direction via aria-sort.
Time windows
The same six windows are exposed on the Data Usage dashboard so the two siblings share one vocabulary:
- 1h — the live read; what your agents are doing right now.
- Today — calendar day so far (server time).
- Yesterday — the full previous calendar day.
- This week — calendar week so far (Monday onward).
- Last week — the previous full Monday–Sunday window.
- All time — everything still in the 90-day retention window.
Action Usage defaults to 24h; Data Usage defaults to 1h. Different defaults because the questions differ — a usage trend reads better over a day, a DLP volume read better over the most recent hour.
Group by tool
A toggle in the toolbar collapses every row that shares a tool into a single row, summing Calls, Failed, Users, ~Tokens across all that tool’s actions. Useful for the higher-level read — which services dominate the call volume — before drilling into which action inside that service.
Failure drill-down
A non-zero failed-count cell is a link, not a number. Clicking it opens the audit log filtered to severity=red + the same time window + the same (tool, action) pair. You land on the exact failed-call rows whose errors you want to read.
Calendar windows (Yesterday, Last week) map cleanly to the audit log’s from/to date range. 1h and 30m windows get day-scoped on the audit side (the audit filter granularity stops at one day), so the linked view is a superset of the bar value — the audit's own search refines from there.
CSV export
The full window’s rows (within the top-500 cap, see below) export as a CSV from the footer link. Header columns mirror what the dashboard renders: window, group, tool, action, actions, calls, failed_calls, success_rate_pct, users, estimated_tokens, last_seen. The export is itself an audit event (same egress-discipline as Data Usage exports) — the audit log records who took it, when, with which filter.
Honest scope
The page is a bounded top-N operator view: the table caps at the 500 busiest (tool, action) pairs in the window. In real-world deployments that covers essentially all observed traffic, but when the cap is hit the footer reads top 500 by calls (more exist) so the table never silently implies this is everything. Client-side sort reorders the loaded 500; if you need to dig past it, narrow the time window or use the CSV.
Counters carry a 90-day retention; older calls fall out of the bucket store. The dashboard never claims to read further back than that.
Where it lives in the admin panel
| What | Where in the admin |
|---|---|
| Action Usage dashboard | Compliance → Action Usage |
| Time-window filter | Compliance → Action Usage → toolbar (same vocabulary as Data Usage) |
| Group-by-tool toggle | Compliance → Action Usage → toolbar |
| Failure drill-down | Click a non-zero failed-count cell → opens Compliance → Audit Log filtered to the same (tool, action) + window + severity=red |
| CSV export | Compliance → Action Usage → footer link |
| Sibling: Data Usage (per-user volume) | Compliance → Data Usage |
Related
- Compliance — the umbrella surface: audit log, PII sanitization, throughput, hooks
- Notifications — out-of-band operator alerts via Slack DM, Teams or email
- Access Model — roles, permissions, audit and the RBAC mapping
- Hooks reference — how to act on what Action Usage surfaces