Alert Investigation Modes

Resolve AI participates in your team's on-call rotation, triaging and investigating alerts so engineers can start their shift with answers instead of pages. When you enable auto investigation in the alerts configuration on Team Knowledge, Resolve investigates alerts as they come in. Investigation modes are how you tell Resolve how much effort to spend on each alert.

Matching effort to the alert

Every alert is different, and the right amount of effort depends on the context. Resolve's approach is to get you to the answer you need fastest. Sometimes that's a full root cause analysis. Sometimes it's confirming which team you need to route the issue to. Sometimes it's a low-QPS blip you can safely ignore.

You can choose between three automation modes: Triage, Adaptive, or Investigation. Each produces a collaborative report in the Resolve UI, and Resolve posts the findings to the team's Slack or MS Teams alert channels so you can discuss them there too.

Other investigation types like chat-driven and incident investigations follow their own flows and are not affected by the mode you pick here.

Not sure where to start?
Use Adaptive. It gives you a fast triage on simple alerts and a deep investigation when it matters.

How each mode works

Triage

Resolve follows the alert runbooks configured in Resolve through Knowledge, or builds one on the fly to determine impact when none are attached. It summarizes the findings and pauses. Anyone can manually escalate to a deep investigation at any time from Slack, MS Teams, or the Resolve UI.

Use this for: high-volume, low- and medium-severity alerts where you just need a quick read.

Adaptive

Adaptive is an intelligent configuration mode. After running triage, Resolve weighs the runbook (or its on-the-fly impact analysis when none is attached) and the team's past engagement with similar alerts to decide whether to stop or escalate to a deep investigation. You can shape Adaptive's decisions by writing runbooks that capture your team's criteria for when to escalate and when to stop.

Use this for: when you want Resolve on every alert and want it to decide how deep to go.

Investigation

Resolve runs a thorough deep investigation where a team of agents explore multiple working theories in parallel. It can also propose mitigation actions to address what it finds. Alerts configured for Triage or Adaptive can be escalated to a deep investigation at any time.

Use this for: critical or P0 alerts and complex migrations where you want a deep, thorough root cause analysis.

Configuring modes

Configure an alert filter in your Resolve AI team

Set the mode for each alert filter in your team's alerts configuration on the Team Knowledge page. Pick from Triage, Adaptive, or Investigation.

Shape Adaptive's escalation behavior

Adaptive uses runbook guidance to decide whether to stop or escalate. Provide that guidance by attaching runbooks to specific alerts or adding runbook guidance to your team's docs. See the Knowledge setup guide for more.

FAQ

Which mode should I use when?
Pick based on how much effort each alert deserves:

- Triage: for high-volume, low- or medium-severity alerts where you only want a quick read.
- Adaptive: for most alerts (the recommended default). Resolve runs triage first, then decides whether to escalate to a deep investigation based on the runbook and the team's past engagement with similar alerts (e.g., stopping when those alerts have routinely gone stale or been ignored).
- Investigation: for alerts that always warrant a deep and thorough root cause analysis, like P0s, incidents and issues during complex releases and migrations.

Why did my investigation stop at triage?

This happens with Triage and Adaptive modes.

- Triage always stops after it has executed the runbook. To go deeper, click Continue Investigation on the results of the triage.
- Adaptive stops based on the runbook and the team's past engagement with similar alerts, typically for no-ops, known transient issues, or alerts that have routinely been ignored. You can still escalate manually by clicking Continue Investigation.

Can I manually escalate a triage to a deep investigation?

Yes. From the triage result in Slack, MS Teams, or the Resolve UI, click Continue Investigation. This works regardless of the alert's configured mode. If you want more detail without committing to a deep investigation, you can also ask follow-up questions on the triage result without triggering one.

How do I shape Adaptive's decision to stay at triage or escalate to a deep investigation?

Create a runbook that's attached to an alert, or add the guidance to your team's docs. Add your team's decision criteria in the runbook. To direct Adaptive's action, use keywords like "deep investigation", "rca", or "/rca". Adaptive uses the runbook along with the team's past engagement on similar alerts to decide what to do. To always run a thorough analysis with a team of agents, set the alert filter's configuration to Investigation.

What kinds of "past engagement" does Adaptive account for?
Adaptive looks at how the team has historically responded to similar alerts:

- Opening them in Slack, MS Teams, or the Resolve UI
- Asking follow-up questions
- Clicking Continue Investigation

Adaptive still runs triage on every alert. When these signals are consistently absent, Resolve's Adaptive configuration makes an educated guess not to escalate further to a deep investigation.