Product

Automate Prometheus Alerting with AI Agents: From Page to Root Cause

Part three of our Prometheus alerting series: put an AI action layer on top of Prometheus and Alertmanager. CloudThinker agents connect read-only to the Prometheus HTTP API, pick up firing alerts, and run the PromQL an on-call would run next — scrape-target health, per-instance error and latency comparison, deploy-window correlation — then name the likely cause with evidence and propose fixes under graduated autonomy (Notify → Suggest → Approve → Autonomous), escalation intact. Includes a realistic first-findings table, sample prompts to try, and the read-only connection checklist.

·
prometheusobservabilityalertingalertmanagerpromqlaiagentcloudthinker
Cover Image for Automate Prometheus Alerting with AI Agents: From Page to Root Cause

Automate Prometheus Alerting with AI Agents: From Page to Root Cause

Ask any on-call engineer what happens after a Prometheus page and you'll get the same answer: a ritual of about ten PromQL queries, typed half-awake, in roughly the same order every time. Is the target even up? Is the error rate real or one bad instance? What does the latency histogram say? Did anything restart? Did anything deploy? The queries are not hard — that's the point. Prometheus alerting tells you a symptom crossed a threshold; the next thirty minutes of typing is how a human turns that symptom into a cause.

up{job="checkout-api"}
sum by (instance) (rate(http_requests_total{job="checkout-api",code=~"5.."}[5m]))
histogram_quantile(0.95, sum by (le) (rate(http_request_duration_seconds_bucket{job="checkout-api"}[5m])))
changes(kube_pod_container_status_restarts_total{namespace="prod"}[30m])
time() - process_start_time_seconds{job="checkout-api"} < 1800

This is part three of our Prometheus alerting series, and it covers what happens when those queries run themselves. Part one covered the rules side — symptom-based alerts, for: durations, the up == 0 blind spot, and the PromQL patterns behind alerts worth waking up for. Part two built the native automation ceiling: rule files, Alertmanager routing and inhibition, amtool silences, promtool tests — and ended on the honest limit that routing and silencing manage notifications, they do not investigate the alert.

CloudThinker agents are the layer that does. Not a Prometheus replacement — your rules, your Alertmanager config, your Grafana dashboards all stay exactly where they are. The agents connect read-only, pick up firing alerts, run the investigation your on-call would run, and propose (or, with explicit permission, apply) the fix.

Connecting: two read-only endpoints, about five minutes

CloudThinker talks to the same HTTP APIs you already use:

  • Prometheus HTTP API — the base URL of your Prometheus server (or Thanos Query / Mimir / VictoriaMetrics frontend, since they speak the same API). The agents use GET /api/v1/query, /api/v1/query_range, /api/v1/alerts, /api/v1/rules, and /api/v1/targets — all read paths.
  • Alertmanager API (optional but recommended) — the agents read GET /api/v2/alerts and /api/v2/silences to see grouping, inhibition, and silence state, so they never investigate an alert your config has already suppressed.

If your endpoints sit behind auth, you supply a bearer token or basic-auth credentials scoped however your reverse proxy allows. No exporters to install, no prometheus.yml changes, no remote-write, no admin API. Prometheus has no built-in granular authorization, which is exactly why the connection is designed to need nothing beyond query access — the Prometheus connection guide has the endpoint checklist your security review will want.

What the agents do when an alert fires

The agents poll alert state continuously. When a rule transitions to firing, the investigation starts — the same one your ritual encodes, in the first two or three minutes instead of the first thirty:

  1. Pull the alert's full context. The rule expression from /api/v1/rules, its for: duration, labels and annotations, how often this exact alert has fired in the past 30 days, and whether Alertmanager currently has it grouped with siblings or suppressed by an inhibition rule.
  2. Correlate the symptom across related series. For a latency alert, that means the error-rate counters, saturation metrics, and queue depths for the same job — plus the same metrics one hop upstream and downstream. This is where PromQL breadth matters: the agent runs the rate(), histogram_quantile(), and sum by (instance) comparisons a human would, and notices when one instance is the outlier versus all of them degrading together.
  3. Check scrape health before trusting anything. up == 0 and staleness on the relevant targets, cross-checked against /api/v1/targets. Part one made the case that scrape failure is the silent lie in most Prometheus setups; the agent treats "is this data even current?" as step zero, so you never chase a flat-lined graph that's actually a dead exporter.
  4. Compare against the last deploy window. Fresh process_start_time_seconds, container restart counters, rollout-status metrics from kube-state-metrics if present. Most incidents trace back to a change; humans check this last, agents check it early.
  5. Deliver a finding, not a forward. What fired, what the evidence shows, the most likely cause named explicitly, and a proposed remediation with a rollback note — posted where your Alertmanager receiver already points, with every query it ran attached so you can re-run them yourself.

That last clause is the difference from every webhook receiver you wired up in part two. A webhook executes the branch you wrote in advance. An agent chooses the next query based on what the previous one returned — which is the actual skill your on-call rotation is built around.

Graduated autonomy: the agent earns write access, level by level

Every action class carries an autonomy level, set per environment:

  • Notify — investigate and report. Nothing else. The default for everything, and where every team should start.
  • Suggest — propose the specific remediation with expected impact and rollback steps, then wait.
  • Approve — stage the action; execute only after a named human approves in chat.
  • Autonomous — execute and report. Reserved for reversible, well-understood actions in non-production — extending a silence on a confirmed-flappy staging alert, say — after weeks of watching the agent be right at the Approve level.

Escalation stays intact throughout. If the evidence says "real outage," the agent pages through your existing Alertmanager route — faster, with the investigation already attached. It never decides an incident isn't worth waking someone for. And every investigation, proposal, approval, and change lands in an audit trail with its evidence.

What a first pass typically finds

Alongside live alert response, the first connection runs a hygiene review of your rules and Alertmanager config — the part-one checklist, executed in minutes. Numbers below are illustrative: a composite of a mid-market environment with a few hundred rules across two or three Prometheus servers. Yours will differ.

Finding Detail Impact
Rules with no for: duration 38 rules fire on a single evaluation — the flap machine ~50–70% of pages resolve unaided
Targets down, nobody alerted 12 targets at up == 0 for 6+ days with no up/absent() rule Blind spots that look like calm
Cause-based alerts 26 rules page on CPU/memory with no user-facing symptom rule Pages without an action
Expensive alert expressions 9 rules re-aggregate high-cardinality series every 15s Rule-evaluation lag, missed fires
Stale silences 14 silences expired or matching labels that no longer exist Config drift, false confidence
Missing inhibition Node-down cascades page 20+ service alerts individually One incident, one page-storm
Cardinality growth 3 metrics added ~120K series via an unbounded label TSDB memory pressure, slow rules

The shape mirrors what parts one and two predicted: most rows are not "add more alerting," they're "your existing alerting is noisy or lying in specific, fixable ways." Each row arrives with a proposed, approval-gated fix — a for: duration here, a recording rule there, an inhibit_rules block drafted for review.

Prompts to try in your first session

CloudThinker is conversational — plain language in, cited PromQL out, so you verify rather than trust:

"HighRequestLatency on checkout-api is firing. Investigate: check scrape health on the job first, compare p95 and error rate per instance for the last hour, and look for restarts or fresh process start times in the same window. Notify only."

"Which of our alerting rules fired more than five times last week without anyone acknowledging them, and what for: duration or threshold change would quiet each one without losing real signal?"

"Audit our scrape targets: which are down or flapping right now, and which jobs have no up or absent() alert covering them at all?"

The first prompt is the one to run during your next real page. Put the agent's three-minute writeup next to what your on-call assembled by hand, query by query, and you'll know whether this belongs in the escalation path.

What the agents will not do

An AI agent pointed at your monitoring stack should raise questions. The answers:

  • Read-only by default. The connection needs query access only. Acting on the stack — posting a silence via the Alertmanager API, editing a rule file through your GitOps flow — requires you to grant that access and raise the autonomy level above Notify for that action class.
  • No silent changes. Below Autonomous, nothing changes without a named human approving in chat. Autonomous is per-action-class, per-environment — never a global switch.
  • No swallowed pages. Suppression logic remains yours — in your Alertmanager routes and inhibition rules, explicit and versioned. The agent adds context to pages; it does not eat them.
  • Nothing outside the audit trail. Every query run, finding posted, and action taken is logged with its evidence and approver.

If you built the part-two setup, keep it. Routing, grouping, inhibition, and tested rules are the deterministic layer that should stay deterministic. The agents take the layer that was never automatable before: reading the evidence and deciding what to check next.

The ritual, retired

Part one gave you rules worth firing. Part two gave you every native lever for managing the noise — and showed where the levers stop. What remains between "alert delivered" and "cause named" is the ten-query ritual, and that is precisely what an agent layer absorbs. Teams that put autonomous investigation on top of an existing Prometheus and Alertmanager setup typically cut time-to-diagnosis from tens of minutes to under five, and fix the for:-less flappers and dead scrape targets in the first week as a side effect.

Try CloudThinker free — 100 premium credits, no card required — and follow the Prometheus connection guide to watch your next firing alert arrive with the PromQL already run.