Observability Analysis¶
Obsy AI Copilot can use the current page context and workspace data available to the current user to summarize observable objects, analyze anomalies, and localize likely causes. This page also covers AI Aggregation, which runs automatically through an alert strategy. Each capability expects a different input and produces a different result, so begin from the page or workflow that contains the object you want to analyze.
| Capability | Best suited for | Main result |
|---|---|---|
| Page analysis and root cause localization | Understanding what happened to the current log, trace, alert, incident, RUM object, security signal, or dashboard and identifying likely causes. | Object summary, likely causes, key evidence, impact scope, and recommended actions. |
| List and asset analysis | Finding anomalies, major distributions, and priority objects in the current list. | Key metrics, top distributions, representative samples, risks, and recommendations. |
| Database query optimization | Understanding why the current SQL or database Query is slow and how to improve it. | Query summary, execution-plan evidence, and optimization recommendations. |
| Alert aggregation and compression | Using AI Aggregation in an alert strategy to classify, deduplicate, and summarize many alerts from the same period. | Aggregation summary, grouped results, and alert-convergence recommendations. |
| Initial incident analysis | Preparing an initial assessment when an incident is generated in Incident Center. | Event context, impact scope, possible causes, and next actions. |
Page Analysis and Root Cause Localization¶
When you are viewing an anomalous object and need to understand the symptom, determine likely causes, or choose the next investigation step, open Copilot directly from that page.
The capability currently covers these types of detail pages:
- Alert events, Error Center items, and incidents;
- Log and trace details;
- Dashboards;
- RUM sessions, views, resources, actions, long tasks, and errors;
- Security signals;
- Database Query details, with SQL-specific behavior described in Database Query Optimization.
Actual availability depends on whether the current page provides analysis context to Copilot.
Analyze the Current Page¶
- Open the detail page and set the page time range to the period you want to investigate.
- Open Copilot and select the quick analysis prompt, when available, or describe the analysis goal directly.
- Add a specific concern when needed, such as the affected scope, related service, anomalous period, or expected output.
The following pages may display a contextual quick prompt:
| Current object | Quick prompt |
|---|---|
| Error log detail | Analyze this error log |
| Alert event detail | Analyze this alert |
| Dashboard | Check this dashboard |
| Error trace detail | Analyze this anomalous trace |
| RUM Error detail | Analyze this error |
The prompt disappears after you start typing, send another message, switch objects, or close the panel. It appears only once for the same object in a panel session, but you can enter the same request manually afterward.
Analysis Output¶
Copilot first reads the current object, then retrieves related evidence from the same time range when needed. For a confirmed anomaly, the result typically covers:
- The object and observed symptom;
- The most likely cause or risk direction and its confidence;
- Supporting evidence from logs, metrics, traces, or events;
- The known impact scope;
- Verification and remediation recommendations.
If the object does not show a clear anomaly, Copilot provides a summary and risk notes instead of assuming a failure. When evidence is insufficient, the result identifies what remains unconfirmed and which data is still needed.
Note
Page analysis is read-only. It does not create, update, or delete monitors, alert rules, dashboards, or other platform resources. Conclusions depend on the current page context, query range, and accessible data. Confirm any remediation action before execution.
List and Asset Analysis¶
Use list analysis when a single record cannot explain the overall condition, or when you need to find distributions, top objects, and shared characteristics across the current result set.
The capability applies to supported dashboard, log, trace, RUM, alert event, security signal, Error Center, and incident lists. The fields and objects available for analysis are determined by the filters and data scope supplied by the current page.
Analyze the Current List¶
- Set the list time range and filters so the page represents the business scope you want to analyze.
- Open Copilot and state the desired conclusion, such as "summarize anomalies in this list," "find the services with the most errors," or "identify common patterns in recent events."
- For comparisons or rankings, specify the grouping dimension, metric, or number of top results.
Copilot keeps the analysis within the current query boundary and prioritizes aggregations or a small number of representative samples instead of reading unbounded raw records.
Analysis Output¶
The result typically includes a scope overview, key counts, top distributions, representative samples, risk notes, and recommended next steps. If required fields are unavailable, a query fails, or no data is returned, Copilot preserves the known facts and identifies the evidence gap.
List analysis does not change the current filters or perform bulk actions on listed objects.
Database Query Optimization¶
Use this capability from a database Query detail page when a query is slow, scans too much data, or otherwise shows abnormal execution behavior.
Run the Optimization Analysis¶
- Open the target database Query detail page.
- Open Copilot and ask it to "analyze the current SQL," explain why the Query is slow, or provide recommendations from the execution plan.
- Include a specific target when applicable, such as reducing scanned rows, improving index usage, or lowering sort cost.
Analysis Output¶
Copilot analyzes the data already available in the current Query detail. Depending on the returned fields, the result may include:
- Database type, duration, call count, scanned rows, returned rows, and other available statistics;
- The original SQL;
- The returned execution plan and important plan fields;
- Recommendations for query structure, indexes, filters, or execution behavior.
If no execution plan is returned, Copilot shows the available SQL and identifies the missing evidence instead of inventing plan nodes or costs. This capability provides analysis and recommendations only. It does not execute a rewritten query or modify database objects.
Alert Aggregation and Compression¶
When many duplicate or related alerts occur in the same period and reading them one by one obscures the main problem, enable AI Aggregation in the alert strategy. The system classifies, deduplicates, and summarizes alerts within the configured aggregation period, then sends an aggregated notification according to the alert strategy. This capability runs automatically as part of the alert strategy; you do not start it from a Copilot conversation.
Note
AI Aggregation consumes Obsy AI points. Set the aggregation period according to alert volume and notification timeliness to manage point consumption.
The capability looks for:
- Repeated alerts from the same monitor;
- Related alerts from the same host, application, service, or dependency;
- Common categories such as cloud platforms, infrastructure, Kubernetes, middleware, databases, logs, traces, and delivery systems;
- High-frequency objects and anomalies that need attention first.
Aggregation Output¶
The system uses the aggregation period and input alert set to produce a structured result containing:
- The number of monitors that triggered and the number of alert notifications;
- Monitors, representative titles, and summaries grouped by anomaly type;
- Correlation notes for high-frequency hosts, applications, or services;
- Recommendations for duplicate alerts, related anomalies, and priority investigation targets.
Recovery events can indicate that a problem has cleared, but they are not counted as anomalous alerts and are not used as the primary basis for root cause recommendations. The aggregate result is based only on the alerts supplied for that run and does not replace validation against source metrics, logs, or traces.
Initial Incident Analysis¶
When an incident is generated in Incident Center, Copilot can prepare a structured initial assessment from the supplied event details so the assignee can understand the context and begin investigation quickly.
Initial Analysis Output¶
When enabled in the current workflow, Copilot extracts the available information and organizes it into:
- Event title, status or severity, and first occurrence time;
- Detection window, affected objects, and key metric snapshots;
- Possible causes ordered by priority;
- Immediate investigation, change review, and escalation recommendations.
The initial assessment only uses the event details supplied by the incident workflow. Missing time, severity, scope, or metric information is omitted and uncertainty is stated explicitly.