• Understand or interpret an existing alert rule.
• Confirm what signal an alert watches and at what threshold.
• Audit whether an alert is reasonably configured.
• Translate raw alert JSON into operational language.

• Create a new alert →

  signoz-creating-alerts

  .
• Diagnose why an alert fired or correlate signals around a fire window →

  signoz-investigating-alerts

  .
• Modify an existing alert → call

  signoz:signoz_update_alert

  directly.

$ARGUMENTS

1. Call

   signoz:signoz_list_alert_rules

   , paginate through every page, and find the closest name match.
2. State the interpretation in the response: "Interpreting your request as alert 'High Error Rate — Checkout' (id 42). If you meant a different one, tell me the name or id."
3. Proceed with the explanation. The user can correct after.

1. Call

   signoz:signoz_list_alert_rules

   and paginate every page —

   pagination.hasMore

   is true until the full list is walked.
2. Match by name (case-insensitive substring). If multiple match, present the candidates and ask which one (interactive) or pick the closest and flag the assumption (autonomous).

signoz:signoz_get_alert_history

Fired N times in the last 7d (last fire: <relative-time>).

signoz-investigating-alerts

• "What does this alert do?" / "Explain X" — describe what fires:

  TL;DR: Fires when

  <condition>

  for

  <scope>

  , notifies

  <channel>

  .

  <fire-frequency line>

  .

• "Is it configured correctly?" / "Audit this" / "Anything I should change?" — lead with the verdict and the top 1–3 changes, not the description of what fires:

  TL;DR: Mostly well-configured, but recommend: (1) add

  alertOnAbsent

  — currently a crashed service stays silent; (2) fix annotation template

  {{$topic}}

  →

  {{$labels.topic}}

  (won't interpolate); (3) split critical to PagerDuty (both tiers currently route to Slack).

  <fire-frequency line>

  .

• "How does X work?" / "Explain the count guard" — answer the mechanism in 1–2 sentences before any framing:

  TL;DR: The count guard is a

  having: count() > 50

  clause on query A — any 1-minute bucket with ≤50 spans is dropped before evaluation, so low-traffic minutes can't fire the alert.

• "What's the threshold?" / focused config question — state the exact thing they asked about:

  TL;DR: Threshold is 3 standard deviations (z-score), not a raw rate value. Daily seasonality means the model compares each hour against historical norms for that hour.

disabled

selectedQueryName

=

!=

IN

NOT IN

LIKE

ILIKE

CONTAINS

REGEXP

EXISTS

NOT EXISTS

IN

NOT IN

groupBy

service.name

ruleType: anomaly_rule

algorithm

seasonality

• op

  codes:

  1

  above,

  2

  below,

  3

  equal,

  4

  not equal.

• matchType

  codes:

  1

  at_least_once (any point in window),

  2

  all_the_times (entire window),

  3

  on_average (window average),

  4

  in_total (window sum),

  5

  last (most recent point).

name

target

targetUnit

targetUnit

recoveryTarget

<frequency>

<evalWindow>

at_least_once

all_the_times

signoz_list_notification_channels

notificationSettings.groupBy

renotify

usePolicy

• alertOnAbsent

  missing when the signal is critical: silent data loss (crashed service, broken instrumentation) won't trigger the alert. Always call this out for production-tier rules.

• alertOnAbsent: true

  but

  nodata

  not in

  renotify.alertStates

  : the absent-data fire pages once and then goes silent — easy to miss.
• Template variable bugs:

  {{$topic}}

  won't interpolate; the correct form is

  {{$labels.topic}}

  . Dots in label keys become underscores (

  service.name

  →

  {{$labels.service_name}}

  ).
• Multiple severity tiers but

  labels.severity

  missing on the rule — breaks label-based routing policies. Common gap.
• All tiers route to the same channel — defeats the point of graduated thresholds.
• High-cardinality

  groupBy

  (e.g.

  pod.name

  ×

  partition

  ) → notification-storm risk during cluster-wide events.
• Annotation/description text contradicts

  matchType

  (e.g. description says "for over 5 minutes" but

  matchType=at_least_once

  fires on first breach within the window).
• Alert name doesn't match the filter target (e.g. name says "checkout" but filter targets

  payments

  ) — call this out.

• Threshold calibration — appropriate for the signal? Consider service criticality and traffic.
• matchType fit —

  at_least_once

  is sensitive (catches transients);

  all_the_times

  is conservative;

  on_average

  smooths noise.
• Window vs frequency — short window +

  at_least_once

  can be noisy. Long window can delay detection.
• Multi-severity — alerts with both warning and critical thresholds enable graduated response. Single-severity alerts miss this.
• Notification routing — critical → high-urgency channels (PagerDuty); warning → low-urgency (Slack).
• Missing runbook / description — if

  annotations

  are empty or default, suggest adding context.
• Absent-data monitoring — for critical signals, recommend

  alertOnAbsent: true

  if it isn't set.
• GroupBy cardinality — high-cardinality groupBy fields can produce many independent alert series; flag potential notification storms.
• Filter completeness — for

  IN

  /

  NOT IN

  filters with explicit value lists, flag values that look out of place or missing values that seem expected.
• Fire frequency vs threshold — if Step 3 shows the alert fires many times a day (>10/day in the 7d window), the threshold is likely too tight; if it never fires and the user is asking because they expected it to, the threshold may be too loose or the query may be wrong.

• "Want me to investigate the most recent fire?" (→

  signoz-investigating-alerts

  )
• "Want me to run the underlying query to see current values?" (→

  signoz-generating-queries

  )
• "Want me to adjust the threshold or add a severity level?" (→

  signoz:signoz_update_alert

  directly — out of scope here)
• "Want me to create a related alert for [gap noticed]?" (→

  signoz-creating-alerts

  )

• Fetch before explaining. Always call

  signoz:signoz_get_alert

  . Do not base explanations on the rule name or list response alone.
• Always pull fire history. The one-line frequency summary is cheap (one MCP call) and grounds the explanation. Skip it only if the alert is disabled.
• Decode, don't dump. Translate

  op

  ,

  matchType

  , filter expressions, and query JSON into operational language. Show raw JSON only if the user asks.
• Decode every sub-query. For formula alerts, explain each builder query and the formula. Don't gloss over a formula as "error rate" — show the user what A, B, and F1 each compute.
• Anchor to the actual config. Don't speculate based on the alert name. If the name says "checkout" but the filter targets

  payments

  , call that out.
• No live queries by default. Do not run the alert's query unless the user asks. Explain is about understanding the rule, not inspecting current data.
• Paginate alert listing. Before concluding an alert does not exist, walk every page of

  signoz:signoz_list_alert_rules

  .
• SigNoz evaluation model. SigNoz uses

  evalWindow

  +

  frequency

  • matchType

    , not Prometheus-style

    for

    durations. Don't describe the evaluation model in Prometheus terms.
• Stay in scope. Investigation of a specific fire window belongs to

  signoz-investigating-alerts

  . Modifications belong to

  signoz:signoz_update_alert

  .

1. signoz:signoz_list_alert_rules

   (paginated) → finds "High Error Rate — Checkout" id 42.

2. signoz:signoz_get_alert id=42

   → traces formula (A errored spans / B total spans × 100), single critical threshold at 5%,

   op=1

   ,

   matchType=1

   , channel

   pagerduty-oncall

   .

3. signoz:signoz_get_alert_history id=42 lookback=7d

   → fired 3 times, last fire 2h ago.
4. Replies:

   TL;DR: Fires when checkout error rate (errored spans / total spans) exceeds 5% at any point in the last 5 min, pages

   pagerduty-oncall

   . Fired 3 times in the last 7d (last 2h ago).

   What it watches — traces from

   service.name = 'checkout'

   . Query A counts spans with

   hasError = true

   , query B counts all spans, F1 = A × 100 / B is the error percentage; the alert triggers on F1.

   When it fires —

   op=above

   ,

   matchType=at_least_once

   , target 5%. Checks every 1 min over the last 5 min — a single elevated minute fires it.

   Notable — no

   recoveryTarget

   (could flap near 5%); no

   alertOnAbsent

   (a checkout outage that drops traffic to zero won't trigger this rule).

5. Offers: "Want me to investigate the fire from 2h ago?"

1. signoz:signoz_get_alert id=17

   → metrics,

   system.cpu.utilization

   , two thresholds (warning 80%, critical 90%),

   matchType=3

   on_average, filter

   deployment.environment.name = 'production'

   , groupBy

   host.name

   .

2. signoz:signoz_get_alert_history id=17

   → has not fired in last 7d.
3. The user asked "is it well configured?" — the TL;DR leads with the verdict, not a generic description. Then explanation + full audit:

   TL;DR: Mostly well-configured (dual-threshold +

   on_average

   is the right call for CPU), but two gaps to fix: (1) no

   alertOnAbsent

   — a crashed agent silently stops reporting and this rule won't catch it; (2) annotations are default — a runbook URL would help on-call. Has not fired in the last 7d (could mean production is healthy or thresholds too loose).

   What it watches —

   system.cpu.utilization

   on

   deployment.environment.name = 'production'

   , grouped by

   host.name

   (fires per host).

   When it fires —

   op=above

   ,

   matchType=on_average

   , two tiers (warning 80%, critical 90%) over a 5-min window. Short spikes don't fire — smoothing is correct for CPU.

   Notable concerns — same as TL;DR fixes above; nothing else non-default.

4. Offers next steps.

1. signoz:signoz_get_alert id=88

   →

   ruleType: anomaly_rule

   ,

   algorithm=zscore

   ,

   seasonality=daily

   , target 3, metric

   http.server.request.duration

   , scope

   service.name = 'api-gateway'

   .
2. History: fired 1 time in last 7d.
3. Replies:

   TL;DR: Fires when api-gateway request latency deviates by more than 3 standard deviations (not raw latency, not a fixed value) from its learned daily pattern. Fired once in the last 7d.

   What it watches —

   http.server.request.duration

   for

   service.name = 'api-gateway'

   , evaluated as a Z-score anomaly with daily seasonality — the model learns the typical pattern for each hour of day, so peak-hour latency won't false-trigger if it matches the historical norm for that hour.

   When it fires — when |Z-score| > 3, i.e. the value is more than 3 standard deviations away from the expected pattern. Lower target → more sensitive (more noise); higher → only extreme deviations. The threshold is not in seconds or milliseconds.

4. Offers to investigate the recent fire.