Overview

When an incident fires, click Investigate to get a root-cause analysis with concrete remediation steps — generated from live evidence collected directly from your cluster.
The investigator is advisory only — it never mutates your cluster. It reads logs, events, and state to surface what likely went wrong and what to do about it.

What the investigator returns

Root cause

A concise diagnosis of what likely caused the incident.

Confidence

High / medium / low — how certain the model is about the analysis.

Suggested fix

Concrete remediation steps (e.g. “increase memory limit from 128Mi to 512Mi”).

Recommended actions

Additional steps to prevent recurrence (e.g. “add a liveness probe”).

Evidence gathered

The investigator collects evidence at the time of the investigation:
  • Affected pod’s current phase, restart count, and conditions
  • Node status and resource usage
  • Recent Kubernetes Warning events for the affected workload
  • Current container logs (recent output)
  • Previous container logs — the logs from before the last crash
  • The manifests that were applied (for Niro-managed deployments)
  • Recent apply history and status
Previous logs are often the most valuable signal — they capture exactly what the container output before it exited.
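
The read-only behaviour and the evidence list above can be checked from the cluster side. The following is an added example, not Niro's own code: it audits an exported Kubernetes RBAC rule list and flags anything beyond read access to those evidence sources. It assumes the integration runs under an RBAC role you can export (the page does not say how access is granted); the resource mapping, including metrics.k8s.io for resource usage, and all names are hypothetical.

```python
# Added example: audit an exported RBAC rule list for anything beyond read-only
# access to the evidence sources listed above. All names here are hypothetical.

READ_VERBS = {"get", "list", "watch"}

# (apiGroup, resource) pairs matching the evidence list; an assumption, not
# a permission set documented by the product.
EVIDENCE_RESOURCES = {
    ("", "pods"), ("", "pods/log"), ("", "events"), ("", "nodes"),
    ("metrics.k8s.io", "pods"), ("metrics.k8s.io", "nodes"),
}

def audit_rules(rules):
    """Return a list of findings; an empty list means read-only and in scope."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        # Any verb other than get/list/watch (including "*") can mutate state.
        for verb in sorted(verbs - READ_VERBS):
            findings.append(f"rule {i}: non-read verb '{verb}'")
        # Wildcards silently cover secrets and every future resource type.
        if "*" in groups or "*" in resources:
            findings.append(f"rule {i}: wildcard apiGroup or resource")
            continue
        for group in groups:
            for res in resources:
                if (group, res) not in EVIDENCE_RESOURCES:
                    findings.append(
                        f"rule {i}: out-of-scope resource '{group or 'core'}/{res}'")
    return findings

# Constructed sample roles (not taken from any real deployment).
READ_ONLY_ROLE = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "events", "nodes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
     "verbs": ["get", "list"]},
]
OVERBROAD_ROLE = [
    {"apiGroups": [""], "resources": ["pods", "secrets"],
     "verbs": ["get", "list", "delete"]},
    {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["patch"]},
]

if __name__ == "__main__":
    for name, role in (("read-only", READ_ONLY_ROLE), ("over-broad", OVERBROAD_ROLE)):
        print(name, audit_rules(role) or "OK")
```
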

Running an investigation

Manual

1. Open the incident
   Go to Alerts → click the incident you want to investigate.
2. Click Investigate
   Click the Investigate button in the incident detail panel.
3. Review the analysis
   The investigation completes in 10–30 seconds. Results are stored — you can re-run at any time to refresh with current evidence.

Automatic

Niro can trigger investigations automatically when incidents change state. Configure in Settings → Auto-investigation:

| Mode | When investigation runs |
|------|-------------------------|
| off | Never run automatically |
| firing | When an incident opens |
| resolved | When an incident resolves |
| both | On both open and close |

firing mode is the most useful — you get root-cause analysis the moment something breaks, before you’ve opened the dashboard.
Auto-investigations are best-effort. If the AI provider is unavailable, the auto-investigation is skipped (not retried). Manual investigation is always available.

Availability

Available on Pro and above. The Investigate button is visible on Free but disabled with an upgrade prompt.

Limitations

The analysis is probabilistic, not authoritative. Low-confidence findings should be treated as suggestions. Always verify before acting on a suggested fix.
  • If logs have been rotated or the pod deleted before investigation, evidence may be incomplete
  • Long log tails are truncated to fit the model’s context window — most recent logs are always prioritized
  • Auto-investigations are best-effort: failures are logged but never affect the incident itself

Last modified on June 12, 2026