From dynatrace
Configures Dynatrace alerting lifecycle: anomaly detectors (static/adaptive/seasonal), Grail event storage, problem denoising, and workflow notifications (email, Slack, ServiceNow, webhook).
How this skill is triggered — by the user, by Claude, or both
Slash command
/dynatrace:dt-alertingThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Configure and understand the full alerting lifecycle in Dynatrace — from anomaly
Configure and understand the full alerting lifecycle in Dynatrace — from anomaly detector setup through Grail event storage, problem grouping, and workflow notification delivery.
┌─────────────────────────────────────────────────────────────────────┐
│ Alert Sources — five categories, each fires a DAVIS_EVENT │
│ ───────────────────────────────────────────────────────────────── │
│ 1. DQL-based · Grail-scheduled server-side detector │
│ 2. Edge · OneAgent on monitored host or process │
│ 3. Pipeline · OpenPipeline ingest-stream filter matcher │
│ 4. Synthetic · Worldwide synthetic checker node │
│ 5. External · Events API, Workflow, or OneAgent local ingest │
└──────────────────────────────┬──────────────────────────────────────┘
│ DAVIS_EVENT created per trigger per entity
▼
┌─────────────────────────────────────┐
│ Event stored in Grail │ Persisted and queryable via DQL.
└──────────────────┬──────────────────┘ One event per trigger per entity.
│ correlated by root-cause and impact graph
▼
┌─────────────────────────────────────┐
│ Problem (Denoising) │ Events sharing the same root-cause
└──────────────────┬──────────────────┘ and impact graph → one Problem.
│ problem event triggers workflow
▼
┌─────────────────────────────────────┐
│ Workflow Notification │ Filters problems and routes to
└─────────────────────────────────────┘ email, Slack, ServiceNow, webhook.
First step for any alerting setup request — Before recommending a specific
detector or model, load references/anomaly-detectors.md and use its category
and model decision guide to identify which detector category (DQL-based, Edge,
Pipeline, Synthetic, External) and which model (Static, Adaptive, Seasonal)
best fits the user's use-case. Only proceed with configuration guidance once
the right detector type has been established.
Consolidate, don't multiply — When a user asks to alert on multiple
entities of the same kind (e.g. "alert on services A, B, and C"), always
recommend a single combined detector rather than one detector per entity.
Use by: { <dimension> } in the DQL timeseries call to split results per
entity, and a single filter: clause to scope to the relevant entities.
Pair the combined detector with a single dt.alert_group tag shared
across all alert conditions and the corresponding workflow notification filter.
This keeps the number of detector configs small, ensures consistent routing,
and makes the workflow notification channel reusable for future entities added
to the same group.
Example for three services — one detector, one workflow:
timeseries avg(dt.service.request.response_time),
by: { dt.smartscape.service },
filter: { in(dt.smartscape.service, {toSmartscapeId("SERVICE-0000000000000001"), toSmartscapeId("SERVICE-0000000000000002"), toSmartscapeId("SERVICE-0000000000000003")}) }
Set dt.alert_group: "checkout-team" in the detector's event properties, then
filter the notification workflow on matchesPhrase(dt.alert_group, "checkout-team").
If a new service must be covered, add it to the single filter: list — no new
detector or workflow rule needed.
| User Request | Action | Reference |
|---|---|---|
| "how to alert on ...", "create an alert on ...", "create anomaly detector", "set up alerting", "configure alert rule" | Explain detector categories and variants, guide through model selection | anomaly-detectors.md |
| "what kinds of anomaly detectors", "edge alert", "pipeline alert", "synthetic alert", "OneAgent alert" | Explain the five alert source categories and their trade-offs | anomaly-detectors.md |
| "static vs adaptive", "which detector model", "seasonal detector" | Compare models, apply decision guide | anomaly-detectors.md |
| "query alert history", "which alerts fired", "Davis events in Grail" | Query dt.davis.events in Grail via fetch dt.davis.events | davis-events.md |
| "why did alerts merge", "problem grouping", "denoising" | Do NOT explain merging rules here — load dt-obs-problems and refer to problem-merging.md for the full merge logic | dt-obs-problems/references/problem-merging.md |
| "send Slack notification", "email on problem", "ServiceNow ticket", "notify on alert" | Explain problem-triggered workflow setup | workflow-notifications.md |
| "alert storm", "too many notifications", "reduce noise" | Filtering strategy, denoising, sensitivity tuning | workflow-notifications.md + anomaly-detectors.md |
Analyzing existing problems — If the user wants to query or investigate active/closed problems (root cause, impact, trending), load
dt-obs-problemsinstead. This skill covers configuration and flow, not problem query analytics.
Detector health monitoring — If the user asks whether detectors are running or failing, load
dt-platform(ANALYZER_EXECUTION_EVENT, ANOMALY_DETECTOR_STATUS_EVENT). This skill covers setup, not operational health.
dt.davis.eventsdt-dql-essentials before writing DQL queries| # | Reference | Content |
|---|---|---|
| 1 | anomaly-detectors.md | Detector types, model selection, configuration, best practices |
| 2 | davis-events.md | Davis event storage in Grail, key fields, DQL query patterns |
| 3 | workflow-notifications.md | Problem-triggered workflows, filtering, notification channels |
Five fundamental categories of anomaly detectors, distinguished by where detection runs and how the alert event reaches Dynatrace:
| # | Category | Detection runs on | Latency | Alert logic owner |
|---|---|---|---|---|
| 1 | DQL-based | Grail (server-side, scheduled) | Minutes | Dynatrace |
| 2 | Edge | OneAgent on the monitored host/process | Seconds | Dynatrace (OneAgent) |
| 3 | Pipeline | OpenPipeline ingest path (in-stream) | Near-zero | Dynatrace (pipeline rule) |
| 4 | Synthetic | Synthetic checker node (worldwide) | Seconds | Dynatrace (synthetic node) |
| 5 | External | Customer / external tool | Caller-defined | Customer |
See references/anomaly-detectors.md for the full breakdown of each category,
including trade-offs and configuration entry points.
| Model | Threshold | Best for |
|---|---|---|
| Static | Fixed value you define | Known hard limits (e.g. error rate > 5%) |
| Adaptive baseline | Learned from recent history | Metrics with no fixed limit but clear normal behavior |
| Seasonal baseline | Learned with time-of-day / day-of-week awareness | Traffic, request rate, or any metric with recurring patterns |
| Concept | Table | Scope |
|---|---|---|
| Davis event | fetch dt.davis.events | One record per detector trigger per entity |
| Problem | fetch dt.davis.problems | One record per correlated group of events sharing root-cause and impact |
A single problem typically contains multiple events. Querying problems gives the operational view; querying events gives the raw alert history.
For questions about why alerts merged into a problem or how Davis groups
events, load dt-obs-problems — the merge logic and rules are documented in
dt-obs-problems/references/problem-merging.md. This skill covers alert
configuration and flow only.
fetch dt.davis.events, from: -24h
| filter event.status == "ACTIVE"
| summarize alert_count = count(), by: {event.name, event.category, dt.smartscape_source.id}
| sort alert_count desc
| limit 20
fetch dt.davis.events, from: -24h
| summarize count = count(), by: {event.category, event.status}
| sort count desc
fetch dt.davis.problems, from: -24h
| filter not(dt.davis.is_duplicate) and event.status == "ACTIVE"
| fields event.start, display_id, event.name, event.category
| sort event.start desc
| limit 20
event.severity <= 2 problems to
on-call channels immediately; route event.severity >= 3 problems to lower-
urgency channels. Either set severity in the detector config or assign in a pipeline rule or workflow.dt.alert_group event property for routing — Assign dt.alert_group to route alerts to the right team. Either set a static value in the detector config, use dynamic assignment through DQL query result mapping or assign in a pipeline rule.by: { <dimension> } and a combined
filter: clause. Assign the same dt.alert_group value to every condition
in that detector and point the workflow notification channel at that single
group. One detector + one workflow per logical alert group scales better than
N detectors + N notification rules, and adding a new entity is a one-line
filter change rather than a full detector/workflow addition.npx claudepluginhub dynatrace/dynatrace-for-ai --plugin dynatraceAuthors low-noise log alerts on PostHog services: triage candidates, characterize baselines, draft thresholds, back-test with simulate, and ship to notification destinations.
Analyzes Monte Carlo monitor reports and recommends configuration changes to reduce alert noise. Supports metric, custom SQL, validation, and table monitors.
Automates New Relic observability workflows: manage alert policies, notification channels (email, Slack, webhook, PagerDuty), alert conditions, and list APM/browser applications via Composio MCP.