---

name: observability description: Analyzes distributed systems using Prometheus (PromQL), Loki (LogQL), and Tempo (TraceQL). Constructs efficient queries for metrics, logs, and traces. Interprets results with token-efficient structured output. Use when debugging performance issues, investigating errors, analyzing latency, or correlating observability signals across metrics, logs, and traces.

Observability Analysis

Query construction and analysis for Prometheus, Loki, and Tempo.

Core Principles

Start with all available metrics then drill down to logs and traces for context.

Progressive Query Construction

• Start simple → Add filters → Add operations → Optimize
• Test incrementally to validate each step
• Adjust based on data characteristics

Multi-Signal Correlation

• Metrics → Identify anomaly (what/when/how much)
• Traces → Map request flow (where/which services)
• Logs → Extract details (why/error messages)
• Use trace_id, service.name, timestamp for correlation

Token-Efficient Results

## Finding: [One-sentence summary]

**Evidence**: [Specific values/metrics]
**Impact**: [User/business effect]
**Cause**: [Root issue if identified]
**Action**: [Next step]

Target: <500 tokens for complete analysis

Query Patterns

Common starting points (adapt based on context):

# Metrics: Error rate, latency percentiles, traffic patterns
sum(rate(http_requests_total{status=~"5.."}[5m])) / sum(rate(http_requests_total[5m]))
histogram_quantile(0.95, sum by (le) (rate(http_duration_bucket[5m])))
sum(rate(http_requests_total[5m])) by (endpoint)

# Logs: Error details, slow operations
{job="service"} |= "error" | json
{job="service"} | json | unwrap duration_ms | duration_ms > threshold

# Traces: Error traces, slow requests, request flow
{status=error && service.name="service"}
{duration > threshold && service.name="service"}
{kind="server" && service.name="service"}

Query Construction Guidelines

Labels: Use specific labels, avoid high cardinality aggregations Time ranges: Match analysis needs (5m for rate, adjust as needed) Aggregations: Filter first, then aggregate for efficiency

Result Interpretation

Extract key information:

• Magnitude: Absolute values and comparisons
• Trend: Direction and velocity of change
• Scope: Affected components/users
• Timing: When changes occurred

Quantify impact: Convert metrics to business/user impact Prioritize: Focus on severity, scope, and trend

Reference Documentation

Consult references for detailed syntax, patterns, and workflows:

• references/promql.md - PromQL functions, RED/USE methods, optimization patterns
• references/logql.md - LogQL parsers, aggregations, pipeline optimization
• references/traceql.md - TraceQL span filtering, structural queries, performance analysis
• references/semantic-conventions.md - OpenTelemetry attribute standards and naming
• references/analysis-patterns.md - Token-efficient templates, output formats, examples
• references/troubleshooting.md - Investigation workflows, scenario-specific patterns

When to use references:

• Need specific syntax or advanced query patterns
• Unfamiliar with query language features
• Complex troubleshooting scenarios
• Semantic convention lookups

Behavior

DO:

• Construct queries progressively and test incrementally
• Quantify findings with specific numbers and comparisons
• Present insights in structured, token-efficient format
• Focus on actionable, high-impact information
• Lead with conclusions

DON'T:

• Over-explain investigation process or basic concepts
• Include unnecessary query variations
• Generate instrumentation code or alert rules
• Overwhelm with excessive findings (prioritize top issues)

Success Criteria

Effective analysis provides:

• Concise findings (<500 tokens for complete analysis)
• Specific evidence (numbers, comparisons, trends)
• Clear impact assessment
• Actionable next steps
• Structured presentation