Safety check
Scans your observability stack for anything referencing a pattern — dashboards, alerts, saved searches, monitors, metric filters, Kibana rules. Two modes, picked from the env at call time: when ambient log analyzer credentials are present, the tool runs the read-only API calls in-process and returns the actual list; when creds are missing, it falls back to a paste-ready bash block. Read-only — never POST / PUT / DELETE under any circumstance.
Example
"deps on
Payment_Gateway_Timeoutin Splunk"Dependency Check — Splunk (executed). 2 alerts, 1 saved search, 3 dashboards reference the pattern:
Alerts -
Payments_Timeout_Spike— fires on rate > 50/min · open -Tenant_Impact_Watch— multi-tenant variant · openSaved searches -
Payment_Gateway_Timeout_24h_summary· openDashboards -
Payments Service — Live· open -Incident Triage — OPS· open -Tenant SLA Tracking· openRedirect or remove these consumers before muting / dropping the pattern.
More to ask
- "deps on
Retry_Backoff_Exhaustedin Datadog" - "who's using
DEBUG /healthzin Elasticsearch?" - "can I delete the
cart_validation_failedlog?"
Prerequisites
Per vendor, set the env vars below for executed mode. Missing creds → paste-ready bash + a note saying which env to set. vendor is auto-detected when exactly one log analyzer is present in the env; pass vendor=<id> when multiple are present.
| Vendor | Required env | Notes |
|---|---|---|
| Splunk | SPLUNK_HOST + SPLUNK_TOKEN |
Basic-auth and ~/.splunkrc also accepted. Web URLs derived by mapping :8089 → :8000 — override with SPLUNK_WEB_URL. |
| Datadog | DD_API_KEY + DD_APP_KEY |
DATADOG_* aliases work. Site routing via DD_SITE. |
| CloudWatch | Standard AWS credential chain | Scans metric filters + metric/composite alarms + dashboards (by name; full-body match would need per-dashboard fetch, kept out of the default path). |
| Elasticsearch | KIBANA_URL + KIBANA_API_KEY (or ELASTIC_API_KEY) |
Without a Kibana endpoint, falls back to paste-ready bash with a note — Elasticsearch alone can't surface dashboards / rules. |
Tool schema (advanced)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
pattern |
string | yes | — | Pattern name (e.g., Payment_Gateway_Timeout). |
vendor |
string | no | auto | Vendor to scan. Auto-detected when exactly one of splunk / datadog / elasticsearch / cloudwatch is present in the env. Pass explicitly when multiple are detected. |
service |
string | no | — | Scope the scan to a service. |
severity |
string | no | — | Severity level. |
Per-vendor scan coverage:
- Splunk — saved searches + alerts (
/services/saved/searches, distinguished byalert.track); dashboards (/servicesNS/-/-/data/ui/views). - Datadog — dashboards (title + description); monitors (name + query + message).
- CloudWatch — metric filters (
logs:DescribeMetricFilters); metric + composite alarms (cloudwatch:DescribeAlarms); dashboards by name only (cloudwatch:ListDashboards). - Elasticsearch — Kibana saved-objects (
dashboard,visualization,lens) + alerting rules.
Read-only guarantee: the executed path never issues POST / PUT / DELETE to any vendor. Hard-coded constraint, enforced in the implementation.