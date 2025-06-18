In today’s fast-paced IT environment, not all incidents begin with obvious alarms. They may start as subtle, scattered signals, a missed alert, a quiet SLO breach, or a degraded service that slowly impacts users.

Designed by the NVIDIA IT team, ITMonitron is an internal tool that helps make sense of these faint signals. By combining real-time telemetry with NVIDIA NIM inference microservices and AI-driven summarization, ITMonitron transforms fragmented monitoring into unified, actionable intelligence, cutting detection time and empowering faster decisions.

The vision: From fragmented signals to unified intelligence

Enterprises are inundated with a multitude of monitoring tools, everything from application to infrastructure monitoring to correlation tooling to SaaS platforms to enterprise security monitoring. Each of these tools produces its own data, and that data often lives in silos.

The result? Slow incident detection, bloated Mean Time to Detect, Mean Time to Resolve (MTTR), and a proliferation of manual triage.

With ITMonitron, we aim to solve this fragmentation by acting as the connective tissue that links it all together, providing a unified view of system health.

Figure 1. ITMonitron architecture overview

By aggregating, correlating, and normalizing data in real time, ITMonitron empowers SREs, incident managers, and executives with a 360° view of system health, helping them detect incidents faster and respond more efficiently. The combination delivers actionable insights, and not just raw alerts.

Under the hood: Engineering the pulse

ITMonitron is a modular, Go-based platform engineered for efficient data ingestion, normalization, and summarization. The architecture is designed to integrate with a variety of observability and incident management tools for application, infrastructure, SaaS and Cloud Service Providers — enabling SRE teams to monitor and manage their systems effectively.

Key components of the platform include:

API gateway layer : Unified entry point for accessing data across multiple monitoring sources. It abstracts API complexity, ensures consistency, and optimizes caching and performance.

: Unified entry point for accessing data across multiple monitoring sources. It abstracts API complexity, ensures consistency, and optimizes caching and performance. Source connectors : Suite of purpose-built connectors for telemetry ingestion. These connectors handle retries, and data format variability, ensuring resilient data pipelines.

: Suite of purpose-built connectors for telemetry ingestion. These connectors handle retries, and data format variability, ensuring resilient data pipelines. Abstraction and orchestration layer : Normalizes, correlates, and enriches telemetry data into a consistent schema. It’ll also cache frequently accessed values, reduce noise by deduplicating and prioritizing signals, and provide an efficient pipeline for data processing.

: Normalizes, correlates, and enriches telemetry data into a consistent schema. It’ll also cache frequently accessed values, reduce noise by deduplicating and prioritizing signals, and provide an efficient pipeline for data processing. LLM-powered incident summarization : Powered by NVIDIA NIM, this layer generates high-context, concise incident reports, reducing noise and improving clarity for both technical teams and executives.

: Powered by NVIDIA NIM, this layer generates high-context, concise incident reports, reducing noise and improving clarity for both technical teams and executives. Custom dashboards : Grafana integrations provide real-time visualizations tailored to SREs and executives, facilitating rapid decision-making and efficient incident response.

: Grafana integrations provide real-time visualizations tailored to SREs and executives, facilitating rapid decision-making and efficient incident response. Scalable architecture: Built on a modular microservices framework with REST-based communication, ITMonitron ensures scalability and easy integration with new systems.

Inside ITMonitron: A scalable AI engine example

Real-Time LLM integration with NVIDIA NIM

Powered by NVIDIA NIM, this layer generates high-context, concise incident reports, reducing noise and improving clarity for both technical teams and executives. By default, we use the llama-3.1-nemotron-70b-instruct model for its balance of accuracy and performance in production workloads.

To accommodate diverse use cases and provide flexibility, ITMonitron supports multiple top-tier models via the NIM interface. Users can dynamically select from a curated set, including:

This model-agnostic design allows us to benchmark summarization quality, adapt to evolving model performance, and ensure that incident narratives remain clear, accurate, and actionable across environments.

Example Summary (Generated by NVIDIA NIM):

“Service X is experiencing degraded performance due to DNS latency. Alerts triggered across Site-A and Site-B. User impact likely on the west coast. Root cause under investigation.”



Correlated Ongoing Changes:

Site A Internet circuit migration and upgrade (CHG001) may be related to the Pan-FW down issue in Site A, although direct correlation is not explicitly confirmed.

Faulty secondary firewall replacement (CHG002) could potentially be linked to firewall-related alerts.

These concise, actionable summaries enable stakeholders to make decisions without wading through verbose alert streams or fragmented dashboards.

Smart outage validation service

Building on top of the ITMonitron platform, we recently developed an outage validation service that solves a deceptively difficult problem:

“Is this user-reported issue part of a broader outage?”

There are possible AI capabilities to approach the problem of validating user-reported issues against live infrastructure signals.

Two prominent options today include:

Function calling where the LLM parses the user’s query, identifies which function or tool to invoke (e.g., checkDatadogMetrics, queryIncidentDB, etc.), extracts the right parameters, and orchestrates a response.

Agentic AI where the LLM acts as an autonomous agent, possibly with memory, reasoning over multiple tools and steps, deciding dynamically how to validate the outage with reasoning chains, tool-chaining, and more.

While these methods are powerful and well-suited for complex workflows, we believe both are over-engineered for the narrow, well-bounded task of outage validation.

Why not Agentic AI?

Agentic systems offer flexibility, but come with significant trade-offs:

They’re slower due to multi-step reasoning. They’re harder to monitor and debug in production. They tend to hallucinate actions, especially when operating across ambiguous or weakly structured monitoring data. Most importantly, the cognitive overhead of choosing the right tools and parameters from scratch every time makes them a poor fit for a latency-sensitive and high-accuracy use case like outage detection.

Why not function calling alone?

Function calling where the LLM selects a predefined function to run is more lightweight, but still assumes:

The model can accurately classify the issue type (app vs. network vs. identity vs. Wi-Fi, etc.). It can extract and normalize parameters from messy, natural language input. It knows which function to invoke even when the issue is vague or spans multiple layers. In practice, user queries are too open-ended or context-dependent. Something like: “I’m getting timeouts trying to log into VPN from a hotel Wi-Fi in Tokyo”

…could involve networking, authentication, service availability, or even local ISP issues. Getting the LLM to choose the right diagnostic tool without overfitting or failing silently is extremely hard and often brittle.

Our philosophy: Leverage LLMs where they truly shine

Instead of making the LLM the decision-maker and tool orchestrator, we flip the approach:

We pre-curate all relevant signals by continuously ingesting and flattening outage candidate data from our monitoring sources.

We generate a real-time, summarized view of notable issues across our environment (including services, infra layers, and ongoing maintenance).

We ask the LLM to only do one task: cross-check a natural language user query against the existing outage summary to determine if the issue is likely part of a larger known incident.

This approach significantly reduces the LLM’s cognitive load. With fewer degrees of freedom and a well-scoped prompt, the LLM can perform focused reasoning, leading to higher accuracy, fewer hallucinations, and more trustworthy responses.

Structured response format

To make the output of the outage validation service machine-readable and easily consumable across different systems, we ask the LLM to return responses in a strictly structured JSON format.

{ "is_outage": true | false, "confidence": "NoConfidence" | "LowConfidence" | "HighConfidence", "reasoning": "<natural language explanation>" }

This structure allows us to:

Expose the service as a REST API that can be integrated into a variety of downstream systems (e.g., Slack bots, incident response dashboards, ticketing systems). Ensure consistent programmatic handling of the validation results, regardless of the interface. Enable automated triaging and alerting based on structured outputs (e.g., auto-assigning tickets, notifying on-call responders if is_outage: true). Log and analyze responses over time to improve model behavior and track false positives/negatives systematically.

By avoiding unstructured natural language replies, we ensure that both humans and machines can benefit from the LLM’s reasoning while maintaining clean, deterministic APIs for automation.

Prompt design: Precision by constraint

At the core of our outage validation service is a carefully engineered prompt that guides the LLM to behave like a deterministic evaluator, not a conversational assistant.

The prompt positions the model as an expert in matching user-reported issues against real-time monitoring summaries. It’s explicitly instructed to make decisions strictly based on available monitoring data and not to infer or assume beyond what’s verifiably present.

Key design principles

Strict matching rules: The LLM is only allowed to confirm an outage when there is a direct, unambiguous match between the user’s issue and the outage summary. It must match service names, locations, and identifiers exactly to declare a high-confidence result.

Clear confidence thresholds: The prompt defines what qualifies as a HighConfidence vs LowConfidence decision. This helps downstream systems and humans interpret the model’s certainty in a structured, machine-actionable way.

Normalization logic: Since user queries are free-form, the model is instructed to perform basic normalization (removing spaces, handling case insensitivity, etc.) to handle slight variations in how users refer to services (e.g., “nv bot” vs. “nvbot”).

Supported service list: Each query is scoped using a dynamic list of supported applications, which is injected into the prompt at runtime. This ensures the model only evaluates what it has monitoring visibility into and gracefully declines to guess when something falls outside that scope.

Advanced usability via Slack Bot: Outage intelligence at your fingertips

The outage validation service is now live in our Slack-based outage bot, enabling seamless interaction for both users and on-call responders. Anyone can use:

/outage-validate is Service X down? /outage-validate having trouble connecting to wifi in Finland

The bot sends the query to our REST API, runs the LLM-based validation, and instantly replies to: The user who submitted the query or the on-call incident manager, if it detects a potential outage match. This real-time feedback loop increases user trust, reduces duplicate tickets, and empowers incident teams to respond faster and smarter.

Results and what’s next

We’ve built a lightweight feedback loop directly into the outage bot using thumbs-up/down reactions. After every validation response, users can vote on whether the answer was helpful. This feedback is invaluable as it allows us to:

Continuously refine our prompts for clarity and precision.

Experiment with multiple LLMs and LRMs in production.

Measure real-world accuracy, not just theoretical evaluation scores.

Figure 2. Example IT incident response from ITMonitron

In the alpha release, we’ve already received over 100 feedback responses, and so far, we’re seeing 93% positive feedback. This early signal indicates a strong alignment between what users expect and what the model returns. We’re currently using this feedback data to:

Identify weak spots (false negatives/positives)

Run A/B evaluations between model candidates

Adapt prompt strategy to maintain performance at scale

Learnings

Building ITMonitron was as much a learning journey as it was an engineering challenge. Here are some of the critical takeaways from our development process:

Alert noise reduction isn’t optional. It’s foundational.

Not all alerts are equal, and not every incident deserves attention. One of the most important learnings was that high-fidelity summarization starts with disciplined telemetry hygiene. Abstraction is power, but only with guardrails.

Normalizing data across disparate platforms is complex. Learning was that while aggressive abstraction improves ITMonitron’s API usability, it must be balanced with the need to expose source-specific details for advanced use cases. Prompt Engineering is real.

Executive summaries that drive decisions need more than just language fluency. They require structured context, domain-specific logic, and targeted prompting. None of which come “out of the box.” We learned that prompt engineering and contextual enrichment are critical skills for production LLM systems. Outage validation demands precise scope and constraints.

Successfully validating outages with LLMs requires tightly scoped prompts and well-defined matching rules to avoid hallucinations and false positives. Narrowing the LLM’s task to cross-checking user queries against curated outage summaries dramatically improves accuracy and reliability. Real-time user feedback loops improve model trust.

Incorporating user feedback directly into the outage validation bot helped rapidly identify edge cases, proving invaluable for continuous improvement and fostering user confidence in AI-driven validation.

Measuring what matters

To quantify ITMonitron’s impact, we continuously track these core metrics:

Dependency coverage: Ensuring 100% monitoring visibility across critical systems

Mean Time to Detect (MTTD): Targeting a 30% reduction in MTTD via intelligent correlation

Signal-to-Noise reduction ratio: Increasing monitoring-based detection through continuous tuning.

Looking ahead

As we look ahead, the goal is to not only reduce MTTR but to predict and prevent outages before they happen. ITMonitron represents our commitment to combining intelligent systems with operational excellence. Upcoming features include:

Confidence scoring for outage validation

Historical incident fusion to identify repeat patterns and precursors

Conclusion

Powered by NVIDIA NIM inference microservices, ITMonitron turns fragmented telemetry into clarity — delivering concise, actionable insights and giving SREs, incident managers, and executives a fast, unified view of system health. Additionally, with its intelligent outage validation service, ITMonitron helps quickly confirm whether user-reported issues are part of broader incidents, reducing noise and enabling faster, more accurate responses.If you’re facing alert fatigue, siloed data, or extended MTTR, these approaches may offer a path forward.

Acknowledgments

We want to extend our deepest gratitude to the IT leadership team for their continuous support. Special thanks to Nina Mushiana for her vision and dedication in ensuring that ITMonitron’s indicators and visualizations were not only crisp and on point but also provided a clear, actionable view for users. Without their support, this initiative wouldn’t have reached its full potential.

