Grafana Cloud

Sift investigations

Sift is a powerful diagnostic assistant powered by Grafana Machine Learning that performs investigations on your infrastructure telemetry, helping you identify critical details during incidents.

Sift investigations can significantly enhance your incident resolution process within Grafana Incident. Use Sift to get valuable suggestions while working to resolve an active incident.

For more information about how Sift works and what checks are performed, refer to the Sift Machine Learning documentation.

Start a Sift investigation


Sift investigations are currently focused on Kubernetes-centered stacks, and require a cluster and namespace to perform checks. Future versions will support any monitoring environment; let us know what you’d like to see in our grafana/incident-community repo.

There are currently two main ways to leverage Sift’s capabilities in Grafana Incident:

  • Manually run a Sift investigation from an incident
  • Add a dashboard to the incident timeline

Run a Sift investigation


When a Sift investigation is triggered from within an incident, the Timerange is automatically set to the incident start time through the time the investigation is triggered.

To initiate a Sift investigation tailored to the incident, follow these steps:

  1. Navigate to Suggestions in the right sidebar of the incident timeline.
  2. Click Start Sift investigation.
  3. Add the cluster and namespace then click Start investigation.

Add dashboards to the incident timeline

When linking dashboards to an incident timeline, ensure they include cluster/namespace references. Sift extracts these references and uses them for relevant investigations tied to the incident.

Manage Sift suggestions

Once your Sift checks are complete, the results are available in the right sidebar of the Incident timeline under Suggestions.

View Sift suggestions

When a Sift check identifies relevant results, clickable links appear in the right sidebar under Suggestions.

To review detailed insights about a specific Sift check, click the view details icon on the relevant suggestion to explore the results.

Add suggestions to the timeline

You can directly incorporate important Sift suggestions into the main timeline. This helps provide context and valuable information to other stakeholders and responders.

To add a suggestion to the timeline, click the + icon next to the relevant suggestion.

Delete suggestions

If a Sift suggestion is deemed irrelevant to the incident or resolution process, you can remove it from the suggestions list.

Click the trash can next to a suggestion to remove it from the list.