- Posted on
- • Artificial Intelligence
Artificial Intelligence SRE Workflows
- Author
-
-
- User
- linuxbash
- Posts by this author
- Posts by this author
-
AI-Powered SRE Workflows from the Bash Prompt
If you’ve ever stared at a sea of logs at 2 a.m., hopping across dashboards while a pager screams, you know the real bottleneck in incident response isn’t data—it’s time-to-insight. This post shows how to fold Artificial Intelligence directly into your Linux Bash workflows, compressing noise into decisions without leaving the terminal you already trust.
We’ll cover why AI belongs in SRE, four practical workflows you can adopt today, and the minimal setup needed. Everything runs from Bash with simple pipes and curl, so you can pilot it in minutes.
Why AI in SRE (and why now)
Signal compression: LLMs excel at summarizing logs and proposing next steps—exactly what you need in the first 15 minutes of an incident.
Fits the CLI: You don’t need a new UI or dashboard. Stream logs, metrics, YAML, or timelines straight to AI via pipes.
Repeatable and auditable: Prompts and responses live in your shell history or repo; you can diff, review, and iterate like code.
Human-in-the-loop: AI augments judgment; it doesn’t replace it. Use it to draft summaries, runbooks, and remediations faster—and then decide.
Prerequisites: one-time install
These tools are commonly available on most distros. Pick the block for your package manager.
- Debian/Ubuntu (apt):
sudo apt update
sudo apt install -y curl jq ripgrep git
- Fedora/RHEL/CentOS (dnf):
sudo dnf install -y curl jq ripgrep git
- openSUSE (zypper):
sudo zypper refresh
sudo zypper install -y curl jq ripgrep git
You’ll also need an LLM endpoint. The examples below use the OpenAI Chat Completions API via curl for simplicity, but you can adapt the function to any compatible provider.
Set your API key:
export OPENAI_API_KEY="sk-..."
Optional environment knobs:
export AI_MODEL="gpt-4o-mini" # default model used in examples
export AI_TEMPERATURE="0" # safer, deterministic answers
export AI_MAX_TOKENS="512" # response length cap
Drop-in: a tiny Bash “ai” helper
Add this to your shell profile or ai.sh and source it. It reads context from stdin and a prompt from the first argument, then prints the model’s answer.
ai() {
local model="${AI_MODEL:-gpt-4o-mini}"
local temperature="${AI_TEMPERATURE:-0}"
local max_tokens="${AI_MAX_TOKENS:-512}"
if [ -z "$OPENAI_API_KEY" ]; then
echo "OPENAI_API_KEY is not set." >&2
return 1
fi
local prompt="$1"; shift || true
local context
context="$(cat)"
jq -n \
--arg model "$model" \
--arg temp "$temperature" \
--arg max_tokens "$max_tokens" \
--arg prompt "$prompt" \
--arg context "$context" \
'{
model: $model,
temperature: ($temp|tonumber),
max_tokens: ($max_tokens|tonumber),
messages: [
{role: "system", content: "You are a Linux SRE assistant. Provide concise, step-by-step, safe guidance. Prefer idempotent commands. Never propose destructive actions without explicit warnings."},
{role: "user", content: ($prompt + "\n\nContext:\n" + $context)}
]
}' | \
curl -sS https://api.openai.com/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $OPENAI_API_KEY" \
-d @- | jq -r '.choices[0].message.content'
}
Optional: a tiny redactor for secrets before sending context:
mask_secrets() {
sed -E 's/(pass(word)?|token|secret|apikey|auth)=\S+/\1=REDACTED/gi'
}
Usage example:
journalctl -u myapp --since -15m | mask_secrets | ai "Summarize likely root cause and list the next 3 safe diagnostic steps."
1) Lightning triage: turn raw logs into next steps
Problem: Incidents start with too much text and not enough direction.
Approach: Pipe the last chunk of logs into ai with a clear ask: probable cause, confidence, and the top three diagnostics.
Example:
journalctl -u payments.service --since -15m \
| rg -v "healthcheck|liveness" \
| tail -n 800 \
| ai "From these logs, infer the most likely root cause. Provide:
- 1-sentence summary
- Top 3 next diagnostic commands (safe/idempotent)
- Any obvious rollback or traffic-routing suggestions."
What you’ll get: a concise summary and a short, actionable checklist that your on-call can copy/paste. Use it to direct the first 10 minutes of response rather than guess.
Tips:
Filter noise first (e.g., health checks) with
rg -v.Keep context tight (last 500–1,000 lines) for faster, cheaper results.
Ask for commands to be safe and idempotent.
2) AI-aware runbooks that adapt to the host
Problem: Stale static runbooks don’t match today’s host state.
Approach: Gather live context (OS/kernels, disk/mem, top offenders, ports), then ask the AI to tailor a minimal, reversible plan.
Collector + runbook draft:
(
echo "# Host context"
echo "Hostname: $(hostname)"
echo "Uname: $(uname -a)"
echo "Uptime: $(uptime -p)"
echo; echo "Disk usage:"; df -h
echo; echo "Memory:"; free -m
echo; echo "Top CPU:"; ps -eo pcpu,pid,comm --sort=-pcpu | head -n 10
echo; echo "Top MEM:"; ps -eo pmem,pid,comm --sort=-pmem | head -n 10
echo; echo "Open TCP:"; ss -lntp | head -n 50
) | mask_secrets | ai "Given this host context, propose a minimal, idempotent runbook to diagnose high 5xx errors in nginx.
Output sections: Hypotheses, Verifications (commands), Low-risk Mitigations, Rollback."
What you’ll get: a focused checklist that fits your host’s reality, not a generic wiki page.
3) Automatic postmortem timeline from raw events
Problem: Writing timelines steals hours after an incident.
Approach: Harvest recent events from system logs and app logs, then ask AI to normalize into a Markdown postmortem with Impact, Timeline, and Follow-ups.
Example (adjust paths/services to taste):
{
echo "=== journalctl (last 60m) ==="
journalctl --since -60m -p 3..7 -o short-iso | tail -n 1000
echo
echo "=== nginx error.log (last 60m) ==="
awk -v d="$(date -u -d '60 minutes ago' '+%Y/%m/%d %H:%M:%S')" \
'$0 >= d' /var/log/nginx/error.log 2>/dev/null | tail -n 1000
} | mask_secrets | ai "Create a concise post-incident report in Markdown with sections:
- Summary (what, impact, duration)
- Root Cause (most plausible, with caveats)
- Timeline (UTC, deduplicated, 10–20 key points)
- Immediate Remediation
- Preventative Actions (ranked)
Cite log lines minimally where needed."
What you’ll get: a first draft that a human can quickly edit rather than author from scratch.
4) Explain and tune alert rules before they page
Problem: Noisy alerts hide real incidents.
Approach: Feed your alert rule YAML (e.g., Prometheus) to the model and ask it to explain the logic in plain language, then suggest safer thresholds or rate-limits.
Example:
cat rules/alerts/latency.yml \
| ai "Explain these alert rules to a new on-call in plain English.
Identify high-churn alerts and propose safer thresholds or for/how modifiers, with rationale.
Output a diff-like suggestion block we can review."
What you’ll get: a readable explanation and concrete tuning ideas you can review with the team.
Real-world usage notes and guardrails
Redact first: Use
mask_secretsor custom filters to scrub tokens, emails, and PII before sending logs.Keep humans in control: Treat AI output as a draft. Don’t auto-execute returned commands.
Constrain output: Use
AI_TEMPERATURE=0andAI_MAX_TOKENS=512for crisp, focused responses.Be explicit: Tell the model what format you want (bullets, sections, diffs) and what to avoid (destructive commands).
Log the prompts: Pipe AI inputs/outputs to files in incidents to improve your prompts over time.
Troubleshooting
401/403 errors: Check
OPENAI_API_KEYand network egress.429 rate limits: Reduce frequency, shrink context, or backoff/retry.
Bad JSON or garbled responses: Validate inputs; keep logs under a few thousand lines per call.
Privacy/compliance: If cloud egress is not allowed, adapt the function to a self-hosted or on-prem model/API with similar JSON.
Conclusion and next step
AI won’t fix your infra, but it can dramatically shorten the path from “too much data” to “good first decision.” Start small:
1) Install curl, jq, ripgrep.
2) Add the ai function to your shell.
3) Pilot one workflow at your next incident (log triage or timeline).
4) Iterate on prompts and redaction as you learn.
If this helped, turn these snippets into a shared ai.sh in your team’s dotfiles or SRE toolkit, and make “AI from the Bash prompt” a standard part of your on-call playbook.