Inspect the event-sourced audit trail the detection engine writes for every check. See Incident Forensics for the conceptual overview.
Every forensic row carries a checkId (the same one minted by the scheduler and stamped on check results) and a policySnapshotHashHex (a content-addressed SHA-256 of the policy that was active). Those two identifiers thread a single detection decision through the whole system.

Commands

| Command | Description |
| --- | --- |
| devhelm forensics timeline <incident-id> | Full timeline for an incident |
| devhelm forensics trace <check-id> | Everything recorded for a single check execution |
| devhelm forensics snapshot <hash-hex> | Fetch a policy snapshot by SHA-256 hash |
| devhelm forensics evaluations --monitor-id <uuid> | List rule evaluations for a monitor (paginated) |
| devhelm forensics transitions --monitor-id <uuid> | List state transitions for a monitor (paginated) |

forensics timeline

devhelm forensics timeline 5f4e…
Renders the incident’s state transitions, the rule evaluations that caused each triggering transition, and the active policy snapshot. Use --output json to pipe the full payload into jq.

forensics trace

devhelm forensics trace a1b2c3d4-…
Shows every evaluation and transition emitted for a single checkId. Useful when a webhook or support ticket references a specific execution ID.

forensics snapshot

devhelm forensics snapshot 5a1f9c2e…
Fetches the policy JSON that was active at evaluation time. Hashes are stable — an old transition always resolves back to the exact policy that fired it, even if the monitor has since been edited.

forensics evaluations

devhelm forensics evaluations --monitor-id 5f4e… --only-matched
devhelm forensics evaluations --monitor-id 5f4e… \
  --rule-type consecutive_failures --region us-east \
  --from 2026-04-01T00:00:00Z --to 2026-04-07T00:00:00Z

| Flag | Type | Description |
| --- | --- | --- |
| --monitor-id | uuid | Required. Monitor to query |
| --rule-type | string | Filter by rule type (e.g. consecutive_failures, response_time) |
| --region | string | Filter by probe region |
| --only-matched | boolean | Return only evaluations that fired (outputMatched = true) |
| --from | ISO-8601 | Lower bound (occurredAt >= from) |
| --to | ISO-8601 | Upper bound (occurredAt < to) |
| --page | integer | 0-based page index (default 0) |
| --size | integer | Page size (default 50) |

forensics transitions

devhelm forensics transitions --monitor-id 5f4e…
devhelm forensics transitions --monitor-id 5f4e… --from 2026-04-01T00:00:00Z
Same pagination flags as evaluations. Each row includes fromStatus → toStatus, reason, the checkId that caused it, and (when the transition was part of an incident lifecycle) the incidentId.

Output formats

All forensics commands accept --output table|json|yaml (default table). The rendered table is deliberately terse — for the full DTO use --output json and pipe to jq.
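
An added example, not part of the DevHelm documentation or CLI: it joins transitions to the evaluations that fired them on checkId and lists where policySnapshotHashHex changed between evaluations, which is the correlation those two identifiers make possible. It assumes --output json yields flat arrays of rows using the field names mentioned on this page (occurredAt on transition rows is also an assumption); the rows, status values and short hash strings are constructed.

```python
import json
from collections import defaultdict

# Constructed sample rows. Field names are the ones this page mentions; the
# flat JSON-array shape is an assumption about --output json, not documented.
EVALUATIONS = json.loads("""[
  {"checkId": "c-101", "outputMatched": false, "policySnapshotHashHex": "aa11", "occurredAt": "2026-04-01T10:00:00Z"},
  {"checkId": "c-102", "outputMatched": true,  "policySnapshotHashHex": "aa11", "occurredAt": "2026-04-01T10:01:00Z"},
  {"checkId": "c-103", "outputMatched": true,  "policySnapshotHashHex": "bb22", "occurredAt": "2026-04-01T10:02:00Z"}
]""")
TRANSITIONS = json.loads("""[
  {"checkId": "c-102", "fromStatus": "UP", "toStatus": "DOWN", "reason": "consecutive_failures", "occurredAt": "2026-04-01T10:01:00Z"},
  {"checkId": "c-104", "fromStatus": "DOWN", "toStatus": "UP", "reason": "recovered", "occurredAt": "2026-04-01T10:05:00Z"}
]""")

def correlate(evaluations, transitions):
    """Attach fired evaluations to each transition; explained=False if none were supplied."""
    fired = defaultdict(list)
    for ev in evaluations:
        if ev.get("outputMatched"):
            fired[ev["checkId"]].append(ev)
    out = []
    for tr in sorted(transitions, key=lambda t: t["occurredAt"]):
        evs = fired.get(tr["checkId"], [])
        out.append({
            "checkId": tr["checkId"],
            "change": f'{tr["fromStatus"]} -> {tr["toStatus"]}',
            "reason": tr.get("reason"),
            # Hashes to hand to `devhelm forensics snapshot <hash-hex>`.
            "policyHashes": sorted({e["policySnapshotHashHex"] for e in evs}),
            "explained": bool(evs),
        })
    return out

def policy_changes(evaluations):
    """Return (occurredAt, old_hash, new_hash) wherever the active policy changed."""
    changes, prev = [], None
    # Uniform UTC ISO-8601 strings sort chronologically as plain text.
    for ev in sorted(evaluations, key=lambda e: e["occurredAt"]):
        cur = ev["policySnapshotHashHex"]
        if prev is not None and cur != prev:
            changes.append((ev["occurredAt"], prev, cur))
        prev = cur
    return changes

if __name__ == "__main__":
    for row in correlate(EVALUATIONS, TRANSITIONS):
        print(row)
    print(policy_changes(EVALUATIONS))
```

A transition reported with explained=False only means no fired evaluation for that checkId was in the rows supplied; widen the --from/--to window or fetch further pages before drawing a conclusion.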

Next steps

Incident Forensics

Concepts, retention, and use cases for the forensic model.

Incidents CLI

Pair forensics timeline with incidents get for the full picture.