
Billions of logs, one tiny snapshot

Find the one log that broke your production with full Root Cause Analysis from billions of noisy logs.

Detective

Demo

Source:
Total logs: 1,000,000
Clusters: 62
Anomalies: 2
Snapshot: May 11, 10:40
Health: Critical

Log Cluster Map (legend: Normal / Anomaly; axis: Vector Distance)

Cluster logs: Logs 1, Score 0.39, Service: unknown

Latest logs

info

DDL executed: DROP TABLE orders, database=prod-orders-db, user=deploy-bot@internal, rows_affected=1916750, initiated_by=deploy-script

AI Analysis

Claude / GPT-4o (cached)

System Health: Critical

Wake On-Call: Yes

Production orders database (prod-orders-db) had 1,916,750 rows deleted via DDL DROP TABLE executed by deploy-bot; likely catastrophic data loss

Summary

A catastrophic DDL event has been detected: `DROP TABLE orders` was executed on prod-orders-db by deploy-bot@internal, destroying approximately 1.9 million rows. This is corroborated by an anomalously low order confirmation rate (only 2 events vs. ~78K normal). S3 backups are confirmed present; immediate on-call response is required to halt the deploy-bot, assess the damage, and restore from backup.

Flagged Clusters (2)

Critical, cluster 1 · clickhouse / prod-orders-db

A DDL 'DROP TABLE orders' statement was executed against prod-orders-db by deploy-bot@internal via a deploy-script, affecting 1,916,750 rows. This appears to be an unintended or malicious table drop/truncation on the production orders database. Given the volume (nearly 2M rows), this likely represents complete or near-complete destruction of the live orders table. Immediate incident response is required: halt deploy-bot, verify backups (cluster 31 shows backups exist in S3), and initiate restore procedure.

High, cluster 0 · clickhouse / order-service

Only 2 CONFIRMED order status transitions were logged, anomalously low compared to the 78,386 status transitions in cluster 13. This sharp drop in order confirmations is consistent with the orders table having been deleted (cluster 1), as new writes/reads would fail or return empty after the DDL event.

Recommended Actions

1. IMMEDIATELY revoke deploy-bot@internal credentials and halt all deploy-script executions to prevent further destructive DDL operations
2. Identify the most recent successful backup from S3 (cluster 31 confirms backups to s3://backups/) and initiate point-in-time restore of prod-orders-db
3. Audit deploy-script source code and CI/CD pipeline to determine how a DROP TABLE DDL targeting prod was triggered; check for environment misconfiguration or compromised credentials
4. Verify application health: query prod-orders-db to assess actual table state (dropped vs truncated vs partially deleted) before restore to choose the correct recovery path
5. After restore, add DDL guardrails to prod-orders-db: revoke DROP/DELETE TABLE privileges from deploy-bot, require manual approval for destructive DDL via change management

model: claude-sonnet-4-6 · 40 clusters · 2 flagged · source: clickhouse · from cache
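The two signals the demo card combines (a destructive DDL statement against a production database, corroborated by a collapse in CONFIRMED order transitions) can be reproduced as plain detection logic. The following is an added example written for this page, not Rocketgraph's code or its clustering pipeline; the log lines are constructed in the demo's key=value style (the DROP TABLE line mirrors the one shown above, the rest are made up), and the "prod" name marker, the 1% confirmation-ratio threshold and the severity rules are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines in the demo's "key=value" style; not real telemetry.
SAMPLE_LOGS = [
    "info DDL executed: CREATE TABLE staging_orders, database=staging-orders-db, user=deploy-bot@internal, rows_affected=0, initiated_by=deploy-script",
    "info DDL executed: DROP TABLE tmp_import, database=staging-orders-db, user=deploy-bot@internal, rows_affected=120, initiated_by=deploy-script",
    "info order status transition: order_id=1001, from=PENDING, to=CONFIRMED, service=order-service",
    "info order status transition: order_id=1002, from=PENDING, to=CONFIRMED, service=order-service",
    "info DDL executed: DROP TABLE orders, database=prod-orders-db, user=deploy-bot@internal, rows_affected=1916750, initiated_by=deploy-script",
    "error order status transition failed: order_id=1003, from=PENDING, to=CONFIRMED, service=order-service, reason=table_missing",
]

DDL_RE = re.compile(r"DDL executed: (?P<verb>[A-Z]+) (?P<object>TABLE|DATABASE) (?P<name>[^,\s]+)")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")
DESTRUCTIVE_VERBS = {"DROP", "TRUNCATE"}
PROD_MARKER = "prod"  # assumption: production databases carry "prod" in their name


@dataclass
class Finding:
    severity: str   # "critical" or "high"
    title: str
    evidence: str


def parse_fields(line: str) -> dict:
    """Extract key=value pairs from a log line."""
    return dict(KV_RE.findall(line))


def destructive_ddl_findings(lines: List[str]) -> List[Finding]:
    """Flag DROP/TRUNCATE statements whose target database looks like production."""
    findings = []
    for line in lines:
        m = DDL_RE.search(line)
        if not m or m.group("verb") not in DESTRUCTIVE_VERBS:
            continue
        fields = parse_fields(line)
        database = fields.get("database", "")
        if PROD_MARKER not in database:
            continue  # destructive DDL on non-prod is routine; stay quiet
        rows = int(fields.get("rows_affected", "0"))
        title = (f"{m.group('verb')} {m.group('object')} {m.group('name')} on {database} "
                 f"by {fields.get('user', '?')} via {fields.get('initiated_by', '?')} ({rows:,} rows)")
        findings.append(Finding("critical", title, line))
    return findings


def confirmation_rate_drop(lines: List[str], baseline_confirmed: int,
                           min_ratio: float = 0.01) -> Optional[Finding]:
    """Compare successful CONFIRMED transitions in this window against a baseline count."""
    confirmed = sum(1 for l in lines
                    if "order status transition:" in l and "to=CONFIRMED" in l)
    ratio = confirmed / baseline_confirmed if baseline_confirmed else 1.0
    if ratio >= min_ratio:
        return None
    return Finding("high",
                   f"only {confirmed} CONFIRMED transitions vs baseline {baseline_confirmed:,}",
                   f"ratio={ratio:.6f}")


def triage(lines: List[str], baseline_confirmed: int) -> dict:
    """Combine both signals into a health verdict shaped like the demo card."""
    findings = destructive_ddl_findings(lines)
    drop = confirmation_rate_drop(lines, baseline_confirmed)
    if drop:
        findings.append(drop)
    critical = any(f.severity == "critical" for f in findings)
    health = "Critical" if critical else ("Degraded" if findings else "Healthy")
    return {"health": health, "wake_on_call": critical, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS, baseline_confirmed=78_386)
    print(result["health"], "wake on-call:", result["wake_on_call"])
    for f in result["findings"]:
        print(f"[{f.severity}] {f.title}")
```

The DDL rule stays quiet for the staging DROP so that routine non-production churn does not page anyone, while the rate rule only fires when the window's count collapses relative to a baseline you supply (here the 78,386 from cluster 13), which is the corroboration the demo's summary leans on.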

Supports 100+ telemetry datasources

Datadog
Loki
Sentry
New Relic
CloudWatch
ClickHouse
Slack
Railway

Full observability in one line

No agents to deploy, no config to write. Run a single command and your whole app is instrumented.


Don’t just collect logs. Understand them.

Rocketgraph learns from your telemetry patterns and alerts you when something goes wrong β€” across billions of events, in real time.


Say hello to Mission control

We use ML to condense billions of logs into small snapshots, so your LLMs can root cause from these snapshots instead of blowing up tokens.


The power of AI observability with the industrial-grade platform your business demands

Scalable infrastructure

  • ClickHouse DB with record limits in the hundreds of millions
  • Scale workflows to tens of thousands of users
  • Use self-hosted telemetry supporting complex ingestions (journald, kubernetes, bare metal, Datadog, Loki, and more)

Flexible administration

  • Admin roles, robust permissions, fine-grained RBAC
  • Fine-grained controls to enable AI
  • On-prem deployments and per-service isolation

Security and compliance

  • ISO, HIPAA, SOC 2
  • No customer data retained or used to train AI models
  • Pipelines run fully in customer’s VPC
  • Data loss prevention, audit logs
  • European and Australian data residency support

Simple pricing

Start free. No credit card. No YAML.

Free Trial

Try it out

$0 / 7 days

Full access for 7 days, no card required.

  • All Pro features included
  • Up to 50M logs
  • Slack bot
  • Auto-provisioned stack
  • No credit card needed
Most Popular

Pro

For growing teams

$50 / month

Everything you need to stop looking at logs.

  • Up to 50M logs/month
  • Slack conversational AI
  • Self-healing PR generation
  • Full observability stack
  • Webhook integrations
  • 30-day retention
  • Priority support

Enterprise

Large-scale deployments

Custom

On-prem, SLAs, and dedicated support.

  • Unlimited logs/month
  • Everything in Pro
  • Bring your own cloud
  • ML anomaly detection
  • Custom data retention
  • SSO & SAML
  • Dedicated Slack support
  • SLA guarantee
  • On-prem deployments

Stop firefighting, start building

Fast-moving teams use Rocketgraph every day. Join them.