DEVOPS
Attribute a Datadog cost spike to its owning service and PR, alert in Slack
When Datadog flags a cloud-cost anomaly, this workflow identifies the service tag driving the spend, finds the most recent merged PR that touched that service.
How it runs
The automated pipeline, trigger to output.
- TriggerDatadog cost-anomaly monitor webhookDatadog
- LogicParse offending tag and spike start time
- LogicDrop if dollar delta below threshold
- ActionFind merged PRs touching that service before the spikeGitHub
- LogicRank suspects by merge-time proximity
- OutputPost attributed alert to on-call Slack channelSlack
What it does
Turns a raw cost-anomaly alert into an actionable attribution. It reads the anomaly's offending dimension (usually a `service` or `team` tag), correlates the spend jump to a deploy window, finds the merged GitHub PR that shipped just before the spike, and posts a single Slack message naming the service, the dollar delta, and the suspect PR with author.
When to use it
Use it when your team gets paged for AWS/cloud cost anomalies but spends 20 minutes manually cross-referencing which deploy caused them. Best for teams that tag infra by service and merge frequently.
How it works
- 1Datadog fires a cost-anomaly monitor webhook into the workflow.
- 2The flow parses the alerting tag and the anomaly's start timestamp from the payload.
- 3A logic step checks whether the delta clears a dollar threshold; small blips are dropped.
- 4It queries GitHub for PRs merged into the default branch in the hours before the spike that touched paths owned by that service.
- 5It ranks candidates by merge-time proximity to the spike onset.
- 6A Slack message lands in the on-call channel with the service, cost delta, and the top suspect PR plus author handle.
Set it up
What you configure once, before turning it on.
- 1Connect DatadogMetrics, traces, log search.
- 2Connect GitHubRepos, issues, pull requests, actions.
- 3Connect SlackChannels, DMs, threads, mentions.
- 4Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 5Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 6Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More DevOps workflows
Slack-approved pause for idle Hugging Face Spaces
On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.
Block costly Hugging Face Space hardware upgrades in PR review
When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.
Hugging Face Spaces idle-runtime sweep with auto-pause
On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.
Open a Zoom war-room from a Datadog multi-alert storm
When a Datadog monitor crosses a critical threshold, this workflow dedupes against active incidents, and only for a genuinely new outage it creates a Zoom bridge.
Auto-spin a Zoom war-room when PagerDuty hits SEV-1
When a PagerDuty incident escalates to a critical severity, this workflow creates a dedicated Zoom meeting and posts the bridge link to the incident's Slack channel so responders…
Spin up a war-room on demand from a Slack slash command
When an engineer runs a Slack command, this workflow creates a Zoom bridge, opens a tracking Sentry-linked incident, files a Linear issue for follow-up.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.