Using Now Assist to identify major incident root cause based off change request activity
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yesterday
Our business objective is to automatically identify potential root causes for a major incident by analyzing historical change activity across related configuration items.
When a major incident occurs, we start with the CI on the incident record and retrieve all upstream and downstream related CIs from cmdb_rel_ci using a custom SubFlow that includes a GlideAggregate script to return a distinct set of parent/child CIs. For each of those CIs, the SubFlow then queries the change_request table for all changes within a specified time window.
We’ve implemented this logic as a custom Now Assist Skill that exposes the SubFlow as a Tool, with the intention that the LLM will evaluate the resulting change activity and determine the top five changes most likely to have contributed to the major incident.
Our challenge is how to structure the SubFlow’s output so the LLM can effectively consume it.
Our initial approach was to output a comma‑separated list of change numbers and use a Retriever tool based on that list, but the RAG component was unable to return the full details for all referenced change requests.
We are now considering several alternatives:
- Returning an array of structured change‑request objects directly from the SubFlow, so the LLM receives the complete dataset as part of the tool response.
- Performing the change‑related queries directly within the LLM prompt, instead of relying on a separate tool to supply the data.
- Splitting responsibilities across multiple AI Agents, with one agent handling data retrieval and another performing causal analysis.
We are looking for guidance or best practices from anyone who has solved similar challenges with Now Assist tools and LLM-ready data structures.
