🧰 Who is this useful for?
A Network Operations Center (NOC) Engineer tired of manually piecing together event timelines.
A Network Engineer or Infrastructure Architect responsible for network stability and writing Post-Incident Reports (PIRs).
An IT Manager looking for ways to improve your team's Mean Time to Resolution (MTTR) and reporting accuracy.
Any network professional who believes there has to be a better way than `grep`-ing through thousands of log lines under extreme pressure.
✏️ The Situation: The CISO's Reporting Dilemma
Let's set the scene. It's 2am on a Tuesday. Your phone buzzes with an alert: `CRITICAL - Primary WAN Circuit Down`. You stumble to your desk, log in, and the chaos begins.
Your immediate challenges are immense and overlapping:
Information Overload: You have four SSH windows open: one for each of the two core BGP routers, one for the primary firewall, and one for a DNS server. Each is spewing a constant stream of data.
Time Pressure: Every second of downtime costs money and reputation. A manager is already asking for updates in a Slack channel, and you've barely had time to run `show ip interface brief`.
Cognitive Burden: You're trying to hold a mental map of the network topology, remember the sequence of BGP state changes, and correlate a `log-neighbor-changes` message on Router 1 with a policy drop on the firewall, all while fueled by adrenaline and lukewarm coffee.
The Aftermath: You know that even after you fix the problem, you'll have to spend hours the next day painstakingly writing a PIR, justifying your actions, and outlining preventative measures.
This manual, high-stress process is inefficient, extremely fun 😒, and a significant source of burnout.
🤖 The AI Prompt
The transformation begins when we stop seeing this as a manual analysis problem and start seeing it as a data synthesis problem. We can offload the heavy cognitive work of correlation and report generation to an AI, allowing us to focus on verification and action.
Here is the prompt:
Act as an expert Senior Network Engineer with 20 years of experience specializing in root cause analysis for large-scale enterprise networks. Your area of expertise includes BGP, OSPF, and firewall policy troubleshooting.
I will provide you with data related to a recent network incident. This data includes router syslogs, BGP neighbor status outputs, and a brief description of the network topology.
Your task is to analyze all the provided data and generate a detailed Post-Incident Report (PIR).
The PIR must be structured with the following sections:
- **1. Executive Summary:** A one-paragraph, non-technical summary for leadership.
- **2. Detailed Timeline of Events:** A timestamped, chronological sequence of events based on the logs.
- **3. Root Cause Analysis (RCA):** Your technical analysis of what caused the incident, referencing specific log entries or data points.
- **4. Resolution Steps:** The actions taken to resolve the incident.
- **5. Recommendations:** Actionable recommendations to prevent this issue from recurring.
The tone should be professional, technical, and objective.
Here is the data:
**Network Topology Description:**
[BRIEFLY DESCRIBE THE NETWORK, E.G., "Two core routers (R1, R2) connected to two separate ISPs (ISP-A, ISP-B) via BGP. A primary firewall (FW1) sits behind the core routers."]
**Initial Symptoms Reported:**
[DESCRIBE THE PROBLEM, E.G., "At approximately 02:15, monitoring alerted that external connectivity to our public web servers was lost."]
**Router R1 Logs & Output:**
[PASTE LOGS AND 'SHOW' COMMAND OUTPUT FROM ROUTER R1]
**Router R2 Logs & Output:**
[PASTE LOGS AND 'SHOW' COMMAND OUTPUT FROM ROUTER R2]
**Firewall FW1 Logs:**
[PASTE RELEVANT FIREWALL LOGS]
⚙️ Prompt Engineering Deep-Dive: The R.C.T.F.T. Framework
This prompt works so well because it follows a structured framework. Let's break it down:
Role:
Act as an expert Senior Network Engineer with 20 years of experience...
Why it works: This immediately puts the AI in the correct mindset. It won't give you generic answers; it will draw on patterns and information related to network protocols, troubleshooting methodologies, and industry best practices. Specifying `BGP, OSPF, and firewall policy` focuses its expertise even further.
Context:
I will provide you with... router syslogs, BGP neighbor status outputs...
Why it works: This section sets the stage and tells the AI what kind of data it's about to receive. By providing the network topology, initial symptoms, and labeled logs from specific devices, you are giving it the ground truth. High-quality, organized context is the single most important factor for getting an accurate, high-quality output.
Task:
...analyze all the provided data and generate a detailed Post-Incident Report (PIR).
Why it works: The task is specific, actionable, and unambiguous. We aren't asking it to "look at the logs." We are asking it to perform a specific professional duty: generate a PIR.
Format:
The PIR must be structured with the following sections: Executive Summary, Detailed Timeline...
Why it works: This is critical for usability. Without a format constraint, the AI might give you a wall of text. By defining the exact headers, you force the output into a clean, professional, and predictable document structure that is immediately useful.
Tone:
The tone should be professional, technical, and objective.
Why it works: This ensures the output is ready for a business context. It prevents the AI from being overly conversational or using inappropriate, informal language.
`Objective` is key for incident reports, as it instructs the AI to stick to the facts presented in the logs.
👣 Step-by-Step Implementation
Step 1: Gather Necessary Inputs
Log into your routers and firewalls.
Run your standard diagnostic commands. A good starting point is `show log | i %`, `show ip bgp summary`, and `show ip route [problem_IP]`.
Copy the output from the terminal. Be sure to grab the logs from the time period immediately before, during, and after the incident.
Step 2: Fill in the Placeholders Strategically
Open a text editor and paste the prompt template.
Write a one-sentence topology description. It doesn't need to be exhaustive.
Paste your raw logs under clear headings like `--- START R1 LOGS ---` and `--- END R1 LOGS ---`. This helps the AI differentiate between data sources.
Step 3: Analyze the Raw AI Output
Paste the entire completed text into your AI tool (like Gemini Advanced or Claude).
The AI will generate the report. Your first job is to verify. The AI is your co-pilot, not the pilot. Read through the timeline it created. Does it match the log timestamps? Read the RCA. Did it correctly identify that `BGP-5-ADJCHANGE: neighbor 198.51.100.1 Down: Peer closed the session` was the initiating event? The raw output is your 90% solution. Your expertise is required for the last 10%: to catch any subtle misinterpretations and add crucial business context.
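As an added Python example (not code from the original post), here is the kind of ground-truth check Step 3 calls for: parse the raw IOS syslog from each device into one cross-device timeline, then test the AI's claimed timestamps against it. The two syslog snippets, the device names R1/R2 and the year 2025 (IOS syslog lines carry no year) are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample output from two core routers (not from the original page).
R1_LOGS = """\
*Jun 17 02:14:52.101: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
*Jun 17 02:14:53.207: %BGP-5-ADJCHANGE: neighbor 198.51.100.1 Down: Peer closed the session
R1#show ip bgp summary
*Jun 17 02:17:40.055: %BGP-5-ADJCHANGE: neighbor 198.51.100.1 Up
"""
R2_LOGS = "*Jun 17 02:14:55.390: %BGP-5-ADJCHANGE: neighbor 203.0.113.9 Down: BGP Notification sent\n"

# IOS syslog line: optional '*', "Mon DD HH:MM:SS[.mmm]:", then %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)

def parse_timeline(device, text, year=2025):
    """One device's raw output -> (timestamp, device, mnemonic, text); non-event lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts and 'show' output are not timestamped events
        fmt = "%Y %b %d %H:%M:%S.%f" if "." in m["ts"] else "%Y %b %d %H:%M:%S"
        ts = datetime.strptime(f"{year} {m['ts']}", fmt)
        events.append((ts, device, m["msg"], m["text"]))
    return events

def merged_timeline(*device_logs):
    """Merge per-device event lists into one chronological, cross-device timeline."""
    events = []
    for device, text in device_logs:
        events.extend(parse_timeline(device, text))
    return sorted(events)

def initiating_event(timeline):
    """The earliest event across all devices: the first thing an RCA has to explain."""
    return timeline[0] if timeline else None

def check_claim(timeline, mnemonic, needle, claimed_iso, tolerance_s=1.0):
    """True if the AI's claimed time (ISO 8601) for an event matches the source log within tolerance."""
    claimed = datetime.fromisoformat(claimed_iso)
    for ts, _device, msg, text in timeline:
        if msg == mnemonic and needle in text:
            return abs((ts - claimed).total_seconds()) <= tolerance_s
    return False  # the event the report describes is not in the logs at all
```

In this constructed sample the earliest event is the link-down on R1, not the BGP adjacency change that follows it a second later, which is exactly the kind of initiating-event detail to confirm before accepting the RCA.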
📈 Results Analysis
After adopting this workflow, our team's performance metrics improved drastically.
The Final Product: We had a polished, professional PIR. The timeline was accurate, the RCA was technically sound, and the executive summary was clear enough for the CEO to understand.
Quantified Benefits:
Mean Time to Identify (MTTI): Reduced from an average of 45 minutes to 10 minutes. The AI's ability to see the whole picture at once was the key.
Report Generation Time: Reduced from 2+ hours to under 15 minutes (including human review and polish).
Engineer Satisfaction: A less measurable but critical metric. Engineers felt less burdened by administrative overhead and more empowered to focus on high-value preventative work.
🔀 Prompt Variations & Engineering Insights
This core prompt is a template. You can modify it for different scenarios:
Security Incident Analysis: Change the Role to `Expert Security Analyst`. Change the Context to include firewall logs, IDS/IPS alerts, and NetFlow data. The Task becomes generating a Security Incident Report.
Proactive Config Audit: Change the Task to:
Analyze the following Cisco IOS configuration and identify any deviations from CIS hardening benchmarks, potential single points of failure, or deprecated commands. Provide a table of findings and recommendations.
The Context would be a `show run` output.
Executive-Only Summary: If you need a quick update for leadership, shorten the prompt to only ask for the `Executive Summary` section.
💡 Pro-Tip: Few-Shot Prompting
To improve the AI's output for highly specific formats, "teach" it by giving it an example. Before the `Here is the data:` section, you can add:
To guide you, a good recommendation looks like this: "Recommendation: Implement BGP Bidirectional Forwarding Detection (BFD) with a 300ms interval to decrease convergence time from 180 seconds to less than 1 second."
By providing a concrete example (a "shot"), you show the AI the exact level of detail and style you want, leading to even better and more consistent results.
🧰 Building Your Prompt Toolkit
The real lesson here isn't just about this one prompt. It's about learning the framework to solve your own unique, repetitive problems.
Identify the Toil: What tasks do you do every week that involve analyzing structured text and producing a structured output? Writing change justifications? Summarizing RFCs? Generating firewall rule request forms?
Apply the R.C.T.F.T. Framework: For each task, define the Role, Context, Task, Format, and Tone.
Build a Library: Save these prompts in a personal or team repository (like a Notion page, a Git repo, or even a text file). This creates a powerful toolkit of specialized "AI scripts" that can save hundreds of hours.
🚩 Considerations & Limitations
SECURITY FIRST: NEVER paste sensitive production data into a public AI model. This includes public IP addresses, user information, credentials, or internal server names. Always sanitize and anonymize your logs, or use an enterprise-grade AI platform with a zero-data-retention policy.
AI Can Hallucinate: The AI is a powerful pattern-matcher, but it can be confidently wrong. Always verify its conclusions against the source logs. Treat its output as a well-researched first draft, not as gospel.
Garbage In, Garbage Out: The quality of your AI's analysis is 100% dependent on the quality of the data you provide. Incomplete logs or a poor topology description will lead to a flawed analysis.
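As an added Python example (not code from the original post), here is a log sanitizer for the first consideration above. It also shows the detail that makes sanitized logs still usable: each real value gets the same placeholder everywhere, so the AI can still correlate R1's BGP neighbor with a firewall entry, while the real-to-placeholder mapping stays on your machine. The sample log and config lines, the credential keywords and the token names are constructed assumptions, and the patterns are a starting point rather than a complete list of what your logs may contain.

```python
import re
import ipaddress

# Constructed sample: two R1 log lines plus a running-config fragment (not from the original page).
RAW = """\
*Jun 17 02:14:53.207: %BGP-5-ADJCHANGE: neighbor 198.51.100.1 Down: Peer closed the session
*Jun 17 02:16:02.440: %SYS-5-CONFIG_I: Configured from console by jsmith on vty0 (10.20.30.40)
hostname core-rtr-nyc-01
router bgp 65001
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 password 7 094F471A1A0A
username admin privilege 15 secret 5 $1$abcd$ABCDEFGHIJKLMNOPQRSTU/
snmp-server community s3cr3tRO RO
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Credential keywords: the keyword (and IOS encryption-type digit) is kept, the value is replaced.
SECRET_RE = re.compile(r"\b(password|secret|community|key-string)\b(\s+\d)?\s+\S+")
USER_RE = re.compile(r"\b(username|user|by)\s+(\S+)")

class LogSanitizer:
    """Replace public IPv4 addresses, credentials, usernames and hostnames with stable tokens
    (same real value, same token everywhere) so the AI can still correlate across devices."""
    def __init__(self, hostnames=(), keep_private=True):
        self.keep_private = keep_private
        self.ip_map, self.user_map = {}, {}
        self.host_map = {h: f"HOST-{i + 1}" for i, h in enumerate(hostnames)}

    def _ip(self, m):
        addr = m.group(0)
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # e.g. 300.1.2.3 looks like an address but is not one
            return addr
        if self.keep_private and any(ip in net for net in RFC1918):
            return addr     # RFC 1918 space is not routable; keep it for topology context
        return self.ip_map.setdefault(addr, f"IP-{len(self.ip_map) + 1}")

    def _user(self, m):
        token = self.user_map.setdefault(m.group(2), f"USER-{len(self.user_map) + 1}")
        return f"{m.group(1)} {token}"

    def sanitize(self, text):
        text = SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2) or ''} <REDACTED>", text)
        text = USER_RE.sub(self._user, text)
        for host, token in self.host_map.items():
            text = re.sub(re.escape(host), token, text)
        return IPV4_RE.sub(self._ip, text)
```

Keep `sanitizer.ip_map` and `sanitizer.user_map` locally: they are what you use to translate the AI's report back to real names for the final PIR.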
🏁 The Takeaway
AI is not here to replace network engineers. It's here to augment them. By mastering the skill of structured prompting, you can offload the tedious, time-consuming parts of your job—data correlation and report generation—freeing you up to focus on what humans do best: critical thinking, strategic design, and high-level problem-solving.
The practical solution is a prompt that automates your PIRs. The transferable skill is learning to talk to AI in a structured way (Role, Context, Task, Format, Tone) to build reliable, specialized tools for any challenge you face.
🧰 AI Tools
Primary Tool: Google Gemini (Advanced)
What it does: A powerful Large Language Model with a large context window.
Why it's useful: Its ability to handle long, complex inputs (like multiple log files) and its strong reasoning capabilities make it ideal for this kind of technical synthesis.
Pricing: A paid subscription is required for the Advanced model with the largest context window.
What it does: Advanced terminal emulators with robust logging and scripting features.
Why it's useful: You can configure these tools to automatically log all session output to a timestamped text file. This makes gathering the "Context" for your prompt as simple as copying the contents of a single file, rather than manually copying from multiple windows.
Specialized Alternative: Splunk Enterprise + Splunk AI Assist
What it does: A full-fledged security and observability platform for collecting and analyzing machine data at scale.
Why it's useful: For large organizations, this is the endgame. Splunk can ingest logs from thousands of devices in real time. The AI Assist feature uses SPL (Search Processing Language) to allow you to query your data using natural language, making complex correlation much simpler. It's a heavy-duty solution for a heavy-duty environment.
Pricing: Enterprise licensing, typically very expensive.
Free/Budget Option: Claude Sonnet
What it does: A capable LLM with a generous free tier context window.
Why it's useful: Claude is known for its strong performance with long documents and its adherence to instructions. It's an excellent free option for experimenting with this prompt using anonymized data.
Pricing: Offers a powerful free tier, with paid plans for higher usage.