Auto-attach log evidence to new Linear bug tickets
When a new bug ticket lands in Linear, we search your Elasticsearch logs for matching errors and post the evidence as the first comment.
Build me an agent workflow that automatically enriches new bug tickets in Linear with matching log evidence from Elasticsearch. This is the reactive twin to my existing scheduled spike-detection workflow: that one creates tickets from spikes, this one enriches tickets my team files by hand.
Trigger: a Linear webhook that fires when a new issue is created. The agent should only act when the issue carries a 'bug' label, OR when the words 'bug' or 'error' appear in the title or description. Anything else, exit early without commenting.
When the trigger fires, read the new issue and parse the body for signals it can search on: the error message text, any stack-trace fragments, the customer or tenant ID, the affected environment (prod, staging, etc.), and any time window the reporter mentioned. Hold onto whatever it finds; even partial signals are useful.
Next, run Elasticsearch's Search Documents (Query Index) operation against my engineering log indices, doing a few targeted searches: one for an exact error-message match, one filtered by the customer or tenant ID, one matching stack-trace n-grams, and one bounded by the time window the reporter gave. If no time window was mentioned, default to the last 24 hours. Combine the hits and dedupe by event signature so the evidence block isn't repetitive.
Synthesize a concise evidence block that includes: the matched error message, the total number of occurrences, the first-seen and last-seen timestamps, the services or environments involved, two or three truncated sample stack traces, and a couple of Kibana-style links built from my cluster's base URL so an engineer can jump straight into the logs. Format in Markdown and put the sample stack traces inside a Linear collapsible section ('+++ Sample stack traces' ... '+++') so the comment stays readable.
Post that evidence block back to the ticket using Linear's Add Comment to Issue operation.
If the occurrence count crosses a severe threshold (default: more than 100 hits in the last hour), also call Linear's Update Issue operation to set priority to Urgent (priority value 1). Make this threshold configurable.
If Elasticsearch returns zero hits across all queries, still post a short comment that says no matching logs were found in the window the agent searched, names the window explicitly, and suggests the reporter widen the time range or add more error context. Don't leave the ticket silent.
Let me configure: the Kibana base URL for the link builder, the engineering log index pattern (default to something like 'logs-*'), the severe-threshold count and lookback, and the default time window for searches with no reporter-provided time.
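An added sketch of the decision logic the prompt above describes (trigger filter, bounded searches, dedupe, Urgent threshold); it is not Geni's, Linear's or Elasticsearch's code. The field names `message`, `tenant.id` and `@timestamp`, the hit shape, the signature rule and the 512-character cap are assumptions.

```python
import re
from datetime import timedelta

BUG_WORDS = re.compile(r"\b(bug|error)\b", re.IGNORECASE)
# Constructed sample issue, not a real Linear payload.
SAMPLE_ISSUE = {"title": "Checkout error for tenant t-42", "description": "", "labels": []}

def should_enrich(issue):
    """Trigger rule: 'bug' label, or the word 'bug'/'error' in title or description."""
    labels = {name.lower() for name in issue.get("labels", [])}
    text = f"{issue.get('title', '')}\n{issue.get('description', '')}"
    return "bug" in labels or bool(BUG_WORDS.search(text))

def build_queries(signals, now, default_window=timedelta(hours=24)):
    """One bounded query body per signal. Ticket text is untrusted, so it is only
    a value inside match_phrase/term clauses, never parsed as a query_string."""
    start = signals.get("start") or now - default_window
    end = signals.get("end") or now
    window = {"range": {"@timestamp": {"gte": start.isoformat(), "lte": end.isoformat()}}}
    clauses = {}
    if signals.get("error_message"):  # field names below are assumptions
        clauses["error"] = {"match_phrase": {"message": signals["error_message"][:512]}}
    if signals.get("tenant_id"):
        clauses["tenant"] = {"term": {"tenant.id": signals["tenant_id"]}}
    return {name: {"size": 50, "query": {"bool": {"must": [c], "filter": [window]}}}
            for name, c in clauses.items()}

def dedupe(hits):
    """Group hits by signature (assumed: service + message with digits masked)."""
    groups, seen = {}, set()
    for h in hits:
        if h["id"] in seen:  # same document returned by two searches
            continue
        seen.add(h["id"])
        sig = (h["service"], re.sub(r"\d+", "N", h["message"]))
        g = groups.setdefault(sig, {"count": 0, "first": h["ts"], "last": h["ts"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], h["ts"]), max(g["last"], h["ts"])
    return groups

def is_severe(hits, now, threshold=100, lookback=timedelta(hours=1)):
    """True when more than `threshold` distinct hits fall inside the lookback."""
    recent = {h["id"] for h in hits if now - h["ts"] <= lookback}
    return len(recent) > threshold
```

Each returned body can be sent as the request body of an Elasticsearch search against the configured index pattern; an empty result from `dedupe` is the case where the workflow posts its "no matching logs" comment naming the window.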
Additional information
What does this prompt do?
- Watches Linear for new bug tickets and pulls the symptoms, error strings, customer or environment, and any time window from the report.
- Searches your engineering log indices in Elasticsearch for correlated events across the error message, customer or tenant, stack trace, and time window.
- Posts the first comment on the ticket with hit counts, first and last seen timestamps, affected services, sample stack traces, and one-click links into your log dashboard.
- Bumps priority to Urgent when matching errors are spiking, or leaves a friendly note suggesting a wider time range when nothing matches yet.
What do I need to use this?
- A Linear workspace you can connect with read and comment access.
- An Elasticsearch cluster reachable from the internet with a read-only API key.
- The base URL of your log dashboard if you want clickable links in the evidence block.
How can I customize it?
- Change which tickets count as a bug. The default is the 'bug' label, plus the words 'bug' or 'error' in the title or description.
- Adjust the default time window the agent searches when the reporter doesn't mention one. The default is the last 24 hours.
- Set your own severity threshold for when the agent should automatically bump priority to Urgent, or turn that auto-bump off entirely.
Frequently asked questions
Does this work if the reporter didn't include exact error text?
Will it touch tickets that aren't bugs?
Can it raise priority on its own?
What if Elasticsearch returns no results?
Will it spam comments if the ticket gets edited?
Stop hand-crafting log queries for every bug ticket.
Connect Linear and Elasticsearch once, and Geni attaches matching log evidence to every new bug ticket the moment it's filed.