This skill helps investigate data incidents — freshness delays, volume anomalies, schema changes, field metric drift, and ETL failures — by guiding the agent through a systematic investigation using Monte Carlo's MCP tools. It combines observability metadata with optional direct data querying to find the root cause.
Monte Carlo tool routing (required): Always call Monte Carlo MCP tools through this plugin's bundled server, whose fully-qualified tool names are
mcp__plugin_mc-agent-toolkit_monte-carlo-mcp__<tool>(e.g.mcp__plugin_mc-agent-toolkit_monte-carlo-mcp__get_alerts). Bare tool names used in this skill (get_alerts,search,get_table, …) refer to that bundled server. If the session also has a separately-configuredmonte-carlo-mcpserver, do not route to it — it may point at a different endpoint or credentials.
Reference files live next to this skill file. Use the Read tool (not MCP resources) to access them:
references/<type>-investigation.md
references/data-exploration.md
references/intake-no-incident.md
references/common-root-causes.md
Activate when the user:
Do not activate when the user is:
Required: Monte Carlo MCP server (integrations.getmontecarlo.com/mcp) must be configured and authenticated.
Optional but recommended:
| Tool | Purpose |
|---|---|
get_alerts |
Fetch incident/alert details |
search |
Find tables by name or keyword |
get_table |
Table metadata and fields |
get_asset_lineage |
Table-level upstream/downstream lineage |
get_field_lineage |
Field-level lineage (trace bad data to source column) |
get_table_freshness |
Table update/freshness history |
get_table_size_history |
Row count and size history |
get_queries_for_table |
Read/write query history |
get_query_changes |
Detect SQL text modifications |
get_query_rca |
Root cause analysis for failed/futile/missed queries |
get_etl_issues |
ETL pipeline issues — pass platform ("airflow", "dbt", or "databricks") |
get_etl_jobs |
Find ETL jobs that write to specific tables — pass platform param |
get_github_prs |
Recent GitHub PRs from the account's MC GitHub integration |
get_jobs_performance |
Job runtime stats, failure rates, 7-day trends |
get_change_timeline |
Unified timeline: query changes + volume + ETL failures |
get_current_time |
Current timestamp for relative time ranges |
alert_assessment |
Optional ~2-min triage of an incident — returns HIGH/MEDIUM/LOW confidence and impact. Useful when you want a quick read before deciding to escalate to TSA. |
run_troubleshooting_agent |
Starts the Troubleshooting Agent (TSA) on an incident. Async by default; idempotent (returns existing results unless force_rerun=True). Auto-invoked at Step 1.5 when an incident UUID is present. |
get_troubleshooting_agent_results |
Polls TSA results for an incident (status is not_found / running / success / failed). Use to check on the async run started at Step 1.5. |
Credits:
alert_assessmentandrun_troubleshooting_agentconsume Monte Carlo credits the same way the Troubleshooting Agent does when launched from the Monte Carlo UI. Each freshrun_troubleshooting_agentcall is a billable run; reuse via the built-in idempotency (don't passforce_rerun=Trueunless the user explicitly asks for a fresh analysis).
| Tool | Purpose |
|---|---|
| Database MCP (Snowflake, BigQuery, etc.) | Run SQL queries for data profiling |
| GitHub MCP | Search for recent PRs (alternative to MC's get_github_prs — useful if the account has no MC GitHub integration) |
If the user provides an alert or incident ID:
get_alerts with the alert ID to fetch details.If the user describes a problem WITHOUT an incident ID:
Read references/intake-no-incident.md for the full intake flow. In short:
search(query="table_name")
get_alerts with a recent time rangeget_table_freshness, get_table_size_history
When intake produces a Monte Carlo incident UUID, kick off the Troubleshooting Agent (TSA) before continuing to Step 2. TSA runs the same root-cause analysis the Monte Carlo UI uses; running it here in parallel with the manual investigation usually beats running either path alone.
Skip TSA when any of these is true:
run_troubleshooting_agent requires a UUID. The no-incident intake path (references/intake-no-incident.md) does not feed TSA. If that path later identifies a matching alert, return to Step 1 with the alert's incident UUID — Step 1.5 then applies normally.analytics.orders stale right now?", "what's the row count of X?", "show me the schema of Y", "did this query run today?". Answer the question with the relevant tool and stop. TSA is overkill for these.Default invocation (async, parallel):
run_troubleshooting_agent(incident_id="<uuid>", async_mode=True)
force_rerun=True unless the user explicitly asks for a fresh analysis (each fresh run is a billable Monte Carlo credit consumption).success on the first call, you have results — fold them straight into Step 7's synthesis and continue Steps 2–6 to corroborate.queued or running, continue to Step 2 immediately. TSA typically completes in 4–8 minutes; you'll poll for results via get_troubleshooting_agent_results later in the flow (see Step 4 and Step 7).failed, note the error and continue with the manual investigation only — do not re-run automatically.Tell the user what you started: "I've kicked off the Troubleshooting Agent on this incident — it usually finishes in 4–8 minutes. While it runs, I'll continue investigating manually so we have findings either way."
TSA in parallel: if you started TSA at Step 1.5, it is running in the background while you do this step. Do not block on it.
get_asset_lineage(mcons=[table_mcon], direction="UPSTREAM") — what feeds this table?get_asset_lineage(mcons=[table_mcon], direction="DOWNSTREAM") — what does this table feed?get_field_lineage to trace which upstream fields feed the affected columns.Report to the user: "This table is fed by X upstream sources and feeds Y downstream consumers. Here's what could be impacted."
Ask for direction: Before diving deeper, ask the user what they'd like to investigate first. They may already have a hunch ("I think it's the Airflow job" or "check if someone changed the SQL"). Follow their lead — don't run all investigation paths blindly. If they have no preference, proceed with the most likely path based on the issue type.
Read the appropriate reference file and follow its investigation playbook:
| Issue Type | Reference |
|---|---|
| Table not updating on schedule | references/freshness-investigation.md |
| Unexpected row count changes | references/volume-investigation.md |
| Columns added, removed, or type-changed | references/schema-investigation.md |
| Airflow/dbt/Databricks pipeline failures | references/etl-failure-investigation.md |
| SQL modifications causing data changes | references/query-change-investigation.md |
| Field-level metric drift (null rate, mean, etc.) | references/field-anomaly-investigation.md |
Data issues often originate upstream. Walk the lineage chain:
get_table_freshness — is the upstream table also stale?get_table_size_history — did the upstream table's volume change?get_etl_issues with the relevant platform
get_field_lineage to trace the specific field that has bad data back to its source.TSA poll #1. If you started TSA at Step 1.5 and it has not yet returned success, call get_troubleshooting_agent_results(incident_id=...) once here (~30s after Step 1.5). If status is success, hold the result for Step 7. If still running, keep going — you'll poll again before Step 7. Don't block on it.
If the user has a database MCP server connected (Snowflake, BigQuery, Redshift, Databricks, etc.), read references/data-exploration.md for SQL investigation patterns including:
If no database MCP is available: Tell the user: "I can't query the warehouse directly — for deeper data investigation, connect a database MCP server. I can still analyze using Monte Carlo's metadata and the tools available." Continue the investigation with MC tools only.
Call get_github_prs with a time range around when the issue started to find recent PRs from the account's Monte Carlo GitHub integration. Look for PRs that modified dbt models, SQL files, or pipeline configs affecting the impacted table.
If the account has no GitHub integration (tool returns empty), or the user has a local GitHub MCP server they prefer, use that instead.
Also call get_query_changes with the affected table MCONs to detect SQL text modifications, and get_change_timeline for a unified view of all changes (query modifications + volume shifts + ETL failures) in one call.
TSA poll #2. If you started TSA at Step 1.5 and don't yet have results, call get_troubleshooting_agent_results(incident_id=...) one more time (~60–90s after poll #1). Stop on success or failed; if still running after this poll, present the manual findings now and tell the user TSA is still working ("TSA is still running on this incident — I'll fold its findings in once it completes if you'd like, or you can ask me to check back in a minute").
Read references/common-root-causes.md to match findings against known patterns. Present:
Merging TSA findings:
get_table_freshness on that table is healthy"). Ask the user which thread they want to pull on.get_change_timeline for this.run_troubleshooting_agent requires one. If intake is on the no-incident path, skip TSA entirely until/unless an alert is identified.run_troubleshooting_agent or alert_assessment — proceed with the manual investigation only.