Intent-Driven Alert Generation for Network Operations Using Large Language Models

Alert generation in network operations is traditionally reactive — engineers create monitoring alerts after experiencing incidents, leaving systematic gaps in coverage. This paper proposes a proactive, intent-driven pipeline where the Network Intent Model (a declarative schema capturing network topology, protocols, and hardware platforms) is used as structured input to large language models (LLMs) to automatically generate comprehensive alert catalogs. The pipeline operates across three layers: design-aware alerts derived from network topology and tier structure, platform-aware alerts derived from vendor hardware and OS versions (demonstrated on Cisco Nexus 9300 running NX-OS 9.3.x), and protocol-aware alerts derived from running protocols including VXLAN, eBGP, and EVPN. A threshold selection framework addresses the critical problem of choosing numeric alert thresholds, progressing from manufacturer baselines through statistical baselining (3-sigma rule and percentile methods) to incident-driven calibration. Alert coverage analysis measures completeness by mapping generated alerts back to intent model elements, surfacing blind spots before they cause incidents. This paper is the second in a series on self-healing network operations. Related works: Ghosh (2026), A Declarative Network Intent Schema (https://doi.org/10.5281/zenodo.20552531) and Ghosh (2026), Network Health Score Framework (https://doi.org/10.5281/zenodo.20552168).