How to investigate an incident with metrics, logs, and distributed traces

Opening more dashboards does not guarantee progress. This is an operational sequence for confirming impact, scoping the affected population, correlating metrics, traces, and logs, formulating falsifiable hypotheses, and proving that recovery is real.

An alert reports that latency has increased. The service is still accepting traffic. The team opens five dashboards, searches for ERROR across several log indexes, and proposes restarting two components. No one has yet defined which operation, version, region, or dependency is affected.

This pattern is common because activity is easy to confuse with progress during an incident. Each engineer finds a different signal, every chart appears relevant, and every change seems capable of restoring the service. The risk is that the team changes several variables at once, destroys evidence, and temporarily reduces the symptom without understanding what produced it.

Effective investigation follows a different logic: metrics show the impact and delimit the affected population; traces identify where time is consumed or an error appears; logs provide event-level context; and diagnosis emerges when those signals are organized into a hypothesis that can be tested or disproved. OpenTelemetry defines metrics, traces, and logs as distinct signals, while context propagation makes it possible to correlate them across processes and services.

This article develops an operational method in seven movements:

  1. Confirm the impact.
  2. Scope the incident.
  3. Build a timeline.
  4. Correlate metrics, traces, and logs.
  5. Formulate a testable hypothesis.
  6. Mitigate and verify recovery.
  7. Convert the findings into concrete improvements.

This is not a guide to observability tools. It is a sequence for making decisions under pressure.

Before investigating: protect the operation

The immediate objective of incident response is not to produce a perfect explanation. It is to limit damage safely.

The order of priorities depends on the system, but it should usually consider:

  1. Safety of people and assets.
  2. Data integrity and confidentiality.
  3. Actual impact on users and critical processes.
  4. Containment of the failure.
  5. Operational communication.
  6. Preservation of enough evidence to continue diagnosis.

Google SRE distinguishes incident management from technical investigation: an explicit response structure coordinates actions, communication, and recovery without turning every participant into an investigator at the same time.

The operational decision can be summarized as follows:

When a low-risk, reversible mitigation can reduce severe impact, the team does not need to wait for a complete root-cause analysis before applying it.

The inverse, however, is not valid:

A mitigation that reduces impact does not prove that the root cause has been identified.

A restart can release memory, drain or recreate queues, rebuild connections, or remove a transient lock condition. The service may improve while the causal mechanism remains intact. If the team records “the restart solved the incident” as the root cause, it converts a temporal observation into an unproven explanation.

Initial decision: investigate, mitigate, or do both

ConditionDominant decisionPrecaution
High and growing impactMitigate firstChoose reversible actions and record every change
Risk of data corruptionContain writes or isolate the flowDo not prioritize availability over integrity without an explicit decision
Limited and stable impactInvestigate before changingPreserve a representative sample of the failure
Fragile or volatile evidenceCapture the minimum necessary evidenceDo not delay a critical mitigation indefinitely to collect more data
High-risk mitigationValidate the hypothesis and blast radiusPrepare rollback and abort criteria
Operational priority before deep diagnosis Decision flow that starts with an alert, confirms impact, evaluates risk, applies a reversible mitigation, and continues toward a testable hypothesis. Alert or report Confirmed impact? No: validate signal and population Critical risk or growing damage? decide contain or preserve Contain if damage grows; otherwise preserve evidence Continue investigation Testable hypothesis Controlled test or mitigation Verify recovery
Operational priority before deep diagnosis. Mitigation and investigation are not mutually exclusive phases. Risk determines the sequence: when damage is growing, contain it; when the system remains observable, preserve evidence before changing it.

Step 1: detect and confirm impact

An alert is not yet a confirmed incident. It is an automated claim about an observed condition. It may represent real impact, an internal degradation with no user-visible effect, delayed telemetry, a poorly calibrated threshold, or a population that is irrelevant to the service objective.

The first obligation is to convert the alert into an operational description:

Start with Rate, Errors, and Duration

For request-oriented services, RED organizes initial triage around three signals:

RED is an effective entry point, not a complete diagnosis. It must be complemented with saturation, queues, pools, and dependencies. Google SRE summarizes the minimum coverage for a user-facing system as latency, traffic, errors, and saturation.

Do not mix availability, success, and latency

During an incident, these dimensions must be recorded separately:

DimensionQuestion it answersCommon misinterpretation
AvailabilityCan the service perform the operation according to the defined SLI?Assuming that accepting TCP connections or returning HTTP means the operation is available
SuccessDid the operation produce the expected technical and functional result?Counting every HTTP 200 response as success even when the business transaction was rejected
LatencyHow long did the measured population take?Excluding timeouts or failures and showing only fast requests that completed
PercentileWhat threshold was not exceeded by a given proportion of observations?Interpreting P99 as an average or as “the slowest 99 percent”

The exact meaning depends on the SLI. An operation can be technically available and functionally degraded. It can also maintain an acceptable success rate while a queue grows and prepares the next failure.

The distribution matters because an average can hide a slow tail. Google SRE recommends observing percentiles to distinguish which fraction of requests is degraded instead of relying only on the mean. Detailed calculation and interpretation of latency percentiles belong in the specialized article.

Confirm from more than one perspective

A single source can mislead because of instrumentation errors, delay, or scope. Confirmation should combine, when available:

The question is not “Is the dashboard red?” It is:

What system or user behavior proves that degradation exists, and which population is experiencing it?

Step 2: define the scope

“The platform is slow” is not an investigable scope.

A useful description looks like this:

Since 22:14 UTC, create-order in region south-1, version 2026.07.12-3, has shown a P99 of 2.4 seconds for payloads larger than 250 KB; other operations and the previous version remain at baseline.

Scoping reduces the number of possible components, queries, and changes. Segment by dimensions that can actually alter behavior:

Cardinality must be designed before the incident

Not every dimension should become a metric label. User, order, or trace identifiers create extreme cardinality and generally belong in logs or traces, not in time-series dimensions. Metric dimensions must enable segmentation without making the telemetry backend operationally unviable.

OpenTelemetry uses resource attributes and conventions such as service.name, service.namespace, and deployment.environment.name to describe telemetry origin consistently. This consistency allows responders to compare signals without translating different naming systems during a crisis.

Scoping technique: split the population

For each scope hypothesis, compare two groups:

Comparison is more useful than observing an isolated group because it reveals which dimension explains the difference.

Progressive reduction of the search space Diagram that narrows apparently global impact to a specific population through operation, region, version, payload, and dependency. Apparently global impact too many components Operation Region or zone Version Payload type Dependency Specific affected population healthy versus degraded
Progressive reduction of the search space. The objective is not to inspect the entire platform, but to find the smallest combination of dimensions that separates healthy behavior from degraded behavior.

Step 3: build a timeline

The timeline is not an administrative document to complete afterward. It is a diagnostic tool during the incident.

It should record four types of information:

  1. Observed events: alerts, metric changes, errors, and saturation.
  2. System changes: deployments, configuration updates, credential rotations, and dependency failures.
  3. Decisions: what was decided and based on which evidence.
  4. Results: what changed after each action.
Time UTCEventEvidenceDecision or result
22:14create-order P99 exceeds 2 sHTTP histogram, region south-1Incident opened
22:17pool.pending_requests increasesPool metricScope by version and node
22:21Retry surge confirmed (4.4/s to 88/s), started around 22:13Attempt counterAmplification hypothesis
22:26Internal concurrency is limitedReversible changeWait time begins to fall
22:31P99 returns to 720 msMetrics and tracesContinue observation

Which time should be recorded

Whenever possible, use a single time zone, preferably UTC, and preserve the original timestamp from the source. In distributed logs, the time at which an event occurred can differ from the time at which the collector observed it. The OpenTelemetry log data model separates Timestamp from ObservedTimestamp precisely to represent both.

Temporal order prioritizes; it does not prove

If retries increase before pool wait time, that sequence makes retries a candidate cause. It does not prove causality. Both changes may depend on a third factor, such as external latency or a concurrency change.

The timeline helps answer:

Candidate causal timeline Timeline showing increased concurrency, retries, connection-pool waiting, latency, and recovery after mitigation. Deployment effective concurrency increases 22:10 Retries additional attempts increase 22:13 Pool connection wait increases 22:14 Mitigation concurrency and retry are limited 22:26 Pool waiters decrease 22:28 Latency P99 returns to baseline 22:31
Candidate causal timeline. Temporal order helps construct a hypothesis, but it must be tested against traces, logs, and a controlled change.

Step 4: use metrics to locate the symptom

Metrics describe complete populations and changes over time. They are the appropriate signal for confirming magnitude, trend, distribution, and saturation.

Investigation should move from the user-visible symptom toward the resources that could explain it.

First layer: service experience

Review by operation and affected population:

Separating logical requests from technical attempts is critical. If 220 requests per second generate 88 additional retries, user traffic remains 220 requests/s, but the system executes 308 attempts/s. Mixing those numbers hides amplification.

Second layer: saturation and waiting

Review:

Saturation does not require CPU or memory to reach 100 percent. A connection pool, semaphore, partition, lock, or external quota can become the scarce resource while the host appears healthy.

OpenTelemetry defines database-pool metrics such as connections by state, pending requests, timeouts, and wait time. As of July 12, 2026, several of these conventions are marked Development, so the names and support available must be validated in the SDK or library actually used.

Third layer: dependencies and resilience mechanisms

Review:

Resilience mechanisms also create load. A retry is not a free abstraction: it is another execution that consumes time, connections, threads, and dependency quota. The design of correctly configured timeouts and the prevention of retry storms belong in the specialized article.

Primary question: what changed first, and in which population?

A useful sequence may look like this:

  1. P99 increases for only one operation.
  2. Logical traffic remains stable.
  3. Technical attempts increase.
  4. Pending pool requests grow.
  5. Query duration remains stable.

This combination lowers the probability that the database is executing slower queries. It moves the investigation toward pre-query waiting and the mechanism that multiplied attempts.

Do not use an average to close the incident

An average can return to baseline while a residual queue keeps a fraction of requests degraded. Histograms and percentiles expose the distribution, but their interpretation depends on buckets, window, and population. Prometheus documents that histograms and summaries record count and sum, from which an average can be derived; that average does not replace the distribution.

For a deeper treatment of end-to-end allocation and latency distributions, see the latency budget guide.

Step 5: use traces to locate the degraded path

Metrics show that an anomalous population exists. Traces allow the team to inspect individual executions from that population and see how time is distributed across services and operations.

A trace should not be selected at random. It should match the scope already established:

Compare three trace types

Select, when available:

  1. Healthy trace: same operation and comparable conditions outside the incident.
  2. Slow trace: completes, but exceeds the threshold.
  3. Failed trace: ends in an error or timeout.

Compare:

The longest span is not always the cause

A span may be long because it is waiting for a resource that is already saturated. Duration locates where time manifests, but the cause may be earlier:

The trace reduces the search space. It does not replace a hypothesis.

Propagate context without breaking the trace

W3C Trace Context standardizes the traceparent and tracestate headers. A compatible implementation must at least propagate them to preserve trace continuity across components.

This context allows a trace_id to represent the complete request path and each span_id to identify a specific operation within it. OpenTelemetry uses context propagation as the common mechanism for correlating signals across processes and networks.

Sampling can hide exactly the cases being investigated

With probabilistic head sampling, a slow or failed trace may never be retained. OpenTelemetry notes that head sampling makes a decision without seeing the complete trace and therefore cannot guarantee retention of every error. Tail sampling can decide based on latency, error, attributes, or version, at the cost of more state, complexity, and operational expense.

Before concluding that “there are no slow traces,” validate:

Operational correlation of metrics, traces, and logs Circular flow in which metrics delimit the population, traces locate the degraded path, logs provide context, a hypothesis is formed, and recovery is verified with metrics. Metrics which population changed Traces where the path degrades Logs which event and state occurred Testable hypothesis Test or mitigation verification returns to metrics
Operational correlation of metrics, traces, and logs. Signals are used in sequence to reduce the search space. Verification returns to metrics to confirm the effect on the complete population.

Step 6: correlate logs without searching blindly

Searching for ERROR across the entire platform usually produces a large amount of noise and little evidence. Logs become more useful after the investigation has an operation, time window, version, dependency, and trace ID.

Minimum fields for an operational log

A useful event should include, when applicable:

OpenTelemetry includes Timestamp, ObservedTimestamp, TraceId, SpanId, severity, resource, and attributes in its stable log data model. It also defines correlation by time, execution context, and source resource.

Example:

JSON
{
  "timestamp": "2026-07-12T22:14:08.417Z",
  "observed_timestamp": "2026-07-12T22:14:08.463Z",
  "severity": "WARN",
  "service": "orders-api",
  "service_version": "2026.07.12-3",
  "region": "south-1",
  "trace_id": "4e8f9b87d1354f4f9c9770c7cb8a66d2",
  "span_id": "63a3a6f34dcf1e80",
  "operation": "create-order",
  "dependency": "inventory-db",
  "attempt": 2,
  "pool_wait_ms": 1842,
  "outcome": "timeout",
  "error_code": "POOL_WAIT_TIMEOUT"
}

The example is illustrative. Field names must align with the platform telemetry model and with the conventions supported by the actual instrumentation.

Recommended search order

  1. Find the trace_id from a slow or failed trace.
  2. Filter by the span window and relevant service.
  3. Review events for the specific span using span_id.
  4. Expand to other instances only when evidence requires it.
  5. Group by stable codes rather than free-form message text.

What to avoid

An error may appear in a metric or span without producing a log because of sampling, log level, ingestion loss, or missing instrumentation. Absence of evidence in one signal is not evidence of absence in the system.

Step 7: formulate a testable hypothesis

Investigation advances when the team stops listing possibilities and makes a statement that can be disproved.

Recommended structure:

We believe X causes Y because we observe Z. If the hypothesis is correct, executing W should produce Q. We will reject it if R occurs.

Example:

We believe retries are exhausting the connection pool because additional attempts rise before pending_requests, traces spend time before the query span, and logs show POOL_WAIT_TIMEOUT. If we limit retries and internal concurrency, wait time should fall before query duration changes. We will reject the hypothesis if waiters remain high at the same total traffic or if the query independently becomes slower.

A useful hypothesis contains a prediction

ComponentExample
Candidate mechanismRetries increase demand on a limited pool
Explained symptomHigh P99 and timeouts before the query executes
Current evidenceAttempts, waiters, and logs rise in that order
TestLimit retries and concurrency for a controlled fraction
Predictionpool_wait_time falls with no change in db.operation.duration
Refuting evidenceWait time does not change, or the latency is inside the query

Do not use a label as an explanation

Statements such as “network issue,” “slow database,” “Kubernetes,” “GC,” or “saturation” describe categories. They do not explain the mechanism.

A hypothesis must specify:

Testable-hypothesis cycle Cycle of evidence, hypothesis, prediction, test, and decision used to support or reject an incident explanation. Observed evidence Causal hypothesis Measurable prediction Controlled test or change Did the prediction occur? Yes: gains support · No: reformulate Hypothesis gains support No: reject · new evidence
Testable-hypothesis cycle. A hypothesis is not validated by consensus. It must produce an observable prediction and survive a controlled test.

Step 8: separate evidence, hypothesis, decision, and result

Statements quickly become mixed in an incident room:

Without classification, a repeated assumption can become accepted as fact.

Use an explicit table:

TypeExample
EvidenceP99 rose from 600 ms to 2.4 s for create-order
Evidencepending_requests rose from 0–3 to 65
HypothesisRetries amplified demand and exhausted the pool
DecisionLimit concurrency and disable retries on acquisition timeout
ResultWait time returned to baseline and P99 fell to 720 ms
PendingProve which change increased effective concurrency
Separation of facts and decisions Flow separating evidence, hypothesis, decision, observed result, and confirmation of technical cause. Evidence Hypothesis Decision Observed result Does it explain and reproduce? No: back to evidence Technical cause and factors Doesn't explain: reformulate
Separation of facts and decisions. A mitigation result adds evidence, but it still has to be connected to the causal mechanism and the factors that allowed the incident to occur.

Step 9: apply a mitigation

A mitigation aims to reduce impact. Evaluate it by risk, reversibility, speed, integrity, and blast radius.

Options and trade-offs

MitigationWhen it may helpPrimary riskValidation signal
RollbackA recent change is a candidate and the previous version remains compatibleReversion may reintroduce another defect or an incompatible migrationClear version difference and recovery after rollback
Feature flagThe degraded path can be isolatedPartial state or inconsistent user experienceErrors or latency fall only in the affected population
Concurrency limitSaturation is caused by simultaneous workLower throughput and growth of an external queueWait time falls without unacceptable success loss
Load sheddingCapacity is insufficient and the core must be protectedExplicit rejection of a traffic fractionStable system, bounded latency, controlled rejections
Reduce retriesAttempts amplify loadLower probability of recovery from genuinely transient failuresTotal attempts, waiters, and timeouts fall
Increase capacityThe dependency has verified headroomMoving saturation to another resource or amplifying damageProportional improvement without degrading the dependency
Controlled degradationA partial response is acceptableTemporary loss of functionalityDegraded-mode SLO and predictable experience
RestartKnown corrupt state or leak, with evidence already preservedDestroying evidence and obtaining only temporary reliefReproducible recovery and a mechanism demonstrated afterward

Change one variable at a time when risk allows it

A severe incident may require combined actions. When several actions are applied, record them precisely and stagger them where possible. Otherwise, recovery cannot be attributed to a specific change.

Define abort criteria

Before the change, define:

A mitigation without abort criteria is another uncontrolled production experiment.

Step 10: verify recovery

“It is responding again” is not verification.

Recovery must be checked in the same population and with the same signals that confirmed the incident:

Compare against baseline, not against the worst minute

A P99 reduction from 2.4 s to 1.5 s is an improvement, not recovery, when the baseline was 600 ms.

Define:

There is no universal observation window. A high-volume service may demonstrate statistical stability in minutes; an hourly batch process must be observed through at least the next relevant cycle.

Verify from outside and inside

Robust recovery combines:

Google SRE notes that monitoring should make it possible to compare behavior before and after a change. It also emphasizes telemetry freshness: when data arrives too late, responders may attribute an effect to the wrong action.

Case study: latency caused by connection-pool wait time

The following scenario is constructed to demonstrate the method. Its values are not a recommended configuration or a universal limit.

Scenario

An order-creation API maintains 220 logical requests per second. Its normal P99 is 600 ms. At 22:14 UTC, P99 rises to 2.4 s and the error rate increases from 0.3 percent to 2.1 percent.

CPU remains between 48 and 55 percent. The duration of the main database queries remains close to 85 ms. The time required to acquire a connection, however, increases sharply.

Step A: confirm and scope

The degradation affects:

It does not affect:

Step B: observe attempts, not only requests

Before the incident:

During the incident:

Calculation:

Text
total_attempts = logical_requests + additional_retries
total_attempts = 220 + 88 = 308 attempts/s
amplification = 308 / 220 = 1.40

User traffic did not increase. Technical load increased by 40 percent.

Step C: review capacity and waiting

Observed assumptions:

This calculation does not represent safe capacity because it ignores variance, overhead, long transactions, and the distribution of hold times. It shows that the system is operating close to a theoretical limit. Near saturation, small variations create queues and wait time grows before CPU or query duration appears abnormal.

Observed metrics:

SignalBaselineIncident
Logical requests220/s220/s
Additional retries4.4/s88/s
Total attempts224.4/s308/s
Pool pending requests0–365
Pool-wait P9945 ms1,840 ms
Query-duration P99110 ms118 ms
API P99600 ms2,400 ms

Step D: compare traces

Healthy trace:

Text
create-order                  540 ms
├─ validate-request            35 ms
├─ acquire-db-connection       18 ms
├─ insert-order               102 ms
├─ reserve-inventory          210 ms
└─ publish-event               75 ms

Slow trace:

Text
create-order                2,320 ms
├─ validate-request            37 ms
├─ acquire-db-connection    1,760 ms
├─ insert-order               108 ms
├─ reserve-inventory          225 ms
└─ publish-event               82 ms

The query does not dominate the difference. The wait occurs before query execution.

Step E: correlate logs

Logs associated with slow trace IDs show:

Step F: formulate the hypothesis

Version 2026.07.12-3 increased internal concurrency and enabled retries on acquisition timeouts. Additional attempts pushed the pool close to saturation; the acquisition queue increased P99 and produced new timeouts, which generated more retries.

Prediction:

If internal concurrency is limited and retries for POOL_WAIT_TIMEOUT are removed, total attempts and pool wait time should fall before query duration changes.

Step G: mitigate

Staged actions:

  1. Disable retries on acquisition timeout through a feature flag.
  2. Limit internal concurrency for the affected version.
  3. Keep the pool at 100 connections until database headroom is verified.

The pool is not increased automatically because the database could become the next saturated resource.

Step H: verify

After mitigation:

SignalResult
Logical requests218–224/s
Additional retries5–7/s
Pool pending requests0–4
Pool-wait P9952 ms
Query-duration P99115 ms
API P99680–740 ms
Error rate0.35%

The sequence matters:

  1. Retries fall.
  2. Total attempts fall.
  3. Waiters decrease.
  4. API P99 falls.
  5. Query duration remains stable.

This result supports the amplification-and-pool-wait hypothesis. The team still needs to prove which specific change increased concurrency and why the retry policy treated a saturation timeout as a recoverable transient failure.

Amplification loop caused by retries and a saturated pool Loop diagram in which concurrency saturates a pool, increases waiting, creates timeouts, and triggers retries that further increase concurrency. More internal concurrency More simultaneous requests Pool near its limit Connection wait high P99 Acquisition timeout Additional retry each retry adds load
Amplification loop caused by retries and a saturated pool. A retry converts initial saturation into additional demand. The system enters a feedback loop until concurrency, retries, or incoming load is constrained.

Prevention derived from the case

The same mechanism can propagate into cascading failures when timeouts and retries consume resources in upstream services.

What to do when signals contradict one another

A contradiction usually means that the signals observe different populations, clocks, or stages of the request path.

Case 1: metrics show errors, but logs do not

Possible explanations:

Decision: validate the measurement point, look for a trace or independent external signal, and check for loss in the log pipeline.

Case 2: logs show errors, but there is no visible impact

Possible explanations:

Decision: measure frequency, population, and functional outcome before escalating the incident.

Case 3: traces do not show slow cases

Possible explanations:

Decision: review sampling policy, span loss, and traceparent propagation.

Case 4: client and server report different latency

Possible explanations:

Decision: decompose the path and define exactly where each metric starts and ends.

Method for resolving contradictions

  1. Validate the same time window.
  2. Validate the same population and labels.
  3. Confirm the unit and metric definition.
  4. Compare source and ingestion timestamps.
  5. Review sampling and telemetry loss.
  6. Find an independent signal.
  7. Prefer evidence closest to the outcome being explained.

Common mistakes during incidents

Changing several variables without recording them

This prevents attribution of recovery and may introduce a second failure.

Restarting before preserving evidence

A restart removes heaps, connections, queues, locks, and state that could demonstrate the mechanism. Restarting may be necessary, but it must be a conscious decision.

Investigating the entire platform

This increases noise. Scope first by operation, population, version, and dependency.

Using averages to declare recovery

This hides slow tails and extreme user experiences. Review the distribution.

Confusing correlation with causality

Two simultaneous signals can share a cause. A prediction and a test are required.

Automatically blaming the latest deployment

A deployment is a temporal candidate, not a demonstrated cause. It may activate a latent condition or merely coincide with an external change.

Searching logs before scoping

This produces broad, slow queries dominated by irrelevant events.

Treating every retry as recovery

A retry can recover a transient failure or amplify saturation. Measure it as additional load.

Declaring root cause from the mitigation

“Latency fell after increasing the pool” does not prove that the pool was undersized. The change may have hidden a leak, a concurrency increase, or a transaction holding connections too long.

Closing without checking integrity and backlog

Latency can return to baseline while accumulated messages, duplicated transactions, or incomplete processes remain.

For a broader framework for structured incident investigation, the troubleshooting article covers diagnosis beyond the specific correlation of observability signals.

Minimum roles in an incident room

Not everyone should run queries or propose changes at the same time.

A minimum structure includes:

In small teams, one person can hold more than one role. What matters is that the functions exist and leadership is not implicit.

The incident-response model described by Google relies on defined functions and standardized communication so the response can scale without losing coordination.

After the incident: document without duplicating the diagnosis

The postmortem should record:

Google SRE defines a postmortem as a record of the incident, impact, mitigation, causes, and follow-up actions. It also recommends a blameless culture that examines system conditions instead of turning the document into an individual sanction.

Actions without an owner tend not to be completed. The SRE Workbook recommends explicit ownership and a single accountable owner supported by collaborators.

This article does not develop the full postmortem discipline in order to avoid cannibalizing the dedicated piece. See how to write a postmortem that prevents recurrence.

Close observability gaps

The output of an incident should not be an indiscriminate instruction to “add more logs.”

The correct question is which decision the team could not make and which signal would have reduced that uncertainty.

Review questions

Convert the gap into a requirement

Weak action item:

Improve pool observability.

Executable action item:

Instrument pending_requests, timeouts, and wait time by service.name, version, and pool; add links from the RED dashboard to traces filtered by operation; owner: platform team; due date: 2026-07-26; acceptance criterion: a load test must distinguish connection wait time from query duration.

Useful telemetry is not the telemetry that accumulates the most data. It is the telemetry that reduces uncertainty in a decision.

Operational learning cycle Cycle that converts an incident and evidence gap into a telemetry requirement, acceptance test, and shorter diagnosis time. Incident Evidence gap Telemetry requirement Instrumentation or runbook Acceptance test Lower diagnosis time learning closes the cycle
Operational learning cycle. Each incident should turn a real uncertainty into a verifiable improvement in instrumentation, alerting, automation, or procedure.

Operational checklist

Detection

Scope

Timeline

Evidence

Hypothesis

Action

Recovery

Learning

Frequently asked questions

What should be checked first during an incident?

First confirm the impact and the affected population. For request-oriented services, Rate, Errors, and Duration provide an initial triage frame; then review saturation, queues, dependencies, and resilience mechanisms. Searching all platform logs before scoping usually increases noise.

What is the difference between mitigation and root cause?

A mitigation reduces impact. The cause explains the mechanism that produced the incident and the factors that allowed it to escalate. A restart, rollback, or capacity increase can restore service without proving the cause.

How is a Trace ID used?

A trace_id identifies the distributed path of a request. It is used to open the complete trace and filter logs emitted in that context. The span_id narrows the search to a specific operation. Continuity depends on correct context propagation between services.

What should a timeline include?

Alerts, metric changes, deployments, configuration changes, dependency failures, decisions, mitigations, and results. It should be built during the incident, use a common time zone, and separate event time from observation time when ingestion delays exist.

When should an incident be closed?

When impact is controlled, primary signals have returned to an acceptable range, backlog and integrity have been verified, and the observation period covers a sufficient cycle for the load pattern. Closure does not require the postmortem to be complete, but pending risks and actions must be transferred explicitly.

What should a postmortem include?

Impact, detection, timeline, technical cause, contributing factors, mitigation, recovery, lessons, and actions with owners and dates. It should focus on the system and decision conditions rather than blaming individuals.

Conclusion

Investigating an incident does not mean opening every available tool. It means reducing uncertainty in a controlled way.

Metrics answer what changed, by how much, and for whom. Traces show where time is consumed or an error appears along the request path. Logs provide the specific event and state. No individual signal automatically provides the cause.

The operational sequence is:

  1. Protect the operation and data integrity.
  2. Confirm real impact.
  3. Scope the affected population.
  4. Build the timeline while the incident is happening.
  5. Use metrics to locate the symptom.
  6. Use traces to narrow the degraded path.
  7. Use logs to obtain precise context.
  8. Formulate a hypothesis with a prediction and refutation criterion.
  9. Mitigate reversibly.
  10. Verify against baseline, SLO, queues, and integrity.

The test of a strong investigation is not the number of dashboards consulted. It is whether every decision can be connected to evidence, whether recovery is measurable, and whether the next incident encounters fewer blind spots than the previous one.

Technical sources

Jorel del Portal

Jorel del Portal

Systems engineer specialized in enterprise software architecture and high-availability platforms.