Business Observability, Correlation, Diagnostics, Runbooks, and Support Tooling
Observability, Supportability, and Operational Model
Membuat lifecycle quote/order dapat didiagnosis dan dipulihkan tanpa database archaeology.
Part 047 — Business Observability, Correlation, Diagnostics, Runbooks, and Support Tooling
Positioning
Observability pada enterprise Quote-to-Order bukan hanya:
- CPU;
- memory;
- request latency;
- error rate;
- dan pod health.
Sistem dapat terlihat sehat secara infrastructure tetapi bisnis tetap gagal:
- Quote tertahan di approval;
- accepted Offer tidak menghasilkan Product Order;
- Order Item menunggu barrier yang salah;
- Product aktif tetapi Billing charge tidak dibuat;
- Inventory dan fulfillment berbeda;
- retries menciptakan duplicate supplier order;
- atau satu tenant mengalami backlog tanpa alarm platform.
Supportability juga bukan berarti memberi support engineer akses SQL production.
Core thesis: observability harus dimulai dari business invariants dan operational questions. Setiap lifecycle membutuhkan correlation, state age, reason code, attempt history, expected next action, authority, evidence, reconciliation, dan safe repair command—sehingga diagnosis dan recovery dapat dilakukan tanpa database archaeology.
1. Observability
Observability adalah kemampuan menyimpulkan internal system state dari signals yang tersedia.
2. Monitoring
Monitoring memeriksa kondisi yang sudah diketahui melalui metrics, checks, atau alerts.
3. Observability versus Monitoring
Monitoring asks:
Is the known condition healthy?
Observability asks:
Why is this specific lifecycle behaving unexpectedly?
4. Supportability
Supportability adalah kemampuan product untuk:
- ditemukan;
- dipahami;
- didiagnosis;
- direkonsiliasi;
- dipulihkan;
- dan dijelaskan
oleh authorized operational users.
5. Operability
Operability mencakup:
- deployment;
- runtime control;
- scaling;
- incident handling;
- maintenance;
- backup/restore;
- and recovery.
6. Business Observability
Business observability memantau facts dan invariants domain.
Examples:
- Quote state age;
- approval wait time;
- acceptance-to-order latency;
- Product activation-to-billing lag;
- reconciliation mismatch count;
- and manual recovery rate.
7. Technical Observability
Technical observability covers:
- application latency;
- throughput;
- errors;
- saturation;
- logs;
- traces;
- queues;
- database;
- and infrastructure.
8. Combined View
Business and technical signals must correlate.
Example:
Order backlog rose because supplier API latency exceeded timeout,
which created UNKNOWN attempts and blocked dependency barriers.
9. Operational Question First
Before selecting tools, list questions support must answer.
10. Core Quote Question
Why can this Quote not be submitted, approved, presented, or accepted?
11. Core Order Question
Why is this Product Order or Item not progressing?
12. Core Inventory Question
What Product actually exists, and which Order created or changed it?
13. Core Billing Question
Why is this Product not billed, or why is this charge still active?
14. Core Recovery Question
What is the safest next command, and what evidence is required?
15. Golden Signals
Technical golden signals commonly include:
- latency;
- traffic;
- errors;
- saturation.
16. Domain Golden Signals
Useful domain signals include:
- lifecycle throughput;
- state age;
- failure/fallout rate;
- business lag;
- duplicate rate;
- mismatch rate;
- and recovery time.
17. RED Method
For request-driven services:
- Rate;
- Errors;
- Duration.
18. USE Method
For resources:
- Utilization;
- Saturation;
- Errors.
19. Domain RED
For a business command:
- command rate;
- rejected/failed/unknown rate;
- completion duration.
20. Lifecycle Funnel
Example:
Quote Created
-> Submitted
-> Approved
-> Presented
-> Accepted
-> Product Order Created
-> Product Activated
-> Billing Activated
21. Funnel Conversion
Measure transition success from one stage to next.
22. Funnel Drop-Off
Drop-off may reveal:
- validation failure;
- approval delay;
- customer abandonment;
- integration failure;
- or missing event.
23. Funnel Cohort
Segment by:
- tenant;
- market;
- product;
- channel;
- value;
- and software version.
24. Business Latency
Time between meaningful lifecycle facts.
25. Quote Creation-to-Submission
Measures configuration/sales-cycle process behavior.
26. Submission-to-Approval
Approval wait and processing time.
27. Approval-to-Presentation
Proposal/rendering and channel delay.
28. Acceptance-to-Order
Quote-to-Order transformation latency.
29. Order-to-Activation
Fulfillment lead time.
30. Activation-to-Billing
Revenue-leakage-sensitive lag.
31. Time Categories
For long-running flow, separate:
- active processing;
- waiting for dependency;
- waiting for customer;
- waiting for approval;
- retry delay;
- and manual queue time.
32. State Age
Current time minus time entered current state.
33. State Entry Time
Must be recorded explicitly.
34. State Age Threshold
Threshold should depend on:
- state;
- product;
- priority;
- tenant tier;
- and SLA.
35. Stuck versus Slow
A slow process may still progress.
A stuck process has no valid progression or expected action.
36. Expected Next Action
Every non-terminal lifecycle should expose:
- expected event/command;
- responsible owner;
- timer/deadline;
- and dependency.
37. Progress Marker
Examples:
- last completed node;
- last aggregate version;
- last received event;
- last retry;
- and last reconciliation.
38. Heartbeat
Useful for long-running external work, but heartbeat absence does not prove business failure.
39. Milestone Observability
Track achieved and missing milestones.
40. Barrier Observability
A barrier should show:
- required predecessors;
- satisfied inputs;
- missing inputs;
- timeout;
- and release policy.
41. Dependency Observability
Explain blocked node path.
42. Why-Is-It-Waiting View
Example:
Order Item OI-45 is waiting on INSTALLATION_READY.
INSTALLATION_READY requires:
- Capacity reservation: complete
- Router delivery: complete
- Site access confirmation: missing
Owner: Customer Operations
Due: 2026-07-12 10:00 Asia/Jakarta
43. Reason Code
Stable machine-readable classification.
44. Reason Message
Human-readable explanation.
45. Reason Detail
Structured context:
- failed rule;
- field;
- dependency;
- downstream code;
- and evidence reference.
46. Reason Taxonomy
Should cover:
- validation;
- authorization;
- business conflict;
- dependency;
- technical;
- timeout;
- unknown outcome;
- external rejection;
- and data mismatch.
47. Reason Ownership
Each reason code has owning context/team.
48. Reason Actionability
Reason should suggest:
- retry;
- correct data;
- request approval;
- reconcile;
- replan;
- contact customer;
- or manual review.
49. Generic Error Smell
PROCESSING_FAILED
is insufficient without structured cause.
50. Correlation Identity
Correlation connects related operations across contexts.
51. Primary Business Correlations
Examples:
- Quote ID;
- Quote Revision;
- Offer/Proposal ID;
- Acceptance ID;
- Agreement ID;
- Product Order ID;
- Order Item ID;
- Fulfillment Plan ID;
- Product ID;
- Billing Charge ID;
- and Fallout ID.
52. Technical Correlations
Examples:
- trace ID;
- span ID;
- request ID;
- command ID;
- operation ID;
- event ID;
- attempt ID;
- and idempotency key reference.
53. Correlation versus Identity
Correlation groups related work.
It does not replace stable resource identity.
54. Causation
Links one command/event to the next effect.
55. Correlation Propagation
Propagate through:
- HTTP headers;
- message envelopes;
- workflow context;
- logs;
- and audit.
56. Correlation Loss
Common at:
- async boundaries;
- retries;
- batch fan-out;
- external callbacks;
- and manual recovery.
57. Correlation Restoration
Use stable business keys to reattach external callback or existing effect.
58. Correlation Cardinality
Avoid putting raw high-cardinality IDs on every metrics series.
Use logs/traces for individual IDs.
59. Trace
A distributed trace represents one causal operation path.
60. Span
One unit of work within trace.
61. Span Attributes
Possible:
- context;
- command;
- resource type;
- tenant cohort;
- result;
- downstream;
- and retry attempt.
62. Sensitive Span Data
Do not include:
- full proposal;
- PII;
- cost;
- secrets;
- and raw tokens.
63. Async Trace Link
Messages may use trace links rather than direct parent-child when processing is delayed/fan-out.
64. Long-Running Trace
One trace over days may be impractical.
Use business correlation plus per-operation traces.
65. Trace Sampling
Use:
- head sampling;
- tail sampling;
- error sampling;
- high-value transaction sampling;
- and tenant-aware controlled sampling.
66. Tail Sampling
Keeps traces based on final outcome/latency.
67. Sampling Risk
Rare critical business failures may be missed.
68. Trace Retention
Different from audit retention.
69. Log
Structured diagnostic record.
70. Structured Logging
Prefer fields over concatenated strings.
71. Log Fields
Representative:
timestamp
level
service
context
tenantCohort
operation
resourceType
resourceId
version
correlationId
causationId
attemptId
reasonCode
outcome
72. Log Level
- DEBUG;
- INFO;
- WARN;
- ERROR.
Use consistently.
73. Error Log
One failure should not generate dozens of duplicate ERROR logs across layers.
74. Error Ownership
Log ERROR at layer that owns action/remediation.
Lower layers can add context at lower severity.
75. Stack Trace
Useful for unexpected code failure, not every domain rejection.
76. Domain Rejection Log
Structured INFO/WARN depending significance.
77. Log Redaction
Protect sensitive fields.
78. Log Injection
Sanitize untrusted text/newlines.
79. Log Volume
High-volume item processing can overload logging.
80. Dynamic Logging
Temporary scoped increase for:
- tenant;
- Order;
- service;
- or correlation.
Must expire automatically.
81. Debug Session
Case-linked, authorized, time-limited.
82. Audit Query
Operational support may need read-only audit timeline.
83. Audit versus Log Timeline
Audit proves actions; logs explain implementation symptoms.
84. Unified Timeline
A support view can combine:
- domain transitions;
- events;
- commands;
- attempts;
- audit;
- and alerts.
Each item retains source authority.
85. Metrics
Numeric time-series signals.
86. Counter
Monotonic count of events.
87. Gauge
Current value such as queue depth.
88. Histogram
Distribution for latency/size.
89. Summary
Client-side quantiles; often less aggregatable.
90. Percentiles
Use p50, p90, p95, p99 based on use case.
91. Average Trap
Average hides long-tail latency.
92. Cardinality
Metrics dimensions must be bounded.
93. High-Cardinality Labels
Avoid:
- Quote ID;
- Order ID;
- customer name;
- raw error message.
94. Useful Metric Dimensions
Controlled dimensions:
- context;
- operation;
- state;
- reason class;
- product family;
- market;
- tenant tier;
- and version.
95. Exemplars
Link a metric sample to trace without high-cardinality label.
96. SLI
Service Level Indicator measures service behavior.
97. SLO
Target for SLI over window.
98. SLA
External/contractual commitment.
99. Error Budget
Allowed unreliability under SLO.
100. Technical SLI
Examples:
- API availability;
- command latency;
- event lag;
- database saturation.
101. Business SLI
Examples:
- accepted-to-order success;
- Product activation success;
- Billing activation lag;
- reconciliation closure time.
102. Correctness SLI
Examples:
- duplicate Order rate;
- invalid transition rate;
- missing lineage;
- and mismatch rate.
103. Timeliness SLI
Examples:
- state progression within target;
- approval within target;
- and event projection freshness.
104. Completeness SLI
Examples:
- every accepted item has transformation outcome;
- every completed ADD has Product outcome;
- every active billable Product has charge.
105. SLO Scope
Define by:
- operation;
- tenant tier;
- market;
- product class;
- and maintenance exclusions.
106. Availability SLO Risk
A service may return 200 while business result is invalid.
107. Semantic Availability
Operation is available only if it can produce correct governed outcome.
108. Dependency SLO
External dependencies should have:
- availability;
- latency;
- timeout;
- and error contract.
109. Composite SLO
End-to-end lifecycle depends on multiple components.
110. Error Budget Policy
Can influence:
- feature rollout;
- reliability work;
- and incident response.
111. Alert
Notification that action may be required.
112. Symptom-Based Alert
Alert on customer/business impact.
113. Cause-Based Alert
Alert on suspected technical cause.
114. Symptom First
Prefer alerts like:
Acceptance-to-Order completion below target
over only:
CPU > 80%
115. Alert Actionability
Every alert should have:
- owner;
- severity;
- runbook;
- context;
- and expected action.
116. Alert Fatigue
Too many noisy alerts reduce response quality.
117. Alert Deduplication
Group related symptoms.
118. Alert Suppression
During known maintenance or parent incident, with controls.
119. Multi-Window Burn Rate
Detect fast and slow SLO consumption.
120. State-Age Alert
Example:
APPROVAL_PENDING > threshold
121. Queue-Age Alert
Oldest item is often more informative than queue size.
122. Unknown-Outcome Alert
High risk because retry/compensation is blocked.
123. Duplicate Alert
Examples:
- duplicate Acceptance;
- Product Order;
- Inventory Product;
- Billing Charge.
124. Reconciliation Alert
Mismatch count/age exceeds target.
125. Outbox Alert
Outbox oldest unpublished record age.
126. Consumer Lag Alert
Use business impact and partition-specific context.
127. DLQ Alert
Every new critical DLQ record must have ownership.
128. Reservation Leak Alert
Expired/ownerless reservations.
129. Timer Alert
Durable timer missing, overdue, or duplicated.
130. Workflow Stuck Alert
No progress marker within expected window.
131. Data Quality Alert
Impossible state or broken lineage.
132. Tenant-Specific Alert
Large tenant may need dedicated threshold and routing.
133. Release Regression Alert
Compare version/cohort.
134. Alert Context
Include:
- service/context;
- affected operation;
- reason;
- start time;
- affected cohort;
- relevant dashboard;
- and runbook.
135. Dashboard
A dashboard should answer a defined operational question.
136. Executive Dashboard
Shows:
- lifecycle throughput;
- conversion;
- lead time;
- correctness;
- and customer impact.
137. Product Operations Dashboard
Shows state funnels, backlog, fallout, and SLA.
138. Engineering Dashboard
Shows latency, errors, saturation, event lag, and DB/queue health.
139. Support Dashboard
Searches and explains individual transaction.
140. Reconciliation Dashboard
Shows mismatches by authority, severity, and age.
141. Tenant Health Dashboard
Shows cohort/tenant-specific impact with controlled access.
142. Release Dashboard
Compares old/new version or canary cohort.
143. Quote Dashboard
Useful views:
- Quotes by state;
- state age;
- pricing errors;
- approval backlog;
- proposal generation failures;
- acceptance failures.
144. Order Dashboard
Useful views:
- Orders by state;
- Item status;
- critical path;
- active attempts;
- stuck barriers;
- fallout;
- cancellation.
145. Inventory Dashboard
Useful views:
- planned/active/terminating;
- missing lineage;
- Product outcome lag;
- reconciliation mismatch.
146. Billing Dashboard
Useful views:
- handoff status;
- active Products without charges;
- terminated Products with active charges;
- activation lag;
- duplicate charges.
147. Dashboard Anti-Pattern
One giant dashboard with hundreds of unrelated panels.
148. Drill-Down
From aggregate metric to:
- cohort;
- context;
- transaction search;
- and trace/log/audit timeline.
149. Support Search
Search by business IDs and external references.
150. Search Inputs
- Quote number;
- Acceptance ID;
- Agreement;
- Order;
- Product;
- supplier reference;
- Billing Charge;
- customer/account/site;
- correlation;
- and idempotency key reference.
151. Search Authorization
Search must enforce tenant/object/field permissions.
152. Search Freshness
Show projection update time/version.
153. Authoritative Read
Support action guards must query authority, not stale search index.
154. Support Case Context
Attach diagnostic session to support/incident case.
155. Support Timeline
Displays:
- lifecycle transitions;
- state age;
- commands;
- events;
- attempts;
- failures;
- manual changes;
- and current blockers.
156. Support Dependency Graph
Visualize active Plan/orchestration graph.
157. Support Diff
Compare:
- Quote revisions;
- as-ordered/as-built;
- expected/actual Billing;
- and old/new Plan.
158. Support Evidence
Links to immutable:
- price snapshot;
- approval;
- proposal;
- acceptance;
- and reconciliation.
159. Support Actions
Only explicit authorized commands.
160. Support Action Preview
Show:
- preconditions;
- intended state change;
- downstream effects;
- risk;
- and required approval.
161. Support Action Result
Per-command operation ID, outcome, and reconciliation.
162. Direct Database Access
Should not be standard support workflow.
163. Database Archaeology
Manual joins across tables to infer lifecycle.
Symptoms:
- no unified identity;
- no state history;
- no event timeline;
- and no support projection.
164. Database Access Exception
If unavoidable:
- read-only by default;
- case-linked;
- JIT;
- audited;
- and replaced with product capability backlog.
165. Safe Repair Tooling
Examples:
- RetryOperation;
- ReconcileExternalOutcome;
- RebuildProjection;
- LinkExistingExternalResource;
- ReleaseStaleReservation;
- ReplanAffectedScope;
- CorrectLineage;
- and RecordManualCompletion.
166. Unsafe Repair Tooling
Examples:
- SetAnyStatus;
- DeleteFailedEvent;
- IncrementVersion;
- ClearAllLocks;
- ExecuteArbitrarySQL.
167. Repair Command Guard
Check:
- resource version;
- current state;
- authority;
- active attempts;
- idempotency;
- and evidence.
168. Repair Command Idempotency
Repeated same command must converge safely.
169. Repair Dry Run
Useful for:
- bulk reconciliation;
- data correction;
- and replan.
170. Bulk Repair
Needs:
- impact query;
- canary;
- per-item result;
- stop/continue policy;
- and manifest.
171. Repair Audit
Record before/after, actor, reason, case, and outcome.
172. Repair Reconciliation
After repair, verify all affected authorities/projections.
173. Runbook
Runbook is tested operational procedure.
174. Runbook Contents
- trigger/alert;
- impact;
- diagnosis;
- safety checks;
- containment;
- recovery;
- validation;
- escalation;
- and post-incident follow-up.
175. Runbook Owner
Named team/role.
176. Runbook Version
Track version and last tested date.
177. Runbook Preconditions
Required access, tools, and evidence.
178. Runbook Decision Tree
Branch by observed facts.
179. Runbook Automation
Automate deterministic safe steps.
180. Runbook Danger
Blind copy-paste commands can amplify incident.
181. Executable Runbook
Tool-guided workflow with guards and audit.
182. Runbook Test
Use game days or staging simulations.
183. Runbook Drift
Procedure no longer matches current architecture.
184. Operational Readiness Review
Before release verify:
- metrics;
- alerts;
- dashboard;
- runbook;
- repair;
- ownership;
- capacity;
- and rollback.
185. Production Readiness Checklist
Should be required for new critical lifecycle.
186. Service Catalog
Inventory of services/contexts and operational metadata.
187. Service Catalog Fields
- owner;
- on-call;
- repository;
- deployment;
- dependencies;
- SLO;
- dashboard;
- alerts;
- runbooks;
- data stores;
- and contracts.
188. Dependency Map
Shows runtime dependencies and criticality.
189. Critical Dependency
Failure blocks core business flow.
190. Optional Dependency
Can fail open or degrade.
191. Dependency Failure Policy
Document:
- timeout;
- retry;
- circuit;
- fallback;
- and manual process.
192. Failure Mode and Effects Analysis
List failure mode, effect, detection, mitigation, and recovery.
193. Operational Hazard Analysis
Focus on high-impact combinations:
- timeout + retry;
- stale cache + acceptance;
- event gap + Billing;
- and partial compensation.
194. Game Day
Controlled exercise of operational scenario.
195. Chaos Experiment
Inject technical failure with safety limits.
196. Business Chaos Scenario
Examples:
- duplicate event;
- delayed supplier;
- missing Product activation;
- stale approval;
- and Billing mismatch.
197. Abort Condition
Every experiment needs stop criteria.
198. Evidence Capture
Record experiment and observed behavior.
199. Recovery Objective
Define expected recovery time and residual state.
200. Incident
Unplanned interruption, degradation, or correctness risk.
201. Incident Severity
Based on:
- customer impact;
- financial impact;
- tenant count;
- security/regulatory risk;
- and duration.
202. Incident Commander
Coordinates response.
203. Technical Lead
Leads diagnosis/recovery.
204. Communications Lead
Coordinates stakeholder/customer updates.
205. Scribe
Maintains timeline and decisions.
206. Incident Timeline
Combine:
- alert;
- deployment;
- state changes;
- commands;
- and communications.
207. Containment
Stop additional harm.
Examples:
- pause consumer;
- disable mapping;
- block acceptance;
- halt Billing;
- or tenant-scoped kill switch.
208. Mitigation
Restore service or reduce impact.
209. Recovery
Return to safe intended state.
210. Resolution
Incident no longer active, residual tasks remain tracked.
211. Post-Incident Review
Focus on systemic learning, not blame.
212. Root Cause
Underlying condition enabling incident.
213. Trigger
Immediate event exposing condition.
214. Contributing Factors
Multiple system/process weaknesses.
215. Corrective Action
Prevents recurrence or improves detection/recovery.
216. Action Owner and Due Date
Required for follow-through.
217. Recurrence Detection
Track similar reason codes/incidents.
218. Problem Management
Longer-term elimination of recurring incidents.
219. Known Error
Document root cause and safe workaround.
220. Error Budget Review
Reliability work may be prioritized when budget exhausted.
221. On-Call Model
Define:
- primary;
- secondary;
- escalation;
- business/domain expert;
- and vendor contact.
222. Follow-the-Sun
Can reduce response time but needs clean handoff.
223. On-Call Handoff
Include active incidents, risky changes, and backlog.
224. On-Call Load
Measure pages, interruptions, and after-hours burden.
225. Page Quality
Actionable pages, low noise.
226. Operational Toil
Manual repetitive work with low enduring value.
227. Toil Examples
- manual retry;
- SQL status repair;
- copying IDs;
- and daily mismatch spreadsheet.
228. Toil Reduction
Automate with guarded product capabilities.
229. Supportability Backlog
Track missing:
- correlation;
- diagnostics;
- reason codes;
- repair commands;
- and runbooks.
230. Operational Ownership
Team owns production behavior, not only code delivery.
231. Operational Capability Boundary
Some shared capabilities may be platform-provided:
- telemetry;
- alerting;
- tracing;
- incident tooling;
- and audit transport.
Domain team owns business signals and runbooks.
232. Environment Parity
Staging should reproduce important operational behavior.
233. Synthetic Transaction
Continuously tests critical flow.
234. Synthetic Quote Flow
Create/configure/price/test Quote using non-production tenant/data.
235. Synthetic Order Flow
Exercise transformation and controlled downstream test doubles.
236. Synthetic Safety
Must not create real customer/Billing effects.
237. Canary
Small production cohort receives new version.
238. Canary Metrics
Compare:
- latency;
- errors;
- business funnel;
- mismatches;
- and support signals.
239. Dark Launch
New code runs without affecting result.
240. Shadow Traffic
Replay/duplicate requests to new path with protected side effects.
241. Release Annotation
Dashboards mark deploy/config/rule changes.
242. Change Correlation
Link incident to:
- app version;
- schema;
- config;
- rule;
- workflow;
- and extension version.
243. Config Observability
Show active configuration epoch/version.
244. Rule Observability
Show rule/version and evaluation outcome.
245. Workflow Observability
Show workflow definition version per instance.
246. Mapping Observability
Show mapping version for transformation/handoff.
247. Dependency Version
Show external API/connector version.
248. Data Quality Observability
Track:
- missing identifiers;
- invalid relationships;
- duplicate outcomes;
- and authority mismatch.
249. Reconciliation as Observability
Reconciliation detects silent correctness failures that metrics/logs may miss.
250. Reconciliation Coverage
List each critical cross-context invariant and corresponding job/check.
251. Reconciliation Ownership
Every mismatch type needs owner and repair path.
252. Reconciliation Freshness
When was last successful check?
253. Reconciliation Blind Spot
No comparison exists for a critical boundary.
254. Operational Data Model
Support projection should represent:
- lifecycle;
- current state;
- blockers;
- attempts;
- dependencies;
- evidence;
- and safe actions.
255. Operational Projection
May combine multiple contexts but is not authoritative for mutation.
256. Projection Rebuild
Safe and automated.
257. Projection Consistency
Expose source versions and freshness.
258. Operational Search Index
Optimized for support queries.
259. Search Reconciliation
Detect missing/outdated indexed resources.
260. Support Tool Security
Tenant, object, and field authorization remain mandatory.
261. Support Tool Availability
During incident, support tool should not depend entirely on failed service path.
262. Break-Glass Diagnostic Read
Controlled path for critical diagnosis.
263. Sensitive Diagnostic Data
Mask cost, personal data, secrets, and internal topology as appropriate.
264. Customer-Facing Status
External status should be understandable and not expose internals.
265. Internal Status
More detailed reason, owner, and dependency.
266. Status Consistency
Customer portal, support, and operational system should map from authoritative lifecycle.
267. Communication Trigger
Operational incident may require customer notification task.
268. ETA Risk
Avoid giving unsupported completion ETA from raw average.
269. Confidence
If showing forecast, expose confidence/range and assumptions.
270. Operational Analytics
Use historical data for:
- bottleneck;
- fallout;
- lead time;
- capacity;
- and reliability improvement.
271. Cohort Analysis
Compare product, tenant tier, market, channel, and release.
272. Long-Tail Analysis
Inspect p99 and worst-case transactions.
273. State Transition Analysis
Find repeated loops and abnormal transitions.
274. Retry Analysis
Identify dependency and error classes causing retries.
275. Manual Recovery Analysis
Frequent manual commands indicate design gaps.
276. Support Case Linkage
Link product telemetry with support ticket category and resolution.
277. Privacy in Analytics
Use minimal/pseudonymized data and controlled access.
278. Cost Observability
Track telemetry/storage/query cost.
279. Log Cost
Avoid unlimited verbose logging.
280. Trace Cost
Sampling and retention policy.
281. Metrics Cost
Cardinality governance.
282. Operational Retention
Different signals need different retention.
283. Hot Storage
Recent searchable data.
284. Cold Archive
Longer-term compressed evidence/analytics.
285. Retention by Purpose
- incident;
- trend;
- audit;
- capacity;
- and legal.
286. Observability Failure
Telemetry pipeline can fail.
287. Telemetry Backpressure
Should not crash business service.
288. Critical Audit Difference
Mandatory audit may fail closed or use durable buffer.
289. Metrics Loss
Can create monitoring blind spot.
290. Health Check
Technical process health.
291. Liveness Probe
Can process continue/restart decision.
292. Readiness Probe
Can receive traffic safely.
293. Dependency Health
Do not make readiness fail for every optional dependency.
294. Business Readiness
A service may be technically ready but unable to execute required business operation due to missing config/mapping.
295. Startup Validation
Verify:
- config;
- schema;
- secret;
- topic;
- and critical dependency compatibility.
296. Graceful Degradation
Optional features fail without corrupting core flow.
297. Graceful Shutdown
Stop accepting work, finish/hand off, commit offsets safely.
298. Draining
Long-running workers stop claiming new tasks.
299. Pod Restart Safety
Durable workflow and idempotency allow recovery.
300. Operational Invariants
Representative invariants:
- every non-terminal lifecycle exposes state age and expected next action;
- every external effect has correlation and attempt identity;
- every critical mismatch has reconciliation owner;
- every repair action is explicit, authorized, idempotent, and audited;
- support can reconstruct lifecycle without direct database mutation;
- every actionable alert has owner and tested runbook;
- and telemetry failures do not silently corrupt business state.
301. Observability Smells
- only infrastructure metrics;
- no business funnel;
- no state age;
- and no reason taxonomy.
302. Logging Smells
- raw payload logging;
- duplicate stack traces;
- IDs only in free text;
- and dynamic debug never expires.
303. Tracing Smells
- trace stops at Kafka;
- one trace expected to live for weeks;
- and no business ID search.
304. Alerting Smells
- CPU alerts without customer symptom;
- no runbook;
- static threshold for all states;
- and DLQ ignored.
305. Dashboard Smells
- dashboard as wall decoration;
- no drill-down;
- stale projection not shown;
- and mixed tenant visibility.
306. Support Smells
- direct SQL;
- “set status” button;
- no preview;
- and no reconciliation after repair.
307. Runbook Smells
- copy-paste shell commands;
- no owner;
- not tested;
- and references retired services.
308. Operational Model Smells
- nobody owns cross-context lifecycle;
- incident handoff between teams loops;
- and on-call sees only technical service names.
309. Anti-Patterns
Metrics without Business Meaning
System appears healthy while orders are stuck.
Correlation by Timestamp
Ambiguous and unreliable.
Logs as State Store
History is incomplete and retention-dependent.
Alert Everything
Operators ignore pages.
Dashboard without Action
No diagnosis or recovery path.
Support SQL as Product Feature
Authority, audit, and invariants are bypassed.
Retry Button for UNKNOWN
Duplicate effects occur.
Runbook Never Exercised
Fails during incident.
310. Operational Question Template
## Question
## Authoritative Facts Required
## Correlation IDs
## Metrics / Logs / Traces / Audit
## Expected Normal State
## Failure Classifications
## Safe Actions
## Owner / Escalation
## Runbook
311. Business SLI Template
SLI:
Business scope:
Numerator:
Denominator:
Window:
Dimensions:
Exclusions:
Target:
Alert:
Owner:
312. Alert Template
Alert:
Customer/business symptom:
Condition:
Window:
Severity:
Affected cohort:
Owner:
Dashboard:
Runbook:
Automatic containment:
313. Support Timeline Template
Resource:
Current state/version:
State entered:
Expected next action:
Owner:
Dependencies/barriers:
Commands:
Events:
Attempts:
Reason codes:
Audit/evidence:
Safe actions:
314. Runbook Template
## Trigger / Alert
## Customer and Business Impact
## Preconditions / Access
## Diagnosis
## Authority and Safety Checks
## Containment
## Recovery Commands
## Reconciliation / Validation
## Escalation
## Communication
## Rollback / Residual Risk
## Post-Incident Actions
## Last Tested / Owner
315. Repair Command Template
Command:
Resource/version:
Case/incident:
Reason:
Preconditions:
Preview:
Idempotency:
Expected effects:
Authorization:
Audit:
Post-reconciliation:
316. Reconciliation Coverage Template
| Invariant | Authority A | Authority B | Window | Detector | Owner | Repair |
|---|---|---|---|---|---|---|
| Active Product has charge | Inventory | Billing | 15 min | scheduled/event | Billing Ops | Activate/link/correct |
| Accepted item has Order outcome | Acceptance | Product Order | 5 min | process sweep | Order Ops | Retry/reconcile |
| Completed ADD has Product | Order | Inventory | 10 min | completion barrier | Inventory Ops | Link/create after evidence |
317. Operational Readiness Template
## Ownership / On-Call
## SLIs / SLOs / Error Budget
## Metrics / Logs / Traces / Audit
## Dashboards
## Alerts
## Business Correlation
## State-Age / Stuck Detection
## Reconciliation
## Repair Commands
## Runbooks / Game Days
## Capacity / Degradation
## Security / Support Access
## Release / Rollback
318. Worked Example: Quote Approval Stuck
Dashboard shows:
- Quote
APPROVAL_PENDINGfor 18 hours; - one required approver group unresolved;
- policy version;
- assignment rule;
- owner queue;
- no technical errors.
Safe action:
- resolve assignment or escalate, not set Quote approved.
319. Worked Example: Acceptance without Order
Acceptance exists and event published.
Quote-to-Order process state is CREATING_ORDERS.
Downstream lookup finds one Order created after timeout.
Repair links existing Order and continues reconciliation.
320. Worked Example: Stuck Barrier
Order Item waits on installation barrier.
Support graph shows router shipment completed, capacity reserved, site access missing.
Customer Operations owns next action.
321. Worked Example: Duplicate Billing Risk
Billing activation operation timed out.
Support view shows state UNKNOWN and scheduled retry blocked.
Lookup by accepted charge ID finds active Billing Charge.
Reconciliation marks success and cancels retry.
322. Worked Example: Active Product Unbilled
Inventory activation occurred 40 minutes ago.
Billing SLO is 15 minutes.
Reconciliation opens high-priority case and estimates revenue leakage.
323. Worked Example: Stale Projection
Search says Order is IN_PROGRESS.
Authoritative Order version shows COMPLETED.
Support UI displays projection freshness and provides rebuild command.
324. Worked Example: Release Regression
Canary version shows 4× pricing p99 and increased timeout rate only for large bundles.
Release dashboard triggers rollback before broad rollout.
325. Worked Example: Tenant-Specific Incident
One tenant connector returns malformed callbacks.
Tenant-scoped kill switch and queue isolation protect other tenants.
326. Worked Example: Outbox Backlog
Oldest outbox record age exceeds target.
Business funnel shows Product activation events not reaching Billing.
Incident focuses on publisher rather than Billing first.
327. Worked Example: DLQ Poison Event
A new enum breaks one consumer.
DLQ entry is owned, correlated to event/schema version, and repaired using compatible consumer/upcaster.
328. Worked Example: Direct SQL Toil
Support manually updates 20 Order statuses each week.
Analysis creates explicit ReconcileOrderItemOutcome command and removes recurring SQL procedure.
329. Worked Example: Game Day
Team injects delayed supplier response and duplicate callback.
Expected behavior:
- UNKNOWN state;
- no blind retry;
- reconciliation;
- idempotent completion;
- and runbook execution.
330. Worked Example: Audit Pipeline Failure
Mandatory approval audit buffer reaches capacity.
High-risk approval actions fail closed while read-only operations remain available.
Alert and runbook guide recovery.
331. Worked Example: Large Multi-Site Order
Support dashboard summarizes 10,000 items by wave/site state and drills into one failed branch without loading entire graph.
332. Worked Example: Customer Status
Customer portal shows:
Installation scheduling requires customer site-access confirmation.
Internal view additionally shows barrier IDs, owner queue, attempts, and rule versions.
333. Senior Engineer Operating Model
Start with operational questions
Not telemetry products.
Instrument domain state and invariants
State age, expected next action, and reason codes.
Preserve correlation across async boundaries
Business and technical identities.
Design support views as product capabilities
Not database access.
Alert on symptoms and business risk
Then attach technical causes.
Make repairs explicit and safe
Guarded, idempotent, audited, reconciled.
Test runbooks and failure modes
Game days and chaos scenarios.
Measure operational toil
Convert recurring manual work into capability.
Correlate releases, config, rules, and incidents
Version is part of diagnosis.
334. Internal Verification Checklist
Lifecycle visibility
- Bisakah support menelusuri Quote-to-Order tanpa direct database access?
- Are current state, state entry time, expected next action, and owner visible?
- Can one view show Quote, Acceptance, Agreement, Orders, Products, and Billing lineage?
- Are partial outcomes and residual scope visible?
Correlation
- Bagaimana correlation identity dipertahankan lintas service dan events?
- Are command, event, operation, attempt, trace, and business IDs linked?
- Can external callbacks be reattached by stable business key?
- Can support search by all important internal/external IDs?
Metrics and alerts
- Apa alert untuk stuck Quote/Order, duplicate, atau reconciliation mismatch?
- Are business funnels and end-to-end lags measured?
- Are state-age thresholds state/product/tier aware?
- Are outbox, consumer lag, DLQ, unknown outcomes, and reservation leaks monitored?
Diagnostics
- Are reason codes stable, actionable, and owned?
- Can support see dependency/barrier explanations?
- Are logs structured and sensitive data redacted?
- Are trace gaps across async boundaries handled?
Reconciliation
- Which critical cross-context invariants have reconciliation?
- Are mismatch windows, owners, and repair commands explicit?
- Is reconciliation freshness visible?
- Can silent data-quality failures be detected?
Support tooling
- Are repair actions explicit domain commands?
- Do they support preview, expected version, idempotency, authorization, and audit?
- Are bulk corrections canaried and per-item?
- Is direct database mutation exceptional and tracked as product debt?
Runbooks and operations
- Runbook dan repair tools apa yang benar-benar diuji?
- Does every actionable alert link to a current runbook?
- Are game days/chaos scenarios performed?
- Are on-call ownership and escalation clear?
Release readiness
- Are dashboards/alerts annotated by application, config, rule, workflow, and mapping versions?
- Can canary cohorts be compared?
- Are business correctness signals part of release gates?
- Can telemetry/audit pipeline failures degrade safely?
335. Practical Exercises
Exercise 1 — Operational questions
Write 50 support questions and map required signals/authorities.
Exercise 2 — Business SLOs
Define SLOs for acceptance-to-order, order-to-activation, and activation-to-billing.
Exercise 3 — Support timeline
Design a unified timeline for one failed multi-site Order.
Exercise 4 — Alert review
Replace noisy infrastructure alerts with actionable business symptoms.
Exercise 5 — Repair catalog
Convert common SQL procedures into guarded domain commands.
Exercise 6 — Game day
Inject timeout, duplicate callback, event gap, projection lag, and Billing mismatch.
336. Part Completion Checklist
You are done if you can:
- distinguish monitoring, observability, supportability, and audit;
- define domain/business golden signals;
- measure lifecycle state age and business lag;
- propagate correlation across HTTP, events, workflows, and external callbacks;
- design structured logs, traces, metrics, and dashboards;
- detect stuck processes, duplicate effects, and reconciliation mismatches;
- provide secure support search and unified lifecycle timeline;
- replace database archaeology with safe repair commands;
- create tested runbooks and operational readiness reviews;
- and create an internal observability/supportability verification backlog.
337. Key Takeaways
- Infrastructure health does not guarantee business correctness.
- Observability should start from operational questions and invariants.
- State age and expected next action make long-running flows diagnosable.
- Business and technical correlation IDs must coexist.
- Reconciliation is a core observability mechanism.
- Alerts must be actionable and linked to tested runbooks.
- Support tooling should expose safe domain commands, not arbitrary status edits.
- Release/config/rule versions belong in operational diagnosis.
- Repeated manual recovery is measurable product debt.
- Internal CSG observability, support, and runbooks must be verified.
338. References
Conceptual baseline:
- Monitoring and observability practices using metrics, structured logs, distributed traces, exemplars, RED, USE, SLIs, SLOs, error budgets, and burn-rate alerting.
- Domain/business observability, state-age monitoring, reason taxonomies, correlation, long-running workflow diagnostics, and reconciliation.
- Incident management, operational readiness reviews, runbooks, game days, chaos engineering, post-incident reviews, and toil reduction.
- Secure support tooling, privileged diagnostics, explicit repair commands, audit trails, and tenant-aware operational projections.
- Distributed systems outbox/inbox, event lag, ambiguous outcomes, idempotency, and recovery.
These references do not define internal CSG monitoring platforms, alert thresholds, support tooling, on-call model, or operational targets.
You just completed lesson 47 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.
Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.