Series MapLesson 47 / 50
Focus mode active/Press Alt+Shift+R to toggle/Esc to exit
Final StretchOrdered learning track

Business Observability, Correlation, Diagnostics, Runbooks, and Support Tooling

Observability, Supportability, and Operational Model

Membuat lifecycle quote/order dapat didiagnosis dan dipulihkan tanpa database archaeology.

31 min read6081 words
PrevNext
Lesson 4750 lesson track42–50 Final Stretch
#observability#supportability#diagnostics#runbook+1 more

Part 047 — Business Observability, Correlation, Diagnostics, Runbooks, and Support Tooling

Positioning

Observability pada enterprise Quote-to-Order bukan hanya:

  • CPU;
  • memory;
  • request latency;
  • error rate;
  • dan pod health.

Sistem dapat terlihat sehat secara infrastructure tetapi bisnis tetap gagal:

  • Quote tertahan di approval;
  • accepted Offer tidak menghasilkan Product Order;
  • Order Item menunggu barrier yang salah;
  • Product aktif tetapi Billing charge tidak dibuat;
  • Inventory dan fulfillment berbeda;
  • retries menciptakan duplicate supplier order;
  • atau satu tenant mengalami backlog tanpa alarm platform.

Supportability juga bukan berarti memberi support engineer akses SQL production.

Core thesis: observability harus dimulai dari business invariants dan operational questions. Setiap lifecycle membutuhkan correlation, state age, reason code, attempt history, expected next action, authority, evidence, reconciliation, dan safe repair command—sehingga diagnosis dan recovery dapat dilakukan tanpa database archaeology.


1. Observability

Observability adalah kemampuan menyimpulkan internal system state dari signals yang tersedia.


2. Monitoring

Monitoring memeriksa kondisi yang sudah diketahui melalui metrics, checks, atau alerts.


3. Observability versus Monitoring

Monitoring asks:

Is the known condition healthy?

Observability asks:

Why is this specific lifecycle behaving unexpectedly?

4. Supportability

Supportability adalah kemampuan product untuk:

  • ditemukan;
  • dipahami;
  • didiagnosis;
  • direkonsiliasi;
  • dipulihkan;
  • dan dijelaskan

oleh authorized operational users.


5. Operability

Operability mencakup:

  • deployment;
  • runtime control;
  • scaling;
  • incident handling;
  • maintenance;
  • backup/restore;
  • and recovery.

6. Business Observability

Business observability memantau facts dan invariants domain.

Examples:

  • Quote state age;
  • approval wait time;
  • acceptance-to-order latency;
  • Product activation-to-billing lag;
  • reconciliation mismatch count;
  • and manual recovery rate.

7. Technical Observability

Technical observability covers:

  • application latency;
  • throughput;
  • errors;
  • saturation;
  • logs;
  • traces;
  • queues;
  • database;
  • and infrastructure.

8. Combined View

Business and technical signals must correlate.

Example:

Order backlog rose because supplier API latency exceeded timeout,
which created UNKNOWN attempts and blocked dependency barriers.

9. Operational Question First

Before selecting tools, list questions support must answer.


10. Core Quote Question

Why can this Quote not be submitted, approved, presented, or accepted?

11. Core Order Question

Why is this Product Order or Item not progressing?

12. Core Inventory Question

What Product actually exists, and which Order created or changed it?

13. Core Billing Question

Why is this Product not billed, or why is this charge still active?

14. Core Recovery Question

What is the safest next command, and what evidence is required?

15. Golden Signals

Technical golden signals commonly include:

  • latency;
  • traffic;
  • errors;
  • saturation.

16. Domain Golden Signals

Useful domain signals include:

  • lifecycle throughput;
  • state age;
  • failure/fallout rate;
  • business lag;
  • duplicate rate;
  • mismatch rate;
  • and recovery time.

17. RED Method

For request-driven services:

  • Rate;
  • Errors;
  • Duration.

18. USE Method

For resources:

  • Utilization;
  • Saturation;
  • Errors.

19. Domain RED

For a business command:

  • command rate;
  • rejected/failed/unknown rate;
  • completion duration.

20. Lifecycle Funnel

Example:

Quote Created
-> Submitted
-> Approved
-> Presented
-> Accepted
-> Product Order Created
-> Product Activated
-> Billing Activated

21. Funnel Conversion

Measure transition success from one stage to next.


22. Funnel Drop-Off

Drop-off may reveal:

  • validation failure;
  • approval delay;
  • customer abandonment;
  • integration failure;
  • or missing event.

23. Funnel Cohort

Segment by:

  • tenant;
  • market;
  • product;
  • channel;
  • value;
  • and software version.

24. Business Latency

Time between meaningful lifecycle facts.


25. Quote Creation-to-Submission

Measures configuration/sales-cycle process behavior.


26. Submission-to-Approval

Approval wait and processing time.


27. Approval-to-Presentation

Proposal/rendering and channel delay.


28. Acceptance-to-Order

Quote-to-Order transformation latency.


29. Order-to-Activation

Fulfillment lead time.


30. Activation-to-Billing

Revenue-leakage-sensitive lag.


31. Time Categories

For long-running flow, separate:

  • active processing;
  • waiting for dependency;
  • waiting for customer;
  • waiting for approval;
  • retry delay;
  • and manual queue time.

32. State Age

Current time minus time entered current state.


33. State Entry Time

Must be recorded explicitly.


34. State Age Threshold

Threshold should depend on:

  • state;
  • product;
  • priority;
  • tenant tier;
  • and SLA.

35. Stuck versus Slow

A slow process may still progress.

A stuck process has no valid progression or expected action.


36. Expected Next Action

Every non-terminal lifecycle should expose:

  • expected event/command;
  • responsible owner;
  • timer/deadline;
  • and dependency.

37. Progress Marker

Examples:

  • last completed node;
  • last aggregate version;
  • last received event;
  • last retry;
  • and last reconciliation.

38. Heartbeat

Useful for long-running external work, but heartbeat absence does not prove business failure.


39. Milestone Observability

Track achieved and missing milestones.


40. Barrier Observability

A barrier should show:

  • required predecessors;
  • satisfied inputs;
  • missing inputs;
  • timeout;
  • and release policy.

41. Dependency Observability

Explain blocked node path.


42. Why-Is-It-Waiting View

Example:

Order Item OI-45 is waiting on INSTALLATION_READY.
INSTALLATION_READY requires:
- Capacity reservation: complete
- Router delivery: complete
- Site access confirmation: missing
Owner: Customer Operations
Due: 2026-07-12 10:00 Asia/Jakarta

43. Reason Code

Stable machine-readable classification.


44. Reason Message

Human-readable explanation.


45. Reason Detail

Structured context:

  • failed rule;
  • field;
  • dependency;
  • downstream code;
  • and evidence reference.

46. Reason Taxonomy

Should cover:

  • validation;
  • authorization;
  • business conflict;
  • dependency;
  • technical;
  • timeout;
  • unknown outcome;
  • external rejection;
  • and data mismatch.

47. Reason Ownership

Each reason code has owning context/team.


48. Reason Actionability

Reason should suggest:

  • retry;
  • correct data;
  • request approval;
  • reconcile;
  • replan;
  • contact customer;
  • or manual review.

49. Generic Error Smell

PROCESSING_FAILED

is insufficient without structured cause.


50. Correlation Identity

Correlation connects related operations across contexts.


51. Primary Business Correlations

Examples:

  • Quote ID;
  • Quote Revision;
  • Offer/Proposal ID;
  • Acceptance ID;
  • Agreement ID;
  • Product Order ID;
  • Order Item ID;
  • Fulfillment Plan ID;
  • Product ID;
  • Billing Charge ID;
  • and Fallout ID.

52. Technical Correlations

Examples:

  • trace ID;
  • span ID;
  • request ID;
  • command ID;
  • operation ID;
  • event ID;
  • attempt ID;
  • and idempotency key reference.

53. Correlation versus Identity

Correlation groups related work.

It does not replace stable resource identity.


54. Causation

Links one command/event to the next effect.


55. Correlation Propagation

Propagate through:

  • HTTP headers;
  • message envelopes;
  • workflow context;
  • logs;
  • and audit.

56. Correlation Loss

Common at:

  • async boundaries;
  • retries;
  • batch fan-out;
  • external callbacks;
  • and manual recovery.

57. Correlation Restoration

Use stable business keys to reattach external callback or existing effect.


58. Correlation Cardinality

Avoid putting raw high-cardinality IDs on every metrics series.

Use logs/traces for individual IDs.


59. Trace

A distributed trace represents one causal operation path.


60. Span

One unit of work within trace.


61. Span Attributes

Possible:

  • context;
  • command;
  • resource type;
  • tenant cohort;
  • result;
  • downstream;
  • and retry attempt.

62. Sensitive Span Data

Do not include:

  • full proposal;
  • PII;
  • cost;
  • secrets;
  • and raw tokens.

Messages may use trace links rather than direct parent-child when processing is delayed/fan-out.


64. Long-Running Trace

One trace over days may be impractical.

Use business correlation plus per-operation traces.


65. Trace Sampling

Use:

  • head sampling;
  • tail sampling;
  • error sampling;
  • high-value transaction sampling;
  • and tenant-aware controlled sampling.

66. Tail Sampling

Keeps traces based on final outcome/latency.


67. Sampling Risk

Rare critical business failures may be missed.


68. Trace Retention

Different from audit retention.


69. Log

Structured diagnostic record.


70. Structured Logging

Prefer fields over concatenated strings.


71. Log Fields

Representative:

timestamp
level
service
context
tenantCohort
operation
resourceType
resourceId
version
correlationId
causationId
attemptId
reasonCode
outcome

72. Log Level

  • DEBUG;
  • INFO;
  • WARN;
  • ERROR.

Use consistently.


73. Error Log

One failure should not generate dozens of duplicate ERROR logs across layers.


74. Error Ownership

Log ERROR at layer that owns action/remediation.

Lower layers can add context at lower severity.


75. Stack Trace

Useful for unexpected code failure, not every domain rejection.


76. Domain Rejection Log

Structured INFO/WARN depending significance.


77. Log Redaction

Protect sensitive fields.


78. Log Injection

Sanitize untrusted text/newlines.


79. Log Volume

High-volume item processing can overload logging.


80. Dynamic Logging

Temporary scoped increase for:

  • tenant;
  • Order;
  • service;
  • or correlation.

Must expire automatically.


81. Debug Session

Case-linked, authorized, time-limited.


82. Audit Query

Operational support may need read-only audit timeline.


83. Audit versus Log Timeline

Audit proves actions; logs explain implementation symptoms.


84. Unified Timeline

A support view can combine:

  • domain transitions;
  • events;
  • commands;
  • attempts;
  • audit;
  • and alerts.

Each item retains source authority.


85. Metrics

Numeric time-series signals.


86. Counter

Monotonic count of events.


87. Gauge

Current value such as queue depth.


88. Histogram

Distribution for latency/size.


89. Summary

Client-side quantiles; often less aggregatable.


90. Percentiles

Use p50, p90, p95, p99 based on use case.


91. Average Trap

Average hides long-tail latency.


92. Cardinality

Metrics dimensions must be bounded.


93. High-Cardinality Labels

Avoid:

  • Quote ID;
  • Order ID;
  • customer name;
  • raw error message.

94. Useful Metric Dimensions

Controlled dimensions:

  • context;
  • operation;
  • state;
  • reason class;
  • product family;
  • market;
  • tenant tier;
  • and version.

95. Exemplars

Link a metric sample to trace without high-cardinality label.


96. SLI

Service Level Indicator measures service behavior.


97. SLO

Target for SLI over window.


98. SLA

External/contractual commitment.


99. Error Budget

Allowed unreliability under SLO.


100. Technical SLI

Examples:

  • API availability;
  • command latency;
  • event lag;
  • database saturation.

101. Business SLI

Examples:

  • accepted-to-order success;
  • Product activation success;
  • Billing activation lag;
  • reconciliation closure time.

102. Correctness SLI

Examples:

  • duplicate Order rate;
  • invalid transition rate;
  • missing lineage;
  • and mismatch rate.

103. Timeliness SLI

Examples:

  • state progression within target;
  • approval within target;
  • and event projection freshness.

104. Completeness SLI

Examples:

  • every accepted item has transformation outcome;
  • every completed ADD has Product outcome;
  • every active billable Product has charge.

105. SLO Scope

Define by:

  • operation;
  • tenant tier;
  • market;
  • product class;
  • and maintenance exclusions.

106. Availability SLO Risk

A service may return 200 while business result is invalid.


107. Semantic Availability

Operation is available only if it can produce correct governed outcome.


108. Dependency SLO

External dependencies should have:

  • availability;
  • latency;
  • timeout;
  • and error contract.

109. Composite SLO

End-to-end lifecycle depends on multiple components.


110. Error Budget Policy

Can influence:

  • feature rollout;
  • reliability work;
  • and incident response.

111. Alert

Notification that action may be required.


112. Symptom-Based Alert

Alert on customer/business impact.


113. Cause-Based Alert

Alert on suspected technical cause.


114. Symptom First

Prefer alerts like:

Acceptance-to-Order completion below target

over only:

CPU > 80%

115. Alert Actionability

Every alert should have:

  • owner;
  • severity;
  • runbook;
  • context;
  • and expected action.

116. Alert Fatigue

Too many noisy alerts reduce response quality.


117. Alert Deduplication

Group related symptoms.


118. Alert Suppression

During known maintenance or parent incident, with controls.


119. Multi-Window Burn Rate

Detect fast and slow SLO consumption.


120. State-Age Alert

Example:

APPROVAL_PENDING > threshold

121. Queue-Age Alert

Oldest item is often more informative than queue size.


122. Unknown-Outcome Alert

High risk because retry/compensation is blocked.


123. Duplicate Alert

Examples:

  • duplicate Acceptance;
  • Product Order;
  • Inventory Product;
  • Billing Charge.

124. Reconciliation Alert

Mismatch count/age exceeds target.


125. Outbox Alert

Outbox oldest unpublished record age.


126. Consumer Lag Alert

Use business impact and partition-specific context.


127. DLQ Alert

Every new critical DLQ record must have ownership.


128. Reservation Leak Alert

Expired/ownerless reservations.


129. Timer Alert

Durable timer missing, overdue, or duplicated.


130. Workflow Stuck Alert

No progress marker within expected window.


131. Data Quality Alert

Impossible state or broken lineage.


132. Tenant-Specific Alert

Large tenant may need dedicated threshold and routing.


133. Release Regression Alert

Compare version/cohort.


134. Alert Context

Include:

  • service/context;
  • affected operation;
  • reason;
  • start time;
  • affected cohort;
  • relevant dashboard;
  • and runbook.

135. Dashboard

A dashboard should answer a defined operational question.


136. Executive Dashboard

Shows:

  • lifecycle throughput;
  • conversion;
  • lead time;
  • correctness;
  • and customer impact.

137. Product Operations Dashboard

Shows state funnels, backlog, fallout, and SLA.


138. Engineering Dashboard

Shows latency, errors, saturation, event lag, and DB/queue health.


139. Support Dashboard

Searches and explains individual transaction.


140. Reconciliation Dashboard

Shows mismatches by authority, severity, and age.


141. Tenant Health Dashboard

Shows cohort/tenant-specific impact with controlled access.


142. Release Dashboard

Compares old/new version or canary cohort.


143. Quote Dashboard

Useful views:

  • Quotes by state;
  • state age;
  • pricing errors;
  • approval backlog;
  • proposal generation failures;
  • acceptance failures.

144. Order Dashboard

Useful views:

  • Orders by state;
  • Item status;
  • critical path;
  • active attempts;
  • stuck barriers;
  • fallout;
  • cancellation.

145. Inventory Dashboard

Useful views:

  • planned/active/terminating;
  • missing lineage;
  • Product outcome lag;
  • reconciliation mismatch.

146. Billing Dashboard

Useful views:

  • handoff status;
  • active Products without charges;
  • terminated Products with active charges;
  • activation lag;
  • duplicate charges.

147. Dashboard Anti-Pattern

One giant dashboard with hundreds of unrelated panels.


148. Drill-Down

From aggregate metric to:

  • cohort;
  • context;
  • transaction search;
  • and trace/log/audit timeline.

Search by business IDs and external references.


150. Search Inputs

  • Quote number;
  • Acceptance ID;
  • Agreement;
  • Order;
  • Product;
  • supplier reference;
  • Billing Charge;
  • customer/account/site;
  • correlation;
  • and idempotency key reference.

151. Search Authorization

Search must enforce tenant/object/field permissions.


152. Search Freshness

Show projection update time/version.


153. Authoritative Read

Support action guards must query authority, not stale search index.


154. Support Case Context

Attach diagnostic session to support/incident case.


155. Support Timeline

Displays:

  • lifecycle transitions;
  • state age;
  • commands;
  • events;
  • attempts;
  • failures;
  • manual changes;
  • and current blockers.

156. Support Dependency Graph

Visualize active Plan/orchestration graph.


157. Support Diff

Compare:

  • Quote revisions;
  • as-ordered/as-built;
  • expected/actual Billing;
  • and old/new Plan.

158. Support Evidence

Links to immutable:

  • price snapshot;
  • approval;
  • proposal;
  • acceptance;
  • and reconciliation.

159. Support Actions

Only explicit authorized commands.


160. Support Action Preview

Show:

  • preconditions;
  • intended state change;
  • downstream effects;
  • risk;
  • and required approval.

161. Support Action Result

Per-command operation ID, outcome, and reconciliation.


162. Direct Database Access

Should not be standard support workflow.


163. Database Archaeology

Manual joins across tables to infer lifecycle.

Symptoms:

  • no unified identity;
  • no state history;
  • no event timeline;
  • and no support projection.

164. Database Access Exception

If unavoidable:

  • read-only by default;
  • case-linked;
  • JIT;
  • audited;
  • and replaced with product capability backlog.

165. Safe Repair Tooling

Examples:

  • RetryOperation;
  • ReconcileExternalOutcome;
  • RebuildProjection;
  • LinkExistingExternalResource;
  • ReleaseStaleReservation;
  • ReplanAffectedScope;
  • CorrectLineage;
  • and RecordManualCompletion.

166. Unsafe Repair Tooling

Examples:

  • SetAnyStatus;
  • DeleteFailedEvent;
  • IncrementVersion;
  • ClearAllLocks;
  • ExecuteArbitrarySQL.

167. Repair Command Guard

Check:

  • resource version;
  • current state;
  • authority;
  • active attempts;
  • idempotency;
  • and evidence.

168. Repair Command Idempotency

Repeated same command must converge safely.


169. Repair Dry Run

Useful for:

  • bulk reconciliation;
  • data correction;
  • and replan.

170. Bulk Repair

Needs:

  • impact query;
  • canary;
  • per-item result;
  • stop/continue policy;
  • and manifest.

171. Repair Audit

Record before/after, actor, reason, case, and outcome.


172. Repair Reconciliation

After repair, verify all affected authorities/projections.


173. Runbook

Runbook is tested operational procedure.


174. Runbook Contents

  • trigger/alert;
  • impact;
  • diagnosis;
  • safety checks;
  • containment;
  • recovery;
  • validation;
  • escalation;
  • and post-incident follow-up.

175. Runbook Owner

Named team/role.


176. Runbook Version

Track version and last tested date.


177. Runbook Preconditions

Required access, tools, and evidence.


178. Runbook Decision Tree

Branch by observed facts.


179. Runbook Automation

Automate deterministic safe steps.


180. Runbook Danger

Blind copy-paste commands can amplify incident.


181. Executable Runbook

Tool-guided workflow with guards and audit.


182. Runbook Test

Use game days or staging simulations.


183. Runbook Drift

Procedure no longer matches current architecture.


184. Operational Readiness Review

Before release verify:

  • metrics;
  • alerts;
  • dashboard;
  • runbook;
  • repair;
  • ownership;
  • capacity;
  • and rollback.

185. Production Readiness Checklist

Should be required for new critical lifecycle.


186. Service Catalog

Inventory of services/contexts and operational metadata.


187. Service Catalog Fields

  • owner;
  • on-call;
  • repository;
  • deployment;
  • dependencies;
  • SLO;
  • dashboard;
  • alerts;
  • runbooks;
  • data stores;
  • and contracts.

188. Dependency Map

Shows runtime dependencies and criticality.


189. Critical Dependency

Failure blocks core business flow.


190. Optional Dependency

Can fail open or degrade.


191. Dependency Failure Policy

Document:

  • timeout;
  • retry;
  • circuit;
  • fallback;
  • and manual process.

192. Failure Mode and Effects Analysis

List failure mode, effect, detection, mitigation, and recovery.


193. Operational Hazard Analysis

Focus on high-impact combinations:

  • timeout + retry;
  • stale cache + acceptance;
  • event gap + Billing;
  • and partial compensation.

194. Game Day

Controlled exercise of operational scenario.


195. Chaos Experiment

Inject technical failure with safety limits.


196. Business Chaos Scenario

Examples:

  • duplicate event;
  • delayed supplier;
  • missing Product activation;
  • stale approval;
  • and Billing mismatch.

197. Abort Condition

Every experiment needs stop criteria.


198. Evidence Capture

Record experiment and observed behavior.


199. Recovery Objective

Define expected recovery time and residual state.


200. Incident

Unplanned interruption, degradation, or correctness risk.


201. Incident Severity

Based on:

  • customer impact;
  • financial impact;
  • tenant count;
  • security/regulatory risk;
  • and duration.

202. Incident Commander

Coordinates response.


203. Technical Lead

Leads diagnosis/recovery.


204. Communications Lead

Coordinates stakeholder/customer updates.


205. Scribe

Maintains timeline and decisions.


206. Incident Timeline

Combine:

  • alert;
  • deployment;
  • state changes;
  • commands;
  • and communications.

207. Containment

Stop additional harm.

Examples:

  • pause consumer;
  • disable mapping;
  • block acceptance;
  • halt Billing;
  • or tenant-scoped kill switch.

208. Mitigation

Restore service or reduce impact.


209. Recovery

Return to safe intended state.


210. Resolution

Incident no longer active, residual tasks remain tracked.


211. Post-Incident Review

Focus on systemic learning, not blame.


212. Root Cause

Underlying condition enabling incident.


213. Trigger

Immediate event exposing condition.


214. Contributing Factors

Multiple system/process weaknesses.


215. Corrective Action

Prevents recurrence or improves detection/recovery.


216. Action Owner and Due Date

Required for follow-through.


217. Recurrence Detection

Track similar reason codes/incidents.


218. Problem Management

Longer-term elimination of recurring incidents.


219. Known Error

Document root cause and safe workaround.


220. Error Budget Review

Reliability work may be prioritized when budget exhausted.


221. On-Call Model

Define:

  • primary;
  • secondary;
  • escalation;
  • business/domain expert;
  • and vendor contact.

222. Follow-the-Sun

Can reduce response time but needs clean handoff.


223. On-Call Handoff

Include active incidents, risky changes, and backlog.


224. On-Call Load

Measure pages, interruptions, and after-hours burden.


225. Page Quality

Actionable pages, low noise.


226. Operational Toil

Manual repetitive work with low enduring value.


227. Toil Examples

  • manual retry;
  • SQL status repair;
  • copying IDs;
  • and daily mismatch spreadsheet.

228. Toil Reduction

Automate with guarded product capabilities.


229. Supportability Backlog

Track missing:

  • correlation;
  • diagnostics;
  • reason codes;
  • repair commands;
  • and runbooks.

230. Operational Ownership

Team owns production behavior, not only code delivery.


231. Operational Capability Boundary

Some shared capabilities may be platform-provided:

  • telemetry;
  • alerting;
  • tracing;
  • incident tooling;
  • and audit transport.

Domain team owns business signals and runbooks.


232. Environment Parity

Staging should reproduce important operational behavior.


233. Synthetic Transaction

Continuously tests critical flow.


234. Synthetic Quote Flow

Create/configure/price/test Quote using non-production tenant/data.


235. Synthetic Order Flow

Exercise transformation and controlled downstream test doubles.


236. Synthetic Safety

Must not create real customer/Billing effects.


237. Canary

Small production cohort receives new version.


238. Canary Metrics

Compare:

  • latency;
  • errors;
  • business funnel;
  • mismatches;
  • and support signals.

239. Dark Launch

New code runs without affecting result.


240. Shadow Traffic

Replay/duplicate requests to new path with protected side effects.


241. Release Annotation

Dashboards mark deploy/config/rule changes.


242. Change Correlation

Link incident to:

  • app version;
  • schema;
  • config;
  • rule;
  • workflow;
  • and extension version.

243. Config Observability

Show active configuration epoch/version.


244. Rule Observability

Show rule/version and evaluation outcome.


245. Workflow Observability

Show workflow definition version per instance.


246. Mapping Observability

Show mapping version for transformation/handoff.


247. Dependency Version

Show external API/connector version.


248. Data Quality Observability

Track:

  • missing identifiers;
  • invalid relationships;
  • duplicate outcomes;
  • and authority mismatch.

249. Reconciliation as Observability

Reconciliation detects silent correctness failures that metrics/logs may miss.


250. Reconciliation Coverage

List each critical cross-context invariant and corresponding job/check.


251. Reconciliation Ownership

Every mismatch type needs owner and repair path.


252. Reconciliation Freshness

When was last successful check?


253. Reconciliation Blind Spot

No comparison exists for a critical boundary.


254. Operational Data Model

Support projection should represent:

  • lifecycle;
  • current state;
  • blockers;
  • attempts;
  • dependencies;
  • evidence;
  • and safe actions.

255. Operational Projection

May combine multiple contexts but is not authoritative for mutation.


256. Projection Rebuild

Safe and automated.


257. Projection Consistency

Expose source versions and freshness.


258. Operational Search Index

Optimized for support queries.


259. Search Reconciliation

Detect missing/outdated indexed resources.


260. Support Tool Security

Tenant, object, and field authorization remain mandatory.


261. Support Tool Availability

During incident, support tool should not depend entirely on failed service path.


262. Break-Glass Diagnostic Read

Controlled path for critical diagnosis.


263. Sensitive Diagnostic Data

Mask cost, personal data, secrets, and internal topology as appropriate.


264. Customer-Facing Status

External status should be understandable and not expose internals.


265. Internal Status

More detailed reason, owner, and dependency.


266. Status Consistency

Customer portal, support, and operational system should map from authoritative lifecycle.


267. Communication Trigger

Operational incident may require customer notification task.


268. ETA Risk

Avoid giving unsupported completion ETA from raw average.


269. Confidence

If showing forecast, expose confidence/range and assumptions.


270. Operational Analytics

Use historical data for:

  • bottleneck;
  • fallout;
  • lead time;
  • capacity;
  • and reliability improvement.

271. Cohort Analysis

Compare product, tenant tier, market, channel, and release.


272. Long-Tail Analysis

Inspect p99 and worst-case transactions.


273. State Transition Analysis

Find repeated loops and abnormal transitions.


274. Retry Analysis

Identify dependency and error classes causing retries.


275. Manual Recovery Analysis

Frequent manual commands indicate design gaps.


276. Support Case Linkage

Link product telemetry with support ticket category and resolution.


277. Privacy in Analytics

Use minimal/pseudonymized data and controlled access.


278. Cost Observability

Track telemetry/storage/query cost.


279. Log Cost

Avoid unlimited verbose logging.


280. Trace Cost

Sampling and retention policy.


281. Metrics Cost

Cardinality governance.


282. Operational Retention

Different signals need different retention.


283. Hot Storage

Recent searchable data.


284. Cold Archive

Longer-term compressed evidence/analytics.


285. Retention by Purpose

  • incident;
  • trend;
  • audit;
  • capacity;
  • and legal.

286. Observability Failure

Telemetry pipeline can fail.


287. Telemetry Backpressure

Should not crash business service.


288. Critical Audit Difference

Mandatory audit may fail closed or use durable buffer.


289. Metrics Loss

Can create monitoring blind spot.


290. Health Check

Technical process health.


291. Liveness Probe

Can process continue/restart decision.


292. Readiness Probe

Can receive traffic safely.


293. Dependency Health

Do not make readiness fail for every optional dependency.


294. Business Readiness

A service may be technically ready but unable to execute required business operation due to missing config/mapping.


295. Startup Validation

Verify:

  • config;
  • schema;
  • secret;
  • topic;
  • and critical dependency compatibility.

296. Graceful Degradation

Optional features fail without corrupting core flow.


297. Graceful Shutdown

Stop accepting work, finish/hand off, commit offsets safely.


298. Draining

Long-running workers stop claiming new tasks.


299. Pod Restart Safety

Durable workflow and idempotency allow recovery.


300. Operational Invariants

Representative invariants:

  • every non-terminal lifecycle exposes state age and expected next action;
  • every external effect has correlation and attempt identity;
  • every critical mismatch has reconciliation owner;
  • every repair action is explicit, authorized, idempotent, and audited;
  • support can reconstruct lifecycle without direct database mutation;
  • every actionable alert has owner and tested runbook;
  • and telemetry failures do not silently corrupt business state.

301. Observability Smells

  • only infrastructure metrics;
  • no business funnel;
  • no state age;
  • and no reason taxonomy.

302. Logging Smells

  • raw payload logging;
  • duplicate stack traces;
  • IDs only in free text;
  • and dynamic debug never expires.

303. Tracing Smells

  • trace stops at Kafka;
  • one trace expected to live for weeks;
  • and no business ID search.

304. Alerting Smells

  • CPU alerts without customer symptom;
  • no runbook;
  • static threshold for all states;
  • and DLQ ignored.

305. Dashboard Smells

  • dashboard as wall decoration;
  • no drill-down;
  • stale projection not shown;
  • and mixed tenant visibility.

306. Support Smells

  • direct SQL;
  • “set status” button;
  • no preview;
  • and no reconciliation after repair.

307. Runbook Smells

  • copy-paste shell commands;
  • no owner;
  • not tested;
  • and references retired services.

308. Operational Model Smells

  • nobody owns cross-context lifecycle;
  • incident handoff between teams loops;
  • and on-call sees only technical service names.

309. Anti-Patterns

Metrics without Business Meaning

System appears healthy while orders are stuck.

Correlation by Timestamp

Ambiguous and unreliable.

Logs as State Store

History is incomplete and retention-dependent.

Alert Everything

Operators ignore pages.

Dashboard without Action

No diagnosis or recovery path.

Support SQL as Product Feature

Authority, audit, and invariants are bypassed.

Retry Button for UNKNOWN

Duplicate effects occur.

Runbook Never Exercised

Fails during incident.


310. Operational Question Template

## Question

## Authoritative Facts Required

## Correlation IDs

## Metrics / Logs / Traces / Audit

## Expected Normal State

## Failure Classifications

## Safe Actions

## Owner / Escalation

## Runbook

311. Business SLI Template

SLI:
Business scope:
Numerator:
Denominator:
Window:
Dimensions:
Exclusions:
Target:
Alert:
Owner:

312. Alert Template

Alert:
Customer/business symptom:
Condition:
Window:
Severity:
Affected cohort:
Owner:
Dashboard:
Runbook:
Automatic containment:

313. Support Timeline Template

Resource:
Current state/version:
State entered:
Expected next action:
Owner:
Dependencies/barriers:
Commands:
Events:
Attempts:
Reason codes:
Audit/evidence:
Safe actions:

314. Runbook Template

## Trigger / Alert

## Customer and Business Impact

## Preconditions / Access

## Diagnosis

## Authority and Safety Checks

## Containment

## Recovery Commands

## Reconciliation / Validation

## Escalation

## Communication

## Rollback / Residual Risk

## Post-Incident Actions

## Last Tested / Owner

315. Repair Command Template

Command:
Resource/version:
Case/incident:
Reason:
Preconditions:
Preview:
Idempotency:
Expected effects:
Authorization:
Audit:
Post-reconciliation:

316. Reconciliation Coverage Template

InvariantAuthority AAuthority BWindowDetectorOwnerRepair
Active Product has chargeInventoryBilling15 minscheduled/eventBilling OpsActivate/link/correct
Accepted item has Order outcomeAcceptanceProduct Order5 minprocess sweepOrder OpsRetry/reconcile
Completed ADD has ProductOrderInventory10 mincompletion barrierInventory OpsLink/create after evidence

317. Operational Readiness Template

## Ownership / On-Call

## SLIs / SLOs / Error Budget

## Metrics / Logs / Traces / Audit

## Dashboards

## Alerts

## Business Correlation

## State-Age / Stuck Detection

## Reconciliation

## Repair Commands

## Runbooks / Game Days

## Capacity / Degradation

## Security / Support Access

## Release / Rollback

318. Worked Example: Quote Approval Stuck

Dashboard shows:

  • Quote APPROVAL_PENDING for 18 hours;
  • one required approver group unresolved;
  • policy version;
  • assignment rule;
  • owner queue;
  • no technical errors.

Safe action:

  • resolve assignment or escalate, not set Quote approved.

319. Worked Example: Acceptance without Order

Acceptance exists and event published.

Quote-to-Order process state is CREATING_ORDERS.

Downstream lookup finds one Order created after timeout.

Repair links existing Order and continues reconciliation.


320. Worked Example: Stuck Barrier

Order Item waits on installation barrier.

Support graph shows router shipment completed, capacity reserved, site access missing.

Customer Operations owns next action.


321. Worked Example: Duplicate Billing Risk

Billing activation operation timed out.

Support view shows state UNKNOWN and scheduled retry blocked.

Lookup by accepted charge ID finds active Billing Charge.

Reconciliation marks success and cancels retry.


322. Worked Example: Active Product Unbilled

Inventory activation occurred 40 minutes ago.

Billing SLO is 15 minutes.

Reconciliation opens high-priority case and estimates revenue leakage.


323. Worked Example: Stale Projection

Search says Order is IN_PROGRESS.

Authoritative Order version shows COMPLETED.

Support UI displays projection freshness and provides rebuild command.


324. Worked Example: Release Regression

Canary version shows 4× pricing p99 and increased timeout rate only for large bundles.

Release dashboard triggers rollback before broad rollout.


325. Worked Example: Tenant-Specific Incident

One tenant connector returns malformed callbacks.

Tenant-scoped kill switch and queue isolation protect other tenants.


326. Worked Example: Outbox Backlog

Oldest outbox record age exceeds target.

Business funnel shows Product activation events not reaching Billing.

Incident focuses on publisher rather than Billing first.


327. Worked Example: DLQ Poison Event

A new enum breaks one consumer.

DLQ entry is owned, correlated to event/schema version, and repaired using compatible consumer/upcaster.


328. Worked Example: Direct SQL Toil

Support manually updates 20 Order statuses each week.

Analysis creates explicit ReconcileOrderItemOutcome command and removes recurring SQL procedure.


329. Worked Example: Game Day

Team injects delayed supplier response and duplicate callback.

Expected behavior:

  • UNKNOWN state;
  • no blind retry;
  • reconciliation;
  • idempotent completion;
  • and runbook execution.

330. Worked Example: Audit Pipeline Failure

Mandatory approval audit buffer reaches capacity.

High-risk approval actions fail closed while read-only operations remain available.

Alert and runbook guide recovery.


331. Worked Example: Large Multi-Site Order

Support dashboard summarizes 10,000 items by wave/site state and drills into one failed branch without loading entire graph.


332. Worked Example: Customer Status

Customer portal shows:

Installation scheduling requires customer site-access confirmation.

Internal view additionally shows barrier IDs, owner queue, attempts, and rule versions.


333. Senior Engineer Operating Model

Start with operational questions

Not telemetry products.

Instrument domain state and invariants

State age, expected next action, and reason codes.

Preserve correlation across async boundaries

Business and technical identities.

Design support views as product capabilities

Not database access.

Alert on symptoms and business risk

Then attach technical causes.

Make repairs explicit and safe

Guarded, idempotent, audited, reconciled.

Test runbooks and failure modes

Game days and chaos scenarios.

Measure operational toil

Convert recurring manual work into capability.

Correlate releases, config, rules, and incidents

Version is part of diagnosis.


334. Internal Verification Checklist

Lifecycle visibility

  • Bisakah support menelusuri Quote-to-Order tanpa direct database access?
  • Are current state, state entry time, expected next action, and owner visible?
  • Can one view show Quote, Acceptance, Agreement, Orders, Products, and Billing lineage?
  • Are partial outcomes and residual scope visible?

Correlation

  • Bagaimana correlation identity dipertahankan lintas service dan events?
  • Are command, event, operation, attempt, trace, and business IDs linked?
  • Can external callbacks be reattached by stable business key?
  • Can support search by all important internal/external IDs?

Metrics and alerts

  • Apa alert untuk stuck Quote/Order, duplicate, atau reconciliation mismatch?
  • Are business funnels and end-to-end lags measured?
  • Are state-age thresholds state/product/tier aware?
  • Are outbox, consumer lag, DLQ, unknown outcomes, and reservation leaks monitored?

Diagnostics

  • Are reason codes stable, actionable, and owned?
  • Can support see dependency/barrier explanations?
  • Are logs structured and sensitive data redacted?
  • Are trace gaps across async boundaries handled?

Reconciliation

  • Which critical cross-context invariants have reconciliation?
  • Are mismatch windows, owners, and repair commands explicit?
  • Is reconciliation freshness visible?
  • Can silent data-quality failures be detected?

Support tooling

  • Are repair actions explicit domain commands?
  • Do they support preview, expected version, idempotency, authorization, and audit?
  • Are bulk corrections canaried and per-item?
  • Is direct database mutation exceptional and tracked as product debt?

Runbooks and operations

  • Runbook dan repair tools apa yang benar-benar diuji?
  • Does every actionable alert link to a current runbook?
  • Are game days/chaos scenarios performed?
  • Are on-call ownership and escalation clear?

Release readiness

  • Are dashboards/alerts annotated by application, config, rule, workflow, and mapping versions?
  • Can canary cohorts be compared?
  • Are business correctness signals part of release gates?
  • Can telemetry/audit pipeline failures degrade safely?

335. Practical Exercises

Exercise 1 — Operational questions

Write 50 support questions and map required signals/authorities.

Exercise 2 — Business SLOs

Define SLOs for acceptance-to-order, order-to-activation, and activation-to-billing.

Exercise 3 — Support timeline

Design a unified timeline for one failed multi-site Order.

Exercise 4 — Alert review

Replace noisy infrastructure alerts with actionable business symptoms.

Exercise 5 — Repair catalog

Convert common SQL procedures into guarded domain commands.

Exercise 6 — Game day

Inject timeout, duplicate callback, event gap, projection lag, and Billing mismatch.


336. Part Completion Checklist

You are done if you can:

  • distinguish monitoring, observability, supportability, and audit;
  • define domain/business golden signals;
  • measure lifecycle state age and business lag;
  • propagate correlation across HTTP, events, workflows, and external callbacks;
  • design structured logs, traces, metrics, and dashboards;
  • detect stuck processes, duplicate effects, and reconciliation mismatches;
  • provide secure support search and unified lifecycle timeline;
  • replace database archaeology with safe repair commands;
  • create tested runbooks and operational readiness reviews;
  • and create an internal observability/supportability verification backlog.

337. Key Takeaways

  1. Infrastructure health does not guarantee business correctness.
  2. Observability should start from operational questions and invariants.
  3. State age and expected next action make long-running flows diagnosable.
  4. Business and technical correlation IDs must coexist.
  5. Reconciliation is a core observability mechanism.
  6. Alerts must be actionable and linked to tested runbooks.
  7. Support tooling should expose safe domain commands, not arbitrary status edits.
  8. Release/config/rule versions belong in operational diagnosis.
  9. Repeated manual recovery is measurable product debt.
  10. Internal CSG observability, support, and runbooks must be verified.

338. References

Conceptual baseline:

  • Monitoring and observability practices using metrics, structured logs, distributed traces, exemplars, RED, USE, SLIs, SLOs, error budgets, and burn-rate alerting.
  • Domain/business observability, state-age monitoring, reason taxonomies, correlation, long-running workflow diagnostics, and reconciliation.
  • Incident management, operational readiness reviews, runbooks, game days, chaos engineering, post-incident reviews, and toil reduction.
  • Secure support tooling, privileged diagnostics, explicit repair commands, audit trails, and tenant-aware operational projections.
  • Distributed systems outbox/inbox, event lag, ambiguous outcomes, idempotency, and recovery.

These references do not define internal CSG monitoring platforms, alert thresholds, support tooling, on-call model, or operational targets.

Lesson Recap

You just completed lesson 47 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.