Build incident timelines from logs, metrics, and traces without making up the missing parts

A practical flow to anchor the incident window, correlate signals, and separate facts from convenient guesses.

Learn how to reconstruct a real incident from Prometheus, Loki, and distributed traces without getting lost in noise, clock skew, or confident storytelling.

Created: May 2, 2026

Published: May 2, 2026

Estimated time40 min

LevelIntermediate

Before you startHTTP or RPC metrics with latency and error signals by service or route

PlatformsLinux / Docker

WhatsApp X LinkedIn

Linux

Use curl, jq, and kubectl to lock the incident window, extract evidence, and compare it against deployments and platform events.

curljqkubectl

Base incident variables

export PROM='http://prometheus.monitoring.svc:9090'
export LOKI='http://loki.monitoring.svc:3100'
export NS='prod'
export SVC='checkout'
export START='2026-05-02T08:10:00Z'
export END='2026-05-02T08:25:00Z'

Service deployment history

kubectl -n $NS rollout history deploy/$SVC
kubectl -n $NS get events --sort-by=.lastTimestamp | tail -n 40

Also available inConstruir timelines de incidentes con logs, métricas y trazas sin inventarte la película

Content locked

This guide requires both steps before full content is available.

○Click “Like” on this guide.
○Share on WhatsApp, X, LinkedIn, or copy the link.

Access is automatically unlocked as soon as both steps are completed.