> ## Documentation Index
> Fetch the complete documentation index at: https://docs.budecosystem.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating Your First Investigation

> Walk through a practical observability workflow from alert to action

This tutorial shows how to investigate a latency spike and apply a safe mitigation.

## Scenario

You notice degraded response times for one production deployment in the past hour.

```mermaid theme={null}
flowchart LR
    A[Spike Detected] --> B[Metrics Pivot by Deployment]
    B --> C[Filter Requests]
    C --> D[Inspect Slow Requests]
    D --> E[Validate Rule Coverage]
    E --> F[Apply Fix and Recheck]
```

## Step 1: Confirm the Spike

1. Open **Observability → Metrics**.
2. Set time range to **Last 1 hour**.
3. Pivot by **Deployment**.
4. Confirm p95/p99 latency increase.

## Step 2: Isolate Affected Requests

1. Go to **Requests**.
2. Filter to the impacted deployment and same time range.
3. Sort by response time descending.
4. Open the slowest requests.

## Step 3: Inspect Request Detail

Check these fields in detail view:

* Status and error information.
* Input/output token counts.
* Gateway metadata (IP, method, path, user agent, location).
* Raw request/response payloads.

<img src="https://mintcdn.com/budecosystem-b7b14df4/f3zHBsteG-iM711O/images/image-49.png?fit=max&auto=format&n=f3zHBsteG-iM711O&q=85&s=807e7c4adb1e73ccaed7a18c4e54ce62" alt="Image" width="1920" height="3188" data-path="images/image-49.png" />

## Step 4: Correlate with Rules

1. Open **Rules** tab.
2. Filter active rules by relevant type (IP, country, user-agent, rate).
3. Verify whether blocked traffic patterns match expectations.

## Step 5: Apply and Verify

1. Edit or add a rule only if data supports mitigation.
2. Re-check Metrics and Requests for the next 15–30 minutes.
3. Document before/after KPIs in your incident notes.

## Outcome Checklist

<Check>
  Anomaly confirmed with KPI evidence.
</Check>

<Check>
  Request-level root-cause clues captured.
</Check>

<Check>
  Rule change validated against live traffic.
</Check>
