Identify

A log line, a batch of events, or a pattern name in hand. Resolves it to a known pattern, locates it, and surfaces its history.

"resolve this — PaymentGateway request timed out after 30000ms"

Matches Payment_Gateway_Timeout. $4.2K/wk in payments-svc, ERROR severity, first seen 14 days ago.

"when did it start spiking?"

$200/wk → $4.2K/wk over 14 days. Sharp spike on day 10 (8× baseline).

"safe to drop?"

Check dependencies first → Drop.

You ask	Example answer
resolve this log line: `PaymentGateway request timed out after 30000ms`	Matches `Payment_Gateway_Timeout`. $4.2K/wk in payments-svc, ERROR severity, first seen 14 days ago. Suggested action: cap with the Reducer.
triage this Slack dump	127 events → 9 patterns. Top 3: `Payment_Gateway_Timeout` (45 events, ERROR) · `GetCartAsync called with userId` (30) · `AddItemAsync` (20). Affects 4 tenants.
when did `Payment_Gateway_Timeout` start spiking?	`Payment_Gateway_Timeout`: $200/wk → $4.2K/wk over 14 days. Sharp spike on day 10 (8× baseline).
what's in `/tmp/incident.log`?	1,403 events, 27 patterns. Top: `Payment_Gateway_Timeout` (412 events) · `GetCartAsync` (218) · `Retry_Exhausted` (174).

Prerequisites

Identify and Trend require the Reporter deployed. Triage and Extract templates work without it — both run a local pipeline; events stay on the machine.