I Stopped Digging Through Logs

Photo by Trac Vu on Unsplash

I Stopped Digging Through Logs

M. Zakyuddin Munziri

M. Zakyuddin Munziri

@zakiego

For a long time, debugging meant opening logs first. That felt like the right thing to do. Alerts fired, logs were there, so I read them. Over time, I realized most of my energy was not spent fixing bugs. It was spent searching.

So I stopped digging through logs.

Now I start from the error itself, send it to an AI agent that can read our observability database, and let it do the searching. The difference is not subtle. Root cause shows up faster. Fewer dead ends. Less stress.

This is not about magic AI. It is about changing where debugging starts.

The problem logs are fragments not the story

Logs are fragments. A line here. A stack trace there. A timestamp that almost matches another one.

Observability tools give visibility, but they do not give structure by default. Engineers still have to stitch everything together in their heads. That stitching is expensive.

The old flow looked like this:

  • an alert fires
  • open logs
  • search by request id
  • jump between services
  • open code
  • form a hypothesis
  • repeat

Most of the time goes into navigation, not reasoning. Debugging becomes an attention problem.

The shift stop reading start correlating

Instead of starting with logs, I now start with the error.

When an error appears, I send the error payload plus minimal context to an AI assistant. That assistant has read only access to our observability database. Logs, traces, and historical error data are all there.

The job of the AI is simple. Correlate everything that might be related to this error.

My job stays the same. Decide what to do next.

This one change removes a lot of noise. I no longer scroll logs hoping something stands out. I review evidence that is already grouped and connected.

What the AI actually does

There is no magic involved. The steps are mechanical.

First, the AI parses the error payload and extracts key fields like timestamp, service name, error type, and request identifiers.

Next, it queries the observability database for similar errors. Same signature, same service, similar payloads, nearby time windows.

Then it correlates traces across services to see where failures cluster. It looks for repeated paths, not one off noise.

After that, it checks recent deploys or commits that touched the involved code paths.

The output is a short report with evidence. Traces that repeat. Logs that line up. Code paths that changed recently.

This does not give me the fix. It gives me the right place to look.

Guardrails access without exposure

This part matters more than the AI itself.

The AI only has read only access. No writes. No mutations. No side effects.

Privacy mode is enabled. Data is not used for training. It is used only for inference in this session.

Access is scoped. Only the fields needed for debugging are exposed. No broad database access. No unnecessary payloads.

Every query and result is auditable.

The goal is not to give AI more power. The goal is to give it enough context to be useful, without creating new risk.

What changed for me

A few things became very obvious after switching workflows.

Time to root cause dropped significantly. We skip the wandering phase.

Pull requests became smaller and more focused. Fixes target the actual problem instead of surrounding guesses.

False investigations went down. Fewer situations where hours are spent only to conclude it was unrelated.

Alerts feel calmer. When something breaks, the first step is structured, not reactive.

What did not change

Engineers still make the decisions.

The AI does not understand product context. It does not know business priorities or rollout strategy.

Judgement is still required. How risky the fix is. Whether to rollback. Whether to hotfix or wait.

AI narrows the search space. Humans still own the outcome.

A workflow you can copy

  1. An alert fires
  2. Capture the error payload and minimal context
  3. Send it to an AI assistant with scoped read only access
  4. Review the evidence it returns
  5. Validate the hypothesis
  6. Implement the fix
  7. Observe

No blind log diving.

Where this could go next

One idea I keep in the back of my head is pushing this workflow one step further.

When an alert fires, an agent could automatically collect the evidence, trace the failure across services, inspect the relevant code paths, and propose a fix.

Not to merge on its own. Just to open a pull request.

The pull request would contain:

  • the suspected root cause
  • the supporting traces and logs
  • the code change
  • the tests that justify the fix

At that point, the engineer is no longer digging or typing by default. The job becomes reviewing, judging risk, and deciding whether the change should ship.

That is a workflow I would actually want to maintain.

Closing why this actually matters

This is not about replacing engineers. It is about removing unnecessary work.

Logs are raw material. They are not the answer. Speed comes from assembling context quickly, not reading faster.

If you run systems at scale and still start debugging by opening logs, try flipping the order. Start with the error. Let machines do the searching. Use your attention where it actually matters.

More Articles

Speed Was Never the Hard Part in CI CD

Speed Was Never the Hard Part in CI CD

Fast pipelines don't eliminate shipping fear. Confidence comes from safe rollbacks, feature flags, and systems that behave predictably when things go wrong.

The Silent Pain of Deploying Applications

The Silent Pain of Deploying Applications

Unvalidated environment variables create failures that arrive late and hurt. Validate at startup or build time, fail fast with clear errors, and treat configuration like critical infrastructure.