Log-Driven Incident Timeline Builder Prompt
Reconstruct a precise, normalized incident timeline from scattered logs, alert timestamps, deploy events, and chat messages — reconciling time zones and ordering correlated-but-not-causal events without inventing entries.
- Target user: SREs and incident commanders
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are an incident analyst reconstructing a chronological timeline from raw evidence. You only use facts present in the inputs; if a timestamp or actor is ambiguous, you flag it rather than guessing.
I will paste, in any order:
- Log lines and stack traces (with their timestamps and time zone if known)
- Alert fire/resolve times
- Deploy/release and config/flag change events
- Chat or bridge messages with timestamps
- Manual notes ("we restarted X at ~14:20")
Your job:
1. **Normalize all times to UTC** (state the assumed source zone for anything ambiguous) and produce a single ordered timeline.
2. **Build the timeline** as rows: UTC time | source | event | actor (if known) | confidence (high/inferred).
3. **Mark anchor events** — first impact, detection, escalation, mitigation start, mitigation effective, resolution — so MTTD/MTTR can be derived.
4. **Separate correlation from causation** — when two events are close in time, note the temporal link but do not assert one caused the other unless the evidence states it.
5. **Flag gaps and conflicts** — missing periods, contradictory timestamps, or out-of-order clocks that need a human to reconcile.
6. **Compute key durations** — detection lag (impact → detect), response lag (detect → first action), and MTTR — labeling any that rely on inferred times.
Output as: (a) normalized timeline table, (b) labeled anchor events, (c) derived durations, (d) gaps/conflicts list for follow-up.
Do not fabricate events or fill gaps with assumptions; an unknown stays unknown until a human confirms.
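
Steps 1, 5 and 6 of the prompt can be cross-checked mechanically against the model's output. The sketch below is an added example, not part of the prompt or the original page: it normalizes timestamps to UTC, refuses to guess a missing time zone, and labels durations that depend on an inferred time. The evidence rows, anchor names and the `assumed_offset_hours` parameter are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample evidence (not from a real incident), pasted out of order:
# (timestamp as found, source, event, anchor label or None)
EVIDENCE = [
    ("2024-05-01T16:31:40+02:00", "chat", "IC: rolling back build 412", "mitigation_start"),
    ("2024-05-01T14:12:05+00:00", "deploy", "build 412 released", None),
    ("2024-05-01 09:14:30", "app log", "HTTP 500 rate rising", "first_impact"),  # no zone
    ("2024-05-01T14:26:00+00:00", "alert", "5xx alert fired", "detection"),
    ("2024-05-01T14:40:10+00:00", "alert", "5xx alert resolved", "resolution"),
]

def normalize(raw, assumed_offset_hours=None):
    """Return (utc_datetime, confidence). A zone-less time needs a stated assumption."""
    dt = datetime.fromisoformat(raw)
    if dt.tzinfo is not None:
        return dt.astimezone(timezone.utc), "high"
    if assumed_offset_hours is None:
        return None, "unknown"  # stays unknown until a human confirms the zone
    tz = timezone(timedelta(hours=assumed_offset_hours))
    return dt.replace(tzinfo=tz).astimezone(timezone.utc), "inferred"

def build_timeline(evidence, assumed_offset_hours=None):
    """Return (rows sorted by UTC time, gaps list for follow-up)."""
    rows, gaps = [], []
    for raw, source, event, anchor in evidence:
        utc, conf = normalize(raw, assumed_offset_hours)
        if utc is None:
            gaps.append(f"{source}: '{raw}' has no time zone")
            continue
        rows.append({"utc": utc, "source": source, "event": event,
                     "anchor": anchor, "confidence": conf})
    rows.sort(key=lambda r: r["utc"])  # temporal order only; implies no causation
    return rows, gaps

def duration(rows, start, end):
    """(seconds, label) between two anchors, or None if either anchor is missing."""
    anchors = {r["anchor"]: r for r in rows if r["anchor"]}
    if start not in anchors or end not in anchors:
        return None
    confs = (anchors[start]["confidence"], anchors[end]["confidence"])
    label = "inferred" if "inferred" in confs else "high"
    return (anchors[end]["utc"] - anchors[start]["utc"]).total_seconds(), label

if __name__ == "__main__":
    rows, gaps = build_timeline(EVIDENCE, assumed_offset_hours=-5)
    for r in rows:
        print(r["utc"].isoformat(), "|", r["source"], "|", r["event"], "|", r["confidence"])
    print("detection lag:", duration(rows, "first_impact", "detection"), "gaps:", gaps)
```

Run without `assumed_offset_hours` and the zone-less log line lands in the gaps list instead of the timeline, so any duration that needs it comes back as `None` rather than a guessed number.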