Read logs for five minutes before proposing theories during incidents
Before acting on snap judgments during debugging or incident response, read system logs and dashboards for five minutes without proposing theories to prevent hypothesis anchoring from corrupting observation.
Why This Is a Rule
The moment someone says "I bet it's the database" during an outage, every subsequent observation gets filtered through that hypothesis. Log entries that confirm the database theory get noticed. Log entries pointing to the actual cause — a network partition, a memory leak, a configuration change — get skimmed or ignored. This is anchoring bias applied to incident response, and it routinely doubles or triples mean time to resolution.
The five-minute observation window prevents this. You read logs, dashboards, and error streams without proposing any theory. You're not looking for evidence of anything — you're absorbing the state of the system as it actually is. Theories formed after five minutes of pure observation are grounded in data. Theories formed in the first 30 seconds are grounded in whatever the loudest symptom reminded you of.
When This Fires
- Production incident: alarms are firing and people are assembling in a war room
- Debugging session: a bug report just landed and you have an immediate gut feeling about the cause
- Performance investigation: metrics dropped and the first chart you see suggests an obvious culprit
- Any situation where time pressure creates urgency to "just fix it"
Common Failure Mode
Treating the five-minute observation window as wasted time during an outage. The pressure to act feels overwhelming — users are affected, leadership is asking for updates, and you're "just sitting there reading logs." But the five minutes you spend observing now save the thirty minutes you'd spend chasing a wrong hypothesis, reverting a bad fix, and starting over from scratch.
The Protocol
When an incident begins: (1) Open logs, dashboards, and monitoring. (2) Set a literal 5-minute timer. (3) Read without talking, without hypothesizing, without typing commands. (4) After the timer, write down the three most surprising things you observed. Those surprises — the things that don't match your initial assumption — are almost always closer to the root cause than your first instinct was.