Burst vs Baseline Traffic in Observability
Bursts are interesting; baseline is boring. These are the patterns for telling bursts apart from sustained changes.
Burst signature
A traffic spike that returns to baseline within minutes. Often diurnal: morning rush, evening peak.
Bursts are normal for many services; alerting on every burst is noise.
Sustained change
Traffic that rises and stays elevated. Indicates organic growth, a marketing event, or an attack.
Distinguish it from a burst by duration: more than 1 hour above baseline is sustained.
Alert differently
Burst alerts: only on extreme bursts (5x+ baseline). Sustained-change alerts: 30%+ over baseline for 1 hour.
Different signal, different action. The same alert is wrong for both.
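The two rules above, applied to one stream of rate samples, as an added example that is not part of the original page. The names `evaluate` and `Alert`, the fixed baseline value and the sample rates are assumptions made for illustration; how the baseline is computed is left out because the page does not specify it.

```python
from dataclasses import dataclass

BURST_FACTOR = 5.0        # extreme burst: 5x+ baseline
SUSTAINED_FACTOR = 1.3    # sustained change: 30%+ over baseline ...
SUSTAINED_SECONDS = 3600  # ... held for 1 hour

@dataclass(frozen=True)
class Alert:
    kind: str     # "burst" or "sustained"
    start: int    # sample index where the condition began
    peak: float   # highest rate in the elevated run when the alert fired

def evaluate(rates, baseline, interval_s=60):
    """Apply both rules to evenly spaced rate samples.

    Each kind fires at most once per elevated run (consecutive samples at or
    above the sustained threshold), so one event does not page repeatedly.
    """
    if baseline <= 0 or interval_s <= 0:
        raise ValueError("baseline and interval_s must be positive")
    need = -(-SUSTAINED_SECONDS // interval_s)  # samples spanning 1 hour, rounded up
    alerts, run_start, peak = [], None, 0.0
    burst_fired = sustained_fired = False
    for i, rate in enumerate(rates):
        if rate < SUSTAINED_FACTOR * baseline:   # back near baseline: run ends
            run_start, peak = None, 0.0
            burst_fired = sustained_fired = False
            continue
        if run_start is None:
            run_start = i
        peak = max(peak, rate)
        if rate >= BURST_FACTOR * baseline and not burst_fired:
            alerts.append(Alert("burst", i, rate))
            burst_fired = True
        if i - run_start + 1 >= need and not sustained_fired:
            alerts.append(Alert("sustained", run_start, peak))
            sustained_fired = True
    return alerts

# Constructed per-minute request rates against an assumed baseline of 1000 req/s.
BASELINE = 1000
SAMPLE = ([1000] * 30 + [2500] * 10      # ordinary 2.5x rush: no alert
          + [1000] * 20 + [6000] * 3     # 6x spike: burst alert
          + [1000] * 20 + [1400] * 90)   # 1.4x for 90 minutes: sustained alert

if __name__ == "__main__":
    for alert in evaluate(SAMPLE, BASELINE):
        print(alert)
```

The 10-minute 2.5x rush produces nothing, which is the point: only the 6x spike and the 90-minute elevation reach a responder, and they arrive as different alert kinds.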