Burst vs Baseline Traffic in Observability

Bursts are interesting; baseline is boring. The patterns to detect bursts vs sustained changes.

Burst signature

Burst and sustained traffic changes look similar at first glance but require different responses. Bursts are normal; sustained changes indicate something new. Treating them with the same alert produces either alert fatigue (burst alerts firing routinely) or missed signals (sustained changes ignored as noise).

What burst signature looks like:

• Traffic spike that returns to baseline within minutes.: A burst is a brief deviation from baseline. The traffic rises, peaks, and returns to baseline. The whole event is typically minutes to tens of minutes.
• Often diurnal.: Most bursts have a daily pattern. Morning commute starts traffic; evening peaks are different from midday; late-night drops are predictable. The diurnal pattern is well-understood.
• Morning rush, evening peak.: Specific hours produce predictable bursts. The bursts are operationally normal; capacity is sized for them; the team does not respond to them.
• Burst is normal for many services.: Customer-facing applications experience daily traffic patterns. The bursts are not incidents; they are the workload.
• Alerting on every burst is noise.: An alert that fires on every daily peak produces thousands of false alarms over a year. The team learns to ignore the alerts; real signals get lost in the noise.

The burst signature is normal traffic behavior. Recognizing it prevents the alerting strategy from over-reacting.

Sustained change

Sustained changes are different. Traffic elevates and stays elevated; the new level becomes the new baseline. The cause is rarely benign; investigation is justified.

• Traffic that elevates and stays.: The sustained change holds the elevated level. Hours later, the traffic is still above the prior baseline. The pattern is qualitatively different from a burst.
• Organic growth.: The customer base is growing; traffic reflects the growth. The sustained change is desirable; capacity planning catches it.
• Marketing event.: A campaign drives traffic. The campaign produces sustained elevated traffic; the team's preparation matters; without preparation, the elevated traffic stresses capacity.
• Or attack.: An attack (DDoS, scraping, fraud) produces sustained elevated traffic. The attack is hostile; the response is different from organic growth or marketing.
• Distinguish from burst by duration.: The duration is the key distinguishing feature. Bursts return to baseline; sustained changes do not. Over 1 hour above baseline is the typical threshold.

Sustained changes warrant investigation. The cause might be desirable, neutral, or hostile; the team determines which.

Alert differently

The alerts for burst and sustained patterns should be different. Same alert for both produces either over-alerting on bursts or under-alerting on sustained changes.

• Burst alerts: only on extreme bursts.: Most bursts are routine; alerts fire only on extreme bursts (5x or more above baseline). The threshold is high enough that routine bursts do not alert; truly unusual bursts do.
• 5x or more above baseline.: The 5x threshold is approximate; the right value depends on the workload's normal variability. Workloads with very stable baselines might use 3x; workloads with naturally variable baselines need 7x or more.
• Sustained-change alerts: 30% or more over baseline for 1 hour.: The sustained alert uses a different signal. 30% above baseline for 1 hour is a sustained increase; the alert fires when this combination is observed.
• Different signal, different action.: Burst alerts produce capacity reaction; sustained-change alerts produce investigation. The actions differ; the alerts should differ to match.
• Same alert is wrong for both.: A single alert that fires on both burst and sustained change produces ambiguous response. The team does not know whether to scale capacity or investigate; the response is muddled.

Burst vs baseline traffic pattern is one of those operational disciplines that distinguishes teams that respond to real signals from teams buried in noise. Nova AI Ops integrates with traffic data, surfaces both burst and sustained patterns, and produces the discriminated alerts that drive the right response.