Why should an analyst read production logs?

An analyst should read production logs to understand how a system really behaves and to investigate issues without depending on a developer. Logs show what actually happened to a transaction across services, including timing, errors, and the path it took. Reading them lets an analyst trace a specific transaction, confirm behavior, diagnose a failure, and write requirements grounded in real system behavior rather than assumptions.

What is a correlation id in logging?

A correlation id is a unique identifier attached to a request and carried through every service it touches, so all the log entries for one transaction can be found together. In payments this is often the UETR. Searching the logs by correlation id reconstructs the full journey of a single transaction across services, which is the key technique for tracing behavior and debugging in a distributed system.

Log levels indicate the severity or purpose of a log entry. Common levels are DEBUG (detailed diagnostic information), INFO (normal operational events), WARN (something unexpected but not failing), and ERROR (a failure). Filtering by level helps you focus: ERROR and WARN surface problems quickly, while INFO and DEBUG provide the detailed trail. Understanding levels lets an analyst find the relevant entries among high log volume.

How do you trace a transaction through logs?

Trace a transaction through logs by searching for its correlation id, such as the UETR, across all services, then ordering the entries by time to reconstruct the sequence of what happened. You see each service the transaction touched, the timing between steps, and any errors or warnings. If the correlation id breaks at a service boundary, the trail goes cold there, which is itself a finding worth raising.

What tools are used to read production logs?

Production logs are usually read through a log aggregation and search tool such as Splunk, Elastic (Kibana), Datadog, or similar, which collect logs from all services into one searchable place. Analysts use these tools to search by correlation id, filter by level and service, and view entries over time. The specific tool matters less than the technique of searching by transaction and reading the trail.

Reading Production Logs: Trace One Transaction's Trail

Production logs are the record of what actually happened to a transaction across every service it touched. An analyst who can search by correlation id and read the trail can understand behavior, diagnose failures, and write requirements grounded in reality, without waiting for a developer.

Reading production logs means using the system’s own record of events to understand how it really behaves and to investigate what went wrong, by searching for a specific transaction and following its trail across services. Logs show what actually happened: which services a transaction touched, the timing between steps, the warnings and errors along the way, and the path it took. The key technique is searching by correlation id, a unique identifier carried through every service, in payments usually the UETR, which lets you gather all the log entries for one transaction and reconstruct its whole journey. An analyst who can do this can confirm behavior, diagnose a failure, and ground requirements in real system behavior, all without depending on a developer to interpret. This is a core developer analyst and systems analyst skill, and it completes the picture that SQL and API reading start.

I read logs constantly when learning or debugging a system, because they are the runtime truth, the database tells you the state now, the logs tell you the story of how it got there. The full progression through these skills is in The Technical Skills Guide for BAs.

What is a correlation id, and why is it everything?

A correlation id is a unique identifier attached to a request and carried through every service it touches, so all the log entries for one transaction can be found together. It is the single most important concept in log reading, because without it the logs are an undifferentiated flood, and with it they become a coherent story of one transaction.

In a distributed system, every service logs constantly, and at any moment thousands of transactions are interleaved in the logs. Searching by something generic gives you noise. Searching by the correlation id gives you exactly the entries for the one transaction you care about, across every service. In payments this id is typically the UETR, the unique end-to-end transaction reference that is carried through the whole flow precisely so that one payment can be tracked everywhere. You take the UETR of the payment you are investigating, search the logs for it, and every service that touched that payment shows you its entries.

This is why the correlation id is everything: it is the thread that ties the distributed story together. It is also why a broken correlation id is a serious defect. If a service fails to log the UETR, or logs a different internal id instead, the trail goes cold at that service, and any incident touching it becomes manual archaeology, stitching timestamps together by hand. I have raised broken correlation ids as defects more than once, and every time the response was surprise, because nobody had followed one transaction the whole way. That the UETR must be logged at every service is itself a requirement, the kind you only discover by tracing a transaction and watching the id disappear, and it connects directly to the payment message flows that carry the UETR across legs.

How do you trace one transaction through the logs?

Trace a transaction by searching for its correlation id across all services, then ordering the results by time to reconstruct the sequence of what happened. The time-ordered trail shows you each service the transaction touched, the gaps between steps, and any errors, which together tell you exactly how the transaction behaved.

The method is concrete. Take the UETR, search your log tool for it, and you get every entry mentioning that payment, from every service. Order them by timestamp, and a narrative emerges: ingestion received it at this time, published the event at that time, the processor consumed it a moment later, wrote to the database, sent the downstream message, received the response, updated the status. You can see the latency at each hop, which step was slow, and where, if anywhere, an error or warning appeared.

# Search by UETR, ordered by time (Splunk-style)
index=payments uetr=abc-123
| sort _time
| table _time, service, level, message

This trail is the runtime equivalent of a sequence diagram, except it is what actually happened rather than what was designed to happen, and the two often differ in instructive ways. When a payment behaves unexpectedly, the log trail usually shows you why: the service that errored, the step that timed out, the event that never fired. When you are learning a system, tracing a few transactions through the logs teaches you its real shape, which services are involved, in what order, with what timing, faster than any document. It is the same follow-one-transaction discipline that makes end-to-end testing so powerful, applied to the production record.

How do you find what matters in the noise?

Find what matters by filtering on log level and service to focus on the relevant entries, because production log volume is enormous and reading everything is impossible. Log levels and service filters are how you narrow from millions of entries to the handful that answer your question.

Log levels indicate the severity or purpose of each entry. DEBUG is detailed diagnostic information, INFO is normal operational events, WARN is something unexpected but not failing, and ERROR is a failure. When investigating a problem, filtering to ERROR and WARN surfaces the trouble quickly, what failed and what nearly did, while INFO and DEBUG give you the detailed trail when you need the full story. Knowing the levels lets you choose your altitude: high-level for “what went wrong,” detailed for “exactly how.” Service filters narrow to the part of the system you care about, so you can look at just the processor’s view, or just ingestion’s, of a transaction.

Combining filters is the practical skill. To investigate a failed payment, you might search by its UETR, filter to ERROR and WARN, and see immediately which service raised the problem and what it said. Then you widen to INFO on that service to read the full sequence around the error. This narrowing-and-widening is how experienced log readers move fast: start broad enough to find the problem, then zoom into the detail. It mirrors the way you filter data with SQL, a WHERE clause for logs, and the same precision that makes negative test design effective, because you are isolating the specific condition that matters. The tool, Splunk, Kibana, Datadog, matters less than the technique of searching by transaction and filtering by level and service.

What can an analyst actually do with log access?

With log access, an analyst can investigate issues, verify behavior, learn systems, and write requirements grounded in observed reality, independently. Each of these is something that otherwise requires a developer’s time, and log reading collapses the dependency.

You can investigate an issue by tracing the affected transaction and seeing where it failed, turning “the payment did something weird” into “the payment failed at the processor with this error at this time.” You can verify behavior during testing by confirming the logs show the expected sequence and no errors, which is a standard check in end-to-end testing. You can learn a system by tracing real transactions through it, faster than reading documentation. And you can write better requirements, because observing the real behavior, including the gaps like a broken correlation id or a service that logs nothing, reveals requirements that no diagram contains.

That last point is the deepest value. Log reading does not just help you debug; it surfaces requirements. The service that does not log the UETR is an observability gap that becomes a requirement: every service must log the end-to-end id on entry and exit. The step that takes far longer than expected is a performance requirement waiting to be written. The error that is logged but never surfaced to the customer is a customer-experience gap. You find these by reading the logs, and they make your analysis sharper because it is grounded in how the system actually runs. This is the runtime half of the truth that the code gives you statically, and together they make an analyst genuinely self-sufficient in understanding a system, which is the whole premise of the technical business analyst. The structured path through these skills is The Technical Skills Guide for BAs.

The takeaway

Production logs are the record of what actually happened to a transaction across every service it touched, and reading them is a core analyst skill. Search by correlation id, the UETR in payments, to gather one transaction’s entries, order them by time to reconstruct its journey, and filter by level and service to find what matters in the noise. The payoff is the ability to investigate, verify, learn systems, and surface requirements, independently, grounded in real runtime behavior.

A broken correlation id is a defect, a slow step is a requirement, and an unsurfaced error is a customer-experience gap, all visible only in the logs. Start with The Technical Skills Guide for BAs, or browse everything at The Tech BA Toolkit.

Ahmed is a Senior Technical Business Analyst with 10+ years in banking and payments. He builds practical guides and tools for analysts at The Tech BA Toolkit.

Tags: Observability, Technical Skills, Software Testing, Debugging, Career Growth