Opsmeter logo
Opsmeter
AI Cost & Inference Control
HomeDocsPricingCompare
Sign inCreate Workspace

Operations

Investigate Spike current vs baseline: a practical playbook

Use a repeatable current-vs-baseline workflow to isolate the real driver behind spend jumps in minutes.

Published: 2026-02-27Updated: 2026-02-27
OperationsBudgetsRoot Cause

Full guide: LLM cost attribution: endpoint, prompt version, tenant, and user

Why equal windows are mandatory for spike analysis

Comparing current 7 days to an arbitrary baseline creates false narratives. The baseline must be the immediately previous window with the same duration.

Equal windows keep traffic seasonality and business cadence aligned, so deltas are decision-ready.

Default setup that works in production

  • Current window: selected incident period (for example last 7d)
  • Baseline window: previous equal period (previous 7d)
  • Compare dimensions: endpointTag, promptVersion, tenantId, userId
  • Primary metric: cost delta first, then cost/request and token deltas

15-minute execution order

  1. Confirm current and baseline windows are equal and contiguous.
  2. Rank top endpoint drivers by absolute cost delta.
  3. Check promptVersion and token shifts on the top endpoint.
  4. Check tenant/user concentration before declaring abuse.
  5. Contain first, then document one permanent guardrail.

Common false positives to filter out

  • Demo/test traffic mixed into production windows
  • Backfill events arriving late and polluting the period
  • Unpriced unknown-model rows creating temporary deltas
  • Retry bursts counted as new work due to poor request idempotency

What to alert on

  • cost/request drift by endpointTag or promptVersion
  • unexpected tenant concentration in Top Users
  • request burst with falling success ratio
  • budget warning, spend-alert, and exceeded state transitions

Execution checklist

  1. Confirm spike type: volume, token, deploy, or abuse signal.
  2. Assign one incident owner and one communication channel.
  3. Apply immediate containment before deep optimization.
  4. Document the dominant endpoint, tenant, and promptVersion driver.
  5. Convert findings into one permanent guardrail update.

FAQ

Is userId required?

No. userId is optional, but recommended for tenant-level attribution. If needed, send a hashed identifier.

Where should token usage values come from?

Prefer provider usage fields first. If unavailable, use tokenizer estimates and mark uncertainty in your workflow.

How should retries be handled?

Keep the same externalRequestId for the same logical request so idempotency remains stable across retries.

Can telemetry break production flow?

It should not. Use short timeouts, catch errors, and keep telemetry asynchronous so provider calls keep running.

Related guides

Open root-cause guideTry demo data nowCompare alternatives

Evaluation resources

For security and procurement reviews, use our trust summary before final tool selection.

Open trust proof pack