Opsmeter.io logo
Opsmeter.io
AI Cost & Inference Control
HomeDocsPricingCompare
Sign inCreate workspace

Operations

Compare guideBOFU profile

Investigate Spike current vs baseline: a practical playbook

Use a repeatable current-vs-baseline workflow to isolate the real driver behind spend jumps in minutes.

Published: 2026-02-27Updated: 2026-02-27
OperationsBudgetsRoot Cause

Full guide: LLM cost attribution: endpoint, prompt version, tenant, and user

What this comparison answers

  • Which buyer problem each product handles best.
  • Where attribution, governance, or tracing tradeoffs start to matter.
  • When Opsmeter.io is the better fit for bill-shock prevention workflows.

What to alert on

  • cost/request drift by endpointTag or promptVersion
  • unexpected tenant concentration in Top Users
  • request burst with falling success ratio
  • budget warning, spend-alert, and exceeded state transitions

Execution checklist

  1. Confirm spike type: volume, token, deploy, or abuse signal.
  2. Assign one incident owner and one communication channel.
  3. Apply immediate containment before deep optimization.
  4. Document the dominant endpoint, tenant, and promptVersion driver.
  5. Convert findings into one permanent guardrail update.

Why equal windows are mandatory for spike analysis

Comparing current 7 days to an arbitrary baseline creates false narratives. The baseline must be the immediately previous window with the same duration.

Equal windows keep traffic seasonality and business cadence aligned, so deltas are decision-ready.

Use this workflow

Turn diagnosis into action

Identify the cost driver, validate it with attribution, then apply one durable control before the next billing cycle.

Apply in your workspace

Re-run this workflow on your own spend data

Follow the same path from article insight to telemetry verification, then validate with your own cost signals.

Quickstart pathSend a first payload, confirm attribution, then return here for operations context.Open quickstart
Evaluation pathPair this guide with trust proof, status, and compare surfaces during review.Open trust proof pack

Default setup that works in production

  • Current window: selected incident period (for example last 7d)
  • Baseline window: previous equal period (previous 7d)
  • Compare dimensions: endpointTag, promptVersion, tenantId, userId
  • Primary metric: cost delta first, then cost/request and token deltas

15-minute execution order

  1. Confirm current and baseline windows are equal and contiguous.
  2. Rank top endpoint drivers by absolute cost delta.
  3. Check promptVersion and token shifts on the top endpoint.
  4. Check tenant/user concentration before declaring abuse.
  5. Contain first, then document one permanent guardrail.

Common false positives to filter out

  • Demo/test traffic mixed into production windows
  • Backfill events arriving late and polluting the period
  • Unpriced unknown-model rows creating temporary deltas
  • Retry bursts counted as new work due to poor request idempotency

FAQ

Is userId required?

No. userId is optional, but recommended for tenant-level attribution. If needed, send a hashed identifier.

Where should token usage values come from?

Prefer provider usage fields first. If unavailable, use tokenizer estimates and mark uncertainty in your workflow.

How should retries be handled?

Keep the same externalRequestId for the same logical request so idempotency remains stable across retries.

Can telemetry break production flow?

It should not. Use short timeouts, catch errors, and keep telemetry asynchronous so provider calls keep running.

Related guides

Open root-cause guideCreate workspaceCompare alternatives

Evaluation resources

For security and procurement reviews, use our trust summary before final tool selection.

Open trust proof pack