Situation: A daily ETL intermittently fails, causing missing events in reports. My goal: quickly identify root cause, quantify impact, fix and validate a backfill, and communicate confidence to stakeholders.Investigation steps1. Triage & surface-level checks- Check orchestration system (Airflow/DBT) run history, task logs, retry counts, and timestamps.- Review job exit codes and stack traces in application logs.- Look at recent deploys/config changes and schema migrations.2. Metrics and alerts to review- Upstream source ingestion rates (events/min), producer lags, and Kafka/queue offsets.- ETL throughput (rows/sec), processing latency, and error rates.- Downstream report row counts and key KPI time-series for anomalies (sudden drops).3. Forensic SQL queries (examples)- Compare expected vs actual event counts by source/day:sql
SELECT date(event_ts) as day,
COUNT(*) as actual_events,
expected.count as expected_events,
COUNT(*) - expected.count as delta
FROM events e
LEFT JOIN expected_daily_counts expected USING (day)
WHERE day BETWEEN '2025-11-10' AND '2025-11-22'
GROUP BY day, expected.count;
- Identify missing event IDs by joining source and warehouse:sql
SELECT src.id
FROM source_table src
LEFT JOIN warehouse_table wh ON src.id = wh.id
WHERE src.date = '2025-11-21' AND wh.id IS NULL LIMIT 100;
- Sample raw messages around ETL failure window to find corrupt records.4. Root-cause hypotheses & tests- Bad records causing job crash: scan for schema violations or nulls.- Downstream write failures: check DB constraints, deadlocks, or permissions.- Resource exhaustion: examine CPU/memory/IO metrics during runs.5. Backfill validation & confidence- Perform a controlled backfill in a staging environment; run reconciliation queries comparing source vs warehouse.- Produce reconciliation report: total expected vs ingested, sample of missing IDs, error log excerpts.- Calculate coverage and confidence metrics: e.g., % matched rows, % sampled rows verified, and number of exceptions.Communication to stakeholders- Deliver a concise incident summary: impact window, root cause, actions taken, and residual risk.- Share metric-backed evidence (charts + SQL results) and attach verification checklist.- Provide action plan and rollback/backfill schedule with sign-off criteria: reconciliation passes (>=99.9% matched) and sample audit (manual review of 100 records).- Offer follow-ups: post-mortem, monitoring improvements, and preventative changes (schema validation, idempotent writes, alerting).This approach balances technical forensics (logs, SQL reconciliation) with clear, measurable evidence to build stakeholder trust in the fix and backfill.