Why Doing Nothing Is Sometimes Correct
1. Action bias under stress When systems are failing: Humans feel pressure to be seen doing something Silence feels like incompetence Random motion feels like progress Reality: Most outages get worse because of uncoordinated interventions Every action changes the system state and destroys evidence Key lesson: Movement is not mitigation. 2. Stabilization vs perturbation Every change during an incident: Resets caches Invalidates assumptions Alters traffic patterns Masks the original failure mode Doing nothing preserves: Signal continuity Reproducibility Causal chains Rule of thumb: If the system is degrading slowly, observe. If it’s degrading fast, act — but only reversibly. 3. When “wait” is the correct move Doing nothing is often correct when: Metrics are noisy but not trending worse A rollout is still propagating Auto-scaling is catching up A dependency is flapping but not dead You lack a safe rollback In these cases: Time itself is the mitigation Human intervention introduces more entropy 4. The “observer effect” in production Changing the system changes what you’re measuring. Examples: Restarting a service clears the logs you needed Scaling hides which node was misbehaving
Why Doing Nothing Is Sometimes Correct
Master the art of restraint in debugging with free flashcards and spaced repetition practice. This lesson covers recognizing when inaction prevents damage, understanding the cost-benefit analysis of interventions, and developing the discipline to resist premature changes—essential skills for effective debugging under pressure.
Welcome
💻 In high-pressure debugging scenarios, our instinct screams at us to do something—anything—to fix the problem. But sometimes the most professional, effective action is to pause and do nothing at all. This isn't paralysis or cowardice; it's strategic patience.
When systems are failing and stakeholders are breathing down your neck, the urge to act is overwhelming. Yet hasty actions often compound problems, destroy evidence, or create cascading failures that dwarf the original issue. Learning when not to act is one of the most valuable debugging skills you'll ever develop.
Core Concepts
The Paradox of Inaction
⚡ Doing nothing is an active choice, not passive indecision. When you consciously decide to hold steady, you're:
- Preserving the current state for investigation
- Preventing premature optimization based on incomplete information
- Avoiding the creation of new problems through rushed interventions
- Maintaining system stability during observation
🧠 The First Rule of Emergency Medicine
"First, do no harm." This ancient principle applies perfectly to debugging. If your intervention might make things worse, and the current situation is stable (even if degraded), maintaining status quo while you gather information is often the correct choice.
When Doing Nothing Is Correct
1. 🔍 The Problem Is Self-Limiting
Some issues resolve themselves without intervention:
## Temporary network blip causing retries
for attempt in range(3):
try:
response = api_call()
break # Success, exits loop
except NetworkError:
if attempt < 2:
time.sleep(1) # Built-in retry handles transient issues
else:
raise
If your system has automatic recovery mechanisms (retries, circuit breakers, health checks), they may handle the problem faster and more reliably than manual intervention.
2. 🧪 You're Still Gathering Evidence
Rushing to fix before understanding destroys your crime scene:
## DON'T immediately restart the crashing service!
## FIRST collect diagnostics:
## Capture current state
kubectl describe pod failing-pod > pod-state.txt
kubectl logs failing-pod > pod-logs.txt
kubectl get events --sort-by='.lastTimestamp' > events.txt
## Check resource usage
top -b -n 1 > cpu-snapshot.txt
free -h > memory-snapshot.txt
## NOW you can restart if needed
💡 Tip: Set a timer for evidence collection. If you haven't gathered enough data in 5 minutes, you probably won't get more value from waiting longer in a production emergency.
3. ⚖️ The Cure Might Be Worse Than The Disease
Sometimes the "fix" carries unacceptable risks:
| Current Problem | Proposed Fix | Risk | Decision |
|---|---|---|---|
| One server slow (90% capacity) | Restart server | Lose 50% capacity during restart cascade | ❌ Monitor instead |
| Database query slow (2s vs 200ms) | Add index to production | Lock table during index creation | ❌ Schedule maintenance window |
| Memory leak causing 1% growth/hour | Deploy untested patch | Introduce new bugs | ❌ Restart on schedule + test patch |
| Service completely down | Rollback to last known good | Low - downtime already exists | ✅ Safe to act |
4. 🎯 The Window for Safe Action Has Passed
Timing matters. Consider this deployment scenario:
// New version deployed 10 minutes ago
// Traffic ramping: 5% → 25% → 50% → 100%
// Currently at 25%, showing 0.5% error rate increase
if (errorRate > THRESHOLD) {
// Option A: Rollback NOW (safe)
// Option B: Push forward to 50% to gather more data
// Option C: Hold at 25% and observe
// If you're unsure and errors aren't critical:
// HOLD STEADY - you're already in a known mixed state
// Rolling forward OR back both introduce new unknowns
}
Once you're in a partially-deployed state, sometimes the safest option is to maintain that state while investigating, rather than introducing another state change.
The Cost-Benefit Analysis
🧮 Every action carries costs:
┌─────────────────────────────────────────────────┐ │ ACTION COST FRAMEWORK │ ├─────────────────────────────────────────────────┤ │ │ │ Time Cost ⏱️ How long to implement? │ │ Risk Cost ⚠️ What could go wrong? │ │ Opportunity Cost 🔄 What else could we do? │ │ Recovery Cost 🔧 Can we undo it? │ │ Learning Cost 📚 Will we understand less? │ │ │ └─────────────────────────────────────────────────┘
Example calculation:
## Production API responding slowly (1.5s vs normal 200ms)
## Affecting 10% of requests
## Business impact: $100/minute in delayed checkouts
class InterventionOption:
def __init__(self, name, time_min, success_rate, risk_level):
self.name = name
self.time_min = time_min
self.success_rate = success_rate
self.risk_level = risk_level # 1-10
options = [
InterventionOption(
"Do nothing, monitor",
time_min=0,
success_rate=0.20, # 20% chance self-resolves
risk_level=3 # Low risk, but problem continues
),
InterventionOption(
"Restart app servers",
time_min=5,
success_rate=0.60,
risk_level=7 # Might cause brief total outage
),
InterventionOption(
"Scale out + investigate root cause",
time_min=10,
success_rate=0.95,
risk_level=2 # Addresses symptom safely
)
]
## In this case: Option 3 wins despite taking longest
## Options 1 & 2 have unacceptable risk/reward profiles
Recognizing False Urgency
⚡ Not all pressure to act is legitimate:
False Urgency Signals:
- 📢 "Just try restarting everything!" (destructive, non-diagnostic)
- 🎲 "We should change something to show we're working on it" (optics over effectiveness)
- ⏰ "We've been debugging for 10 minutes already!" (arbitrary time pressure)
- 🔀 "Let's deploy this potential fix to see if it helps" (untested changes in production)
True Urgency Signals:
- 💰 Active data loss or corruption
- 🔒 Security breach in progress
- 📉 Complete service outage (0% availability)
- ⚖️ Legal/compliance violation occurring
// False urgency: "The logs show an error!"
func handleLogError(err LogEntry) {
if err.Level == "ERROR" {
// DON'T panic and restart service
// DO investigate: Is this error actually causing issues?
if err.ImpactsUsers() {
// True urgency - act
escalate(err)
} else {
// False urgency - log and monitor
recordMetric(err)
}
}
}
Building Discipline for Inaction
🎯 Developing the muscle to resist premature action requires practice:
The 5-Minute Rule:
⏱️ When Encountering a New Problem:
- Minute 1: Assess severity - is this actually an emergency?
- Minute 2: Check monitoring - what do metrics show?
- Minute 3: Review recent changes - what's different?
- Minute 4: Formulate hypothesis - what's the likely cause?
- Minute 5: Plan reversible action - if you must act, what's safest?
Only after this sequence should you consider making changes.
Documentation of Non-Action
📝 When you decide to do nothing, document it:
### Incident Timeline: API Latency Spike
**14:23** - Alert triggered: P95 latency 1.2s (threshold: 500ms)
**14:25** - Investigated metrics: CPU 45%, Memory 60%, No errors
**14:27** - Observed traffic pattern: 2x normal load from Partner API
**14:30** - DECISION: No intervention
RATIONALE: System handling load, no errors,
partner traffic expected to normalize
RISK: Continued degraded performance
MONITORING: Set 15-min review checkpoint
**14:45** - Traffic returned to normal, latency recovered
**14:50** - Post-mortem: System behavior correct, no action needed
This documentation:
- ✅ Justifies your decision to stakeholders
- ✅ Provides learning for future incidents
- ✅ Shows you were actively engaged, not passive
Examples
Example 1: The Memory Leak That Wasn't Urgent
🐛 Scenario: Production microservice shows steady memory growth from 2GB to 2.5GB over 6 hours.
Immediate Reaction (Wrong):
## PANIC MODE
kubectl rollout restart deployment/leaky-service
## Lost all diagnostic data, problem will recur
Disciplined Approach (Right):
## 1. Assess urgency
kubectl top pod leaky-service-xyz
## Current: 2.5GB / Limit: 4GB → 37.5% headroom remaining
## Growth rate: 500MB / 6hr = 83MB/hr
## Time to limit: 18 hours remaining
## 2. DECISION: Do nothing NOW, gather data
## Enable heap profiling
kubectl exec leaky-service-xyz -- curl -X POST localhost:9090/debug/heap
## Set monitoring alert for 3GB (75% of limit)
## Schedule review in 4 hours
## 3. Root cause analysis (with time to investigate)
## Discovered: HTTP client not closing connections
## Created proper fix with tests
## Deployed during maintenance window
Outcome: By not acting immediately, team identified root cause, created proper fix, and deployed safely. Immediate restart would have hidden the problem temporarily.
Example 2: The Database Deadlock Spike
🔒 Scenario: Database deadlock rate jumps from 0/hour to 5/hour during deployment.
Panic Response (Wrong):
-- "Quick fix" that makes things worse
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED;
-- Now you have dirty reads AND deadlocks!
Strategic Inaction (Right):
## Monitor deadlock impact
class DeadlockMonitor:
def __init__(self):
self.rate = 5 # per hour
self.retry_success_rate = 0.98 # 98% succeed on retry
def assess_impact(self):
# 5 deadlocks/hour = 1 per 12 minutes
# Each affects 1 transaction
# 98% succeed on automatic retry
# Net user impact: 0.1 failed transactions/hour
# Total transactions: 100,000/hour
# Impact rate: 0.1/100,000 = 0.0001% failure rate
return "ACCEPTABLE - Monitor and investigate"
## DECISION: Don't rollback deployment
## Application's retry logic handles deadlocks gracefully
## Schedule investigation for root cause
## Set alert if rate exceeds 20/hour
Investigation revealed:
-- New feature introduced query pattern that occasionally conflicts
-- Solution: Reorder transaction operations to acquire locks consistently
BEGIN TRANSACTION;
-- OLD (causes deadlocks):
UPDATE accounts SET balance = balance - 100 WHERE id = ?
UPDATE accounts SET balance = balance + 100 WHERE id = ?
-- NEW (consistent lock order):
UPDATE accounts SET balance = balance - 100 WHERE id = LEAST(?, ?)
UPDATE accounts SET balance = balance + 100 WHERE id = GREATEST(?, ?)
COMMIT;
Outcome: Small deadlock rate was acceptable given retry logic. Team had time to find and implement proper solution rather than making hasty, incorrect changes.
Example 3: The Cascading Failure Decision
⚠️ Scenario: One microservice in a cluster of 10 is failing health checks.
The Action Cascade (Wrong):
## Engineer sees failing pod, restarts it
kubectl delete pod service-a-failing-pod
## Pod comes back, still failing
## Engineer restarts entire deployment
kubectl rollout restart deployment/service-a
## All pods restart simultaneously
## Load balancer removes all instances
## Dependent services start failing
## Now 4 services are down instead of 1 pod degraded
The Controlled Observation (Right):
## Assessment script
class FailureAnalysis:
def __init__(self):
self.total_pods = 10
self.failing_pods = 1
self.healthy_capacity = 0.90 # 9/10 = 90%
def should_intervene(self):
if self.healthy_capacity >= 0.70: # 70% threshold
return False, "Sufficient capacity remains"
return True, "Critical capacity loss"
def safe_diagnostic_actions(self):
return [
"kubectl logs failing-pod",
"kubectl exec failing-pod -- curl localhost:8080/health",
"kubectl describe pod failing-pod",
"Check recent deployments/config changes"
]
analysis = FailureAnalysis()
intervene, reason = analysis.should_intervene()
if not intervene:
print(f"HOLD STEADY: {reason}")
print("Investigate root cause while system serves traffic")
# Service continues at 90% capacity while you debug safely
Diagnostic output revealed:
## Single pod was on node with disk space issue
## NOT a code/config problem
## Kubernetes would have rescheduled automatically
$ kubectl get events
Warning FailedMount Node disk pressure, pod eviction pending
## By doing nothing, Kubernetes self-healed
## New pod scheduled to healthy node
## No cascading failure created
Example 4: The Configuration Rollback Dilemma
🔧 Scenario: New configuration deployed, minor increase in error rate detected.
The Rollback Trap (Wrong):
## See 0.1% error rate increase
## Immediately rollback configuration
git revert HEAD
./deploy.sh
## Now you're in UNKNOWN state:
## - Some requests processed with new config
## - Some data written in new format
## - Rollback may cause DIFFERENT errors
## - You still don't know what caused original errors
The Controlled Analysis (Right):
// Error rate analysis
const errorAnalysis = {
baseline: 0.05, // 0.05% error rate normally
current: 0.15, // 0.15% after config change
delta: 0.10, // 0.10% increase
affectedRequests: function() {
const totalReqs = 1000000; // per hour
return totalReqs * (this.delta / 100); // 1000 requests/hour
},
severity: function() {
if (this.current < 1.0) return "LOW";
if (this.current < 5.0) return "MEDIUM";
return "HIGH";
},
recommendation: function() {
if (this.severity() === "LOW") {
return "INVESTIGATE - Don't rollback yet";
}
return "ROLLBACK - Error rate unacceptable";
}
};
console.log(errorAnalysis.recommendation());
// Output: "INVESTIGATE - Don't rollback yet"
// Deep dive into errors
const errorBreakdown = `
SELECT error_type, COUNT(*)
FROM errors
WHERE timestamp > NOW() - INTERVAL '1 hour'
GROUP BY error_type;
Result:
- validation_error: 800 (related to new stricter validation in config)
- timeout_error: 200 (unrelated, background noise)
Conclusion: New validation is working as intended,
rejecting previously-accepted invalid input.
NOT a bug - this is desired behavior.
`;
Outcome: What looked like a problem was actually the system working correctly. Rollback would have re-enabled buggy behavior. By pausing to investigate, team confirmed the change was beneficial.
Common Mistakes
⚠️ Mistake 1: Confusing Inaction with Ignorance
## WRONG: Ignoring the problem
def handle_alert(alert):
pass # "It'll probably go away"
## RIGHT: Conscious decision with monitoring
def handle_alert(alert):
severity = assess_severity(alert)
if severity.requires_immediate_action():
escalate(alert)
else:
log_decision(f"Monitoring {alert.id}: {severity.rationale}")
schedule_review(alert, minutes=15)
set_escalation_trigger(alert, severity.threshold)
Key difference: Active monitoring with clear escalation criteria vs. passive neglect.
⚠️ Mistake 2: Treating All Problems as Equally Urgent
// WRONG: Everything is an emergency
func OnError(err error) {
panic("ERROR DETECTED - RESTARTING EVERYTHING")
}
// RIGHT: Severity-based response
func OnError(err error) error {
switch severity := ClassifySeverity(err); severity {
case Critical:
// Data loss, security breach, total outage
return InitiateEmergencyProtocol(err)
case High:
// Degraded service, high error rate
return EscalateToOnCall(err)
case Medium:
// Elevated errors, performance degradation
LogAndMonitor(err)
return ScheduleInvestigation(err, time.Hour)
case Low:
// Expected errors, transient issues
LogOnly(err)
return nil
}
return nil
}
⚠️ Mistake 3: Acting Without a Rollback Plan
-- WRONG: One-way door without escape route
ALTER TABLE users DROP COLUMN legacy_id;
-- If this breaks something, you've lost data permanently
-- RIGHT: Reversible actions first
-- Step 1: Stop using column (reversible)
UPDATE application_config SET use_legacy_id = false;
-- Monitor for 24 hours
-- Step 2: Hide column (reversible)
ALTER TABLE users ALTER COLUMN legacy_id SET DEFAULT NULL;
-- Monitor for 1 week
-- Step 3: Only after confirming safe, remove
ALTER TABLE users DROP COLUMN legacy_id;
⚠️ Mistake 4: Optimizing Prematurely Under Pressure
## WRONG: "The system is slow, let's add caching!"
class UserService:
def __init__(self):
self.cache = Redis() # Added in panic
def get_user(self, user_id):
# Introduced cache invalidation bugs
# Didn't identify actual bottleneck
# Now debugging TWO problems
return self.cache.get_or_fetch(user_id)
## RIGHT: Measure first, then decide
class UserService:
def get_user(self, user_id):
with timer("get_user"):
user = self.db.query(user_id)
return user
## Analysis shows: Database query is 5ms
## Real bottleneck: Network serialization is 500ms
## Caching wouldn't have helped!
⚠️ Mistake 5: Destroying Evidence to "Clean Up"
## WRONG: "Let's clear these error logs to see new errors"
rm /var/log/application/error.log
## Just destroyed your only clue to root cause
## RIGHT: Preserve, then rotate
cp /var/log/application/error.log /tmp/error-$(date +%s).log
## Analyze the preserved copy
grep -A 5 -B 5 "OutOfMemory" /tmp/error-*.log
## Then if needed:
> /var/log/application/error.log # Clear for new data
Key Takeaways
📋 Quick Reference Card: When to Do Nothing
| Situation | Do Nothing If... | Act If... |
|---|---|---|
| 🔍 Investigation Phase | Evidence still being collected | Clear diagnosis reached |
| ⚖️ Risk Assessment | Fix might cause worse problems | Fix is safer than status quo |
| 📊 Impact Analysis | Impact < 5% capacity/users | Impact > 20% or growing fast |
| 🔄 Self-Healing | System has auto-recovery | Manual intervention required |
| ⏱️ Time Pressure | False urgency (optics) | True urgency (data loss) |
| 🧪 Testing Status | Fix is untested | Fix is validated/reversible |
| 📈 Trend Analysis | Problem is stable/decreasing | Problem is accelerating |
Core Principles:
- 🛡️ First, do no harm - Your intervention should improve the situation with high confidence
- 📸 Preserve evidence - Every restart, rollback, or config change destroys diagnostic data
- ⏰ Differentiate urgency types - True emergencies (data loss) vs. false urgency (impatience)
- 🔄 Reversibility is safety - Only take actions you can undo quickly
- 📊 Quantify impact - "Bad" means nothing; "0.01% error rate increase" enables decisions
- 🧠 Document non-decisions - Explain why you chose to wait/observe
- 🎯 Set review checkpoints - "We'll reassess in 15 minutes" prevents indefinite drift
💡 Remember: In debugging, as in medicine, the most sophisticated practitioners know when not to intervene. The amateur acts on every symptom; the expert acts only when action improves outcomes.
🔧 Try This: Next time you encounter a production issue, before typing any command, set a 60-second timer. Use that minute to ask: "What will I learn from this action? What could go wrong? Is there a safer alternative?" You'll be surprised how often the answer is "wait and observe."
📚 Further Study
- Google SRE Book - Emergency Response - Industry-standard approaches to incident management and when to intervene
- The Art of Monitoring - Building observability systems that enable confident inaction through comprehensive data
- Debugging: The 9 Indispensable Rules - Classic reference on systematic debugging, including knowing when to stop