docs: check amount of logs in reviews #981

Merged
merged 2 commits into from
Nov 7, 2024
1 change: 1 addition & 0 deletions docs/ciso-guide/log-review.md
Expand Up @@ -71,6 +71,7 @@ Aim for a review which is both **wide** and **deep**. By wide we mean that you s
1. Open up a browser and open the Compliant Kubernetes [logs](../user-guide/logs.md) of the cluster you are reviewing. This functionality is currently offered by OpenSearch.
1. Search for the following keywords on all indices -- i.e., search over each index pattern -- over the last review period: `error`, `failed`, `failure`, `deny`, `denied`, `blocked`, `invalid`, `expired`, `unable`, `unauthorized`, `bad`, `401`, `403`, `500`, `unknown`. Sample a few keywords you recently encountered during your work, e.g., `already installed` or `not found`; be creative and unpredictable.
1. Vary the time point, the time interval, filters, etc.
1. Include the total amount of logs in each log category in your review (set the time interval bigger than retention). Is it the same, significantly less or significantly more logs compared to the last check? If there is a major difference, it could be worth investigating further to figure out why that is.
1. Go _wide_: For each query (index pattern, keyword, timepoint, time interval and filter combination), look at the timeline and see if there is an unexpected increase or decrease in the count of log lines. If you find any, focus your attention on those.
1. Go _deep_: For each query, sample at least 10 log entries, read them and make sure you understand what they mean. Think about the following:
- What are potential causes?
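Review bot: the new step (the `+` line, "Include the total amount of logs in each log category ...") asks the reviewer to compare against "the last check", but nothing in this procedure tells the reviewer to record the counts they observe, so there is no baseline to compare with on the next review; suggest adding "record the count per index pattern in the review notes" so the comparison is actually possible. Two smaller points on the same line: "log category" is not a term the surrounding steps use (they talk about index patterns), so "for each index pattern" would be more consistent, and "amount of logs" should read "number of log lines". It would also help to say why a large drop matters: when the interval is set wider than retention the count is bounded by retention, so a significantly lower number than last time can mean a retention change, a log shipper or ingestion failure, or logs being removed, all of which the reviewer should want to notice.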