S.A.M.P.L.E. Investigation Form

Incident Information

Incident ID

Investigator Name

Investigation Start Time

S - Signs/Symptoms

What to look for: Observable indicators of the incident. Document exactly what users are experiencing and what the system is showing. Include error messages, performance issues, service outages, or unexpected behavior.

What is the user experiencing? (Symptoms)

User symptoms documented

What are the observable system indicators? (Signs)

System signs documented

Specific Error Messages

Error messages captured

A - Application Allergies

What to look for: Known sensitivities, configurations, or dependencies that could affect the problem or potential solutions. Consider software versions, hardware limitations, security policies, and system interdependencies.

Known System Sensitivities/Configurations

Sensitivities identified

Critical Dependencies

Dependencies mapped

Environmental Constraints

Constraints documented

M - Modules Impacted

What to look for: Specific modules, components, or parts of the system that are affected. Identify whether it's UI, data layer, web/application servers, or other processes. Pinpointing affected modules provides crucial insights into potential causes.

Which specific modules/components are affected?

Affected modules identified

Which system layers are impacted?

User Interface (UI)

Application Layer

Data Layer

Network Layer

Infrastructure

Recent Changes to Affected Modules

Recent changes reviewed

P - Previous Incidents

What to look for: Similar incidents that occurred before. Check incident logs, knowledge base articles, and problem records. Finding previous occurrences can provide quick resolution paths and prevent repeating past mistakes.

Have similar incidents occurred before?

Previous incidents researched

Previous Resolution Methods

Previous resolutions documented

Relevant Knowledge Base Articles

Knowledge base consulted

L - Last Change

What to look for: The last known good state and any recent changes. Identify when the system last worked properly and what modifications occurred since then. This could be the root cause of the incident.

When did the system last work properly?

Last good state identified

Recent System Changes

System changes documented

Indirect Changes (Other Systems)

Indirect changes reviewed

Last Successful Transaction/Operation

Last successful operation identified

E - Events

What to look for: The sequence of events that led up to the incident. Reconstruct the timeline of actions, alerts, and system behaviors. Understanding the chronological flow helps identify triggers and causal relationships.

Timeline of Events Leading to Incident

Event timeline documented

User Actions Before Incident

User actions documented

System Alerts and Warnings

System alerts reviewed

External Triggers

External triggers identified

Investigation Summary

Key Findings from S.A.M.P.L.E. Investigation

Working Hypotheses

Recommended Next Steps

Investigation Urgency Assessment