Telemetry types and technologies
The boring but important part of observability tools is telemetry – capturing data that is useful, shipping it from place to place, and producing visualizations, alerts, and reports that offer value to the organization.
Three main types of telemetry are used to build monitoring and observability systems – metrics, logs, and distributed traces. Other telemetry types may be used by some vendors and in particular circumstances. We will touch on these here, but they will be explored in more detail in Chapters 12 and 13 of this book.
Metrics
Metrics can be thought of as numeric data that is recorded at a point in time and enriched with labels or dimensions to enable analysis. Metrics are frequently generated and are easy to search, making them ideal for determining whether something is wrong or unusual. Let’s look at an example of metrics showing temporal changes:
Figure 1.3 – Metrics showing changes over time
Taking our example of the Panama Canal, we could represent the water level in each lock as a metric, to be measured at regular intervals. To be able to use the data effectively, we might add some of these labels:
- The lock name: Agua Clara
- The lock chamber: Lower lock
- The canal: Panama Canal
Logs
Logs are considered to be unstructured string data types. They are recorded at a point in time and usually contain a huge amount of information about what is happening. While logs can be structured, there is no guarantee of that structure persisting, because the log producer has control over the structure of the log. Let’s look at an example:
Jun 26 2016 20:31:01 pc-ac-g1 gate-events no obstructions seen Jun 26 2016 20:32:01 pc-ac-g1 gate-events starting motors Jun 26 2016 20:32:30 pc-ac-g1 gate-events motors engaged successfully Jun 26 2016 20:35:30 pc-ac-g1 gate-events stopping motors Jun 26 2016 20:35:30 pc-ac-g1 gate-events gate open complete
In our example, the various operations involved in opening or closing a lock gate could be represented as logs.
Almost every system produces logs, and they often give very detailed information. This is great for understanding what happened. However, the volume of data presents two problems:
- Searching can be inefficient and slow.
- As the data is in text format, knowing what to search for can be difficult. For example,
error occurred,process failed, andaction did not complete successfullycould all be used to describe a failure, but there are no shared strings to search for.
Let’s consider a real log entry from a computer system to see how log data is usually represented:
Figure 1.4 – Logs showing discrete events in time
We can clearly see that we have a number of fields that have been extracted from the log entry by the system. These fields detail where the log entry originated from, what time it occurred, and various other items.
Distributed traces
Distributed traces show the end-to-end journey of an action. They are captured from every step that is taken to complete the action. Let’s imagine a trace that covers the passage of a ship through the lock system. We will be interested in the time a ship enters and leaves each lock, and we will want to be able to compare different ships using the system. A full passage can be given an identifier, usually called a trace ID. Traces are made up of spans. In our example, a span would cover the entry and exit for each individual lock. These spans are given a second identifier, called a span ID. To tie these two together, each span in a trace references the trace ID for the whole trace. The following screenshot shows an example of how a distributed trace is represented for a computer application:
Figure 1.5 – Traces showing the relationship of actions over time
Now that we have introduced metrics, logs, and traces, let’s consider a more detailed example of a ship passing through the locks, and how each telemetry type would be produced in this process:
- Ship enters the first lock:
- Span ID created
- Trace ID created
- Contextual information is added to the span, for example, a ship identification
- Key events are recorded in the span with time stamps, for example, gates are opened and closed
- Ship exits the first lock:
- Span closed and submitted to the recording system
- Second lock notified of trace ID and span ID
- Ship enters the second lock:
- Span ID created
- Trace ID added to span
- Contextual information is added to the span
- Key events recorded in the span with time stamps
- Ship exits the second lock:
- Span closed and submitted to the recording system
- Third lock notified of trace ID and span ID
- Ship enters the third lock:
- Repeat step 3
- Ship exits the third lock:
- Span closed and submitted to the recording system
Now let’s look at some other telemetry types.
Other telemetry types
Metrics, logs, and traces are often called the three pillars or the golden triangle of observability. As we outlined earlier, observability is the ability to understand a system. While metrics, logs, and traces give us a very good ability to understand a system, they are not the only signals we might need, as this depends at what abstraction layer we need to observe the system. For instance, when looking at a very detailed level, we may be very interested in the stack trace of an application’s activity at the CPU and RAM level. Conversely, if we are interested in the execution of a CI/CD pipeline, we may just be interested in whether a deployment occurred and nothing more.
Profiling data (stack traces) can give us a very detailed technical view of the system’s use of resources such as CPU cycles or memory. With cloud services often charged per hour for these resources, this kind of detailed analysis can easily create cost savings.
Similarly, events can be consumed from a platform, such as CI/CD. These can offer a huge amount of insight that can reduce the Mean Time to Recovery (MTTR). Imagine responding to an out-of-hours alert and seeing that a new version of a service was deployed immediately before the issues started occurring. Even better, imagine not having to wake up because the deployment process could check for failures and roll back automatically. Events differ from logs only in that an event represents a whole action. In our earlier example in the Logs section, we created five logs, but all of these referred to stages of the same event (opening the lock gate). As a relatively generic term, event gets used with other meanings.
Now that we’ve introduced the fundamental concepts of the technology, let’s talk about the customers who will use observability data.