Jump to Category
| 💡 Core Observability Principles | ιχ Distributed Tracing |
| 📈 Metrics & Measurement | 🚨 SLOs & Alerting |
| ✨ Modern Tooling & Advanced Concepts |
Core Observability Principles
1. How does an observable system change the way you approach debugging “unknown unknowns”?
An observable system is designed for exploration. Instead of the traditional debugging cycle of “guess -> add log statement -> redeploy -> repeat,” an observable system provides high-cardinality, high-dimensionality telemetry data out of the box. This allows an engineer to:
- Formulate and test hypotheses in real-time by slicing and dicing the data (e.g., “Are all errors coming from a specific user, a certain version of the mobile app, or a single Kubernetes node?”).
- Follow a request’s entire journey via a distributed trace to pinpoint the exact service and operation that is failing or slow.
- Correlate metrics, logs, and traces from a specific point in time to get a complete picture of a failure.
It changes debugging from a code-and-deploy cycle to an interactive data analysis process.
2. Explain how the three pillars of observability—logs, metrics, and traces—are interconnected.
The three pillars are most powerful when they are seamlessly correlated. This is typically achieved through shared context, primarily a **trace ID** and **span ID**.
- **From Trace to Logs:** Each log event emitted during an operation should be tagged with the current `traceId` and `spanId`. This allows you to jump from a specific span in a distributed trace directly to the detailed, high-context logs for that exact piece of work.
- **From Metric to Trace:** Many modern monitoring systems can link metrics back to exemplary traces. If you see a spike in a latency metric for an endpoint, you can click on it to see examples of the slow traces that contributed to that spike.
- **From Log to Metric:** Metrics can be generated from logs (log-based metrics). For example, a logging platform can count the number of log lines with `level=”error”` to create an error rate metric.
3. What is high-cardinality and why is it essential for observability?
Cardinality** is the number of unique values for a dimension. **High cardinality** refers to dimensions with a vast number of unique values, such as `user_id`, `request_id`, `container_id`, or `customer_tenant_id`.
It is essential for observability because it allows you to ask detailed, specific questions and pinpoint the exact source of a problem. Without high-cardinality dimensions, you can only see broad aggregates (e.g., “the overall error rate is 5%”). With them, you can break down the problem and discover that the errors are only happening for `user_id: 123` on `app_version: 2.5.1` in the `us-east-1` region. This is the key to debugging complex, real-world issues.
4. What is the difference between instrumentation and monitoring?
- Instrumentation** is the act of adding code to your application to generate telemetry data (logs, metrics, traces). This can be done manually by a developer or automatically by agents and libraries. It’s the process of making a system *emmit* signals about its internal state.
- Monitoring** is the act of *collecting, processing, and analyzing* that telemetry data. It’s the process of observing the signals emitted by the instrumented system to understand its health and performance.
5. Compare the RED (Rate, Errors, Duration) and USE (Utilization, Saturation, Errors) monitoring methods.
- RED Method: A black-box, service-oriented method. It measures the external experience of a service: `Rate` (requests per second), `Errors` (number of failing requests), and `Duration` (request latency). It’s excellent for monitoring user-facing services and setting SLOs.
- USE Method: A white-box, resource-oriented method. It’s for monitoring the health of a system’s physical or logical resources (like a CPU, a disk, or a connection pool). It measures: `Utilization` (% of time the resource is busy), `Saturation` (how much extra work is queued up), and `Errors` (the number of errors from the resource).
They are complementary: USE helps you find a resource bottleneck, while RED tells you if that bottleneck is actually impacting users.
Read Brendan Gregg’s article on the USE Method.Distributed Tracing
6. What is the W3C Trace Context specification and why is it important?
The W3C Trace Context is a standard that defines a set of universal HTTP headers (`traceparent` and `tracestate`) for propagating trace context information across service boundaries. Before this standard, different tracing vendors used their own proprietary headers, which meant that traces would break if a request passed through services instrumented with different tools.
By providing a standard format, it ensures seamless trace context propagation in a polyglot, multi-vendor environment, which is crucial for modern distributed systems.
Read the W3C Trace Context specification.7. Compare head-based and tail-based sampling strategies for traces.
- Head-based Sampling: The decision to keep or drop a trace is made at the very beginning, when the root span is created. For example, you might sample 10% of all incoming requests. This is simple and requires minimal infrastructure. However, it means you might randomly discard traces that later turn out to be important (e.g., a trace that contains an error).
- Tail-based Sampling: The decision to keep or drop a trace is made *after* all the spans in the trace have been completed. The system collects all spans for all traces and then uses policies to decide which ones to persist (e.g., “keep all traces with errors” or “keep all traces with a latency over 500ms”). This provides much more valuable data but requires a more complex and expensive collection pipeline that can buffer and analyze all trace data.
8. What is the difference between automatic and manual instrumentation for tracing? What are the trade-offs?
- Automatic Instrumentation: Uses agents or libraries that automatically instrument common frameworks (like HTTP clients, web servers, and database drivers) by patching them at runtime. It’s easy to set up and provides broad coverage with minimal code changes. However, it can lack application-specific context.
- Manual Instrumentation: The developer explicitly adds code to start and stop spans, add attributes, and record events. This provides much richer, business-specific context to your traces but requires more developer effort.
A good strategy is to start with auto-instrumentation to get broad coverage and then add manual instrumentation for critical business logic.
9. What is “baggage” in the context of distributed tracing?
Baggage is contextual information that is propagated along with the trace context (`traceId`, `spanId`) across service boundaries. While the trace context is for the observability system, baggage is for the *application* itself. It allows you to pass key-value pairs from an upstream service to all of its downstream services within the context of a single request. For example, you could pass a `feature-flag-override` or `is-premium-user` attribute as baggage, and downstream services could use this information to alter their behavior.
10. How would you analyze a trace to find the root cause of high latency?
You would look at the trace’s waterfall diagram. The key is to identify the **critical path**, which is the sequence of spans that represents the longest path of execution. You look for:
- A single long span: This indicates the problem is within that specific service or operation.
- A sequence of many small, serial spans: This indicates a “chatty” architecture where the latency is caused by the cumulative network overhead of many sequential calls.
- Gaps between spans: A significant time gap between the end of one span and the start of the next can indicate time spent in a queue, network latency, or a part of the code that is not properly instrumented.
Metrics & Measurement
11. Explain the difference between Histograms and Summaries in Prometheus. When would you use each?
- A **Histogram** samples observations into configurable buckets (e.g., `le=”0.5″` for less than 500ms). It allows for powerful server-side aggregation. You can sum histograms from multiple instances to create a globally accurate histogram and then calculate percentiles using `histogram_quantile()`. This is the generally recommended type for measuring latency.
- A **Summary** calculates streaming percentiles on the client side and exposes them directly (e.g., `quantile=”0.99″`). It is less resource-intensive on the server, but you **cannot** accurately aggregate pre-calculated percentiles. Averaging the 99th percentile from two instances does not give you the true 99th percentile of the combined service.
12. Why is averaging percentiles a mathematical error?
Averaging percentiles is incorrect because percentiles are points in a distribution, not linear values. For example, if Server A has a p99 of 100ms and Server B has a p99 of 1000ms, the combined p99 is not necessarily 550ms. If Server A handles 99% of the traffic, the true p99 will be very close to 100ms. If Server B handles most of the traffic, the true p99 will be closer to 1000ms. You need the raw data or histogram buckets to calculate a correct aggregated percentile.
13. What challenges does a pull-based metrics model (like Prometheus) face in a serverless (FaaS) environment?
The primary challenge is that serverless functions are ephemeral and do not have a stable, long-lived IP address that a Prometheus server can scrape. By the time Prometheus tries to pull metrics, the function instance may have already shut down.
The common solution is to use a push-based model. The function runs its code and then pushes its metrics to an intermediary service, like the **Prometheus Pushgateway** or a vendor’s metrics gateway (e.g., StatsD), which can then be scraped by Prometheus.
SLOs & Alerting
14. How do you choose good Service Level Indicators (SLIs)?
A good SLI should be a direct measure of user happiness and should reflect the reliability of your service from the user’s perspective. Key characteristics of a good SLI are:
- User-centric: It should measure something the user cares about (e.g., availability, latency, correctness).
- Understandable: The metric should be simple to understand for both technical and non-technical stakeholders.
- Reliably Measurable: You must be able to collect the data for it accurately and consistently.
- Controllable: Your team must be able to take action to improve the SLI.
For example, a good SLI for an API might be “the proportion of HTTP requests that complete successfully in under 500ms.”
Read the SRE book chapter on SLOs.15. What is an “error budget” and how does it drive engineering decisions?
An error budget is the inverse of your SLO. If your availability SLO is 99.9%, your error budget is the 0.1% of the time that your service is allowed to be unavailable without breaching its objective.
It drives decisions by providing a data-driven framework for balancing reliability with feature velocity.
- If a team has used very little of their error budget, they can feel confident in taking risks, such as rolling out new features faster.
- If a team has exhausted their error budget for the period, it’s a clear signal that all new feature development should be halted, and the team’s priority must shift to improving reliability and stability.
16. Why is alerting on SLO burn rate better than alerting on the raw SLO percentage?
Alerting on the raw SLO percentage (e.g., “alert when availability drops below 99.9%”) is problematic because it’s a slow-moving metric. You might only breach your monthly SLO in the last hour of the month, giving you no time to react.
Alerting on **burn rate** is much more effective. It measures how quickly you are consuming your error budget. You can set up multi-window alerts:
- A fast-burn alert (e.g., “alert if we are burning through our monthly budget at a rate that will exhaust it in 24 hours”) for major outages.
- A slow-burn alert (e.g., “alert if we are on track to exhaust the budget in 7 days”) for persistent, low-grade problems.
This approach gives you a timely and proportional response to different kinds of failures.
17. What is alert fatigue?
Alert fatigue is the desensitization that occurs when operators are exposed to a large number of frequent, non-actionable, or irrelevant alerts (“noise”). This leads to alerts being ignored or muted, which can cause critical, actionable alerts to be missed. It’s a major cause of burnout and incidents in on-call rotations. Combatting it involves making every alert meaningful, actionable, and tied to user-facing symptoms.
Modern Tooling & Advanced Concepts
18. What is the role of the OpenTelemetry Collector?
The **OTel Collector** is a vendor-agnostic proxy that can receive, process, and export telemetry data. It’s a flexible “pipeline” for your observability data.
Instead of having every application instance export its data directly to a backend (which couples them to that backend), they can all send their data to the Collector. The Collector can then be configured to:
- Process data: Add attributes, filter out noise, or perform tail-based sampling.
- Export data: Send the processed data to one or more backends simultaneously (e.g., send traces to Jaeger and metrics to Prometheus).
19. What is eBPF and how is it changing the observability landscape?
eBPF (extended Berkeley Packet Filter)** is a Linux kernel technology that allows you to run sandboxed programs directly in the kernel without changing kernel source code. For observability, this is revolutionary because it allows tools to collect extremely detailed telemetry data (network traffic, system calls, application performance metrics) with very low overhead, directly from the source of truth—the kernel itself.
It’s changing the landscape by enabling a new class of tools that can provide deep insights into application and system performance **without requiring any code instrumentation**. This simplifies the process of making complex systems observable.
Read the introduction to eBPF.20. How does a service mesh contribute to observability?
A service mesh (like Istio or Linkerd) works by injecting a “sidecar” proxy next to each of your service instances. All network traffic to and from your service flows through this proxy. This provides a powerful, centralized point to automatically collect observability data without any changes to your application code.
The sidecar can automatically generate:
- Metrics: Detailed RED metrics for all inbound and outbound traffic.
- Traces: It can start, stop, and propagate