Observability
OTel architecture: one SDK, four signals, one wire format
Crux How OpenTelemetry unifies logs, metrics, traces, and profiles through one collector pipeline — and how the trace-id becomes the join key that lets all four signals answer one query.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at middle altitude — in the skyBefore OpenTelemetry, wiring a new service into your observability stack meant four separate SDK installs, four collector configs, and four query languages. Switching vendors meant re-instrumenting everything. OTel collapsed all four signal types into one SDK and one wire protocol. Switching backends is now a config change.
The full stack architecture
An OpenTelemetry-based production stack looks the same in 2026 regardless of vendor.
Application layer. Every service runs one OTel SDK (or OTel auto-instrumentation) that emits four signals:
- Logs — high-cardinality event records with a trace-id field attached.
- Metrics — low-cardinality counters and histograms; histogram exemplars carry the trace-id of a representative request.
- Traces — per-request causal graphs as OTLP span batches.
- Profiles — function-level CPU and allocation samples; each sample carries the trace-id of the active request.
Every signal carries the same trace-id when applicable, so cross-signal joins are possible at query time.
Collector layer. A local OTel Collector agent (DaemonSet on every node, or sidecar per pod) receives all four signal types via OTLP gRPC (localhost:4317). It batches and ships to a gateway tier. The gateway tier performs:
- Tail sampling on traces — buffer spans until the trace closes, then keep 100% of errors and slow traces plus a small random baseline.
- Metric aggregation.
- Optional PII scrubbing on log fields and profile symbol filtering.
- Routing signals to one or more backends.
Backend layer. Any combination of: Tempo (traces), Prometheus / Mimir (metrics), Loki (logs), Pyroscope (profiles) for the self-hosted Grafana stack; or Datadog, Honeycomb, New Relic for vendor-managed. OTLP is accepted by every major backend as of 2024–2026. Switching the backend is a collector exporter config change; the application code is unchanged.
| Signal | Cardinality | Query pattern | Typical backend |
|---|---|---|---|
| Logs | High | ”error contains X” | Loki, OpenSearch |
| Metrics | Low | Dashboards + alerts | Prometheus, Mimir |
| Traces | Medium | Per-request drill | Tempo, Jaeger, Honeycomb |
| Profiles | Medium | Flame graph drill | Pyroscope, Parca |
A concrete OTel collector config
The Node checkout service ships all four signals via a single Collector:
# otel-collector.yaml (DaemonSet on every node)
receivers:
otlp:
protocols:
grpc:
endpoint: 0.0.0.0:4317
processors:
batch:
send_batch_size: 512
timeout: 10s
tail_sampling:
policies:
- { name: errors, type: status_code, status_code: { status_codes: [ERROR] } }
- { name: slow, type: latency, latency: { threshold_ms: 2000 } }
- { name: rest, type: probabilistic, probabilistic: { sampling_percentage: 5 } }
exporters:
otlphttp/tempo: { endpoint: http://tempo:4318 }
prometheusremotewrite: { endpoint: http://prometheus:9090/api/v1/write }
loki: { endpoint: http://loki:3100/loki/api/v1/push }
otlphttp/pyroscope: { endpoint: http://pyroscope:4040/ingest }
service:
pipelines:
traces: { receivers: [otlp], processors: [tail_sampling, batch], exporters: [otlphttp/tempo] }
metrics: { receivers: [otlp], processors: [batch], exporters: [prometheusremotewrite] }
logs: { receivers: [otlp], processors: [batch], exporters: [loki] }
profiles: { receivers: [otlp], processors: [batch], exporters: [otlphttp/pyroscope] }Switching from this self-hosted Grafana stack to Datadog means changing the four exporter endpoint URLs. The service code is unchanged.
Why tail sampling requires a separate processor
Head sampling decides at trace start whether to keep the trace. If it keeps only 5% randomly, then 95% of errors and slow traces are discarded — lost exactly when you need them.
Tail sampling buffers all spans in memory until the trace closes (or a decision window of ~10 seconds expires), then decides. The canonical production policy:
- Keep 100% of traces with any ERROR span.
- Keep 100% of traces with total duration above the slow threshold (e.g. 2 s).
- Keep a random 5% baseline of everything else.
This drops trace volume 90%+ while preserving every interesting trace.
Why this works
Head + tail together: the SDK head-samples at 100% (all spans are created and emitted), and the tail-sampling collector processor is the only thing that discards. This avoids the case where a head-sampled-away trace later becomes an error — if you never emitted the spans, you cannot retrieve them after the fact.
The trace-id as load-bearing join key
Trace-id is the identifier that makes the four-signal stack feel like one tool rather than four silos.
- Logs emit it as a structured field (
trace_id: "abc123"). - Metrics emit it as histogram exemplars (a concrete trace-id attached to a bucket sample).
- Traces are keyed by it natively.
- Profiles attach it to each stack sample.
With consistent trace-id propagation (W3C traceparent through every service call), a query for “everything related to this specific request” returns log entries, metric exemplars, the full trace tree, and profile samples — all joined by the same hex string. Without it the four signals are four silos and the engineer manually correlates by timestamp + service name + best guess.
The 128-bit randomness ensures global uniqueness. The W3C standardisation ensures it survives vendor and language transitions. The OTel SDKs handle propagation automatically across HTTP, gRPC, queues, and async calls.
Order the steps
Completed
Order the OTel data flow for one HTTP request through one service:
- 1 Browser fetch generates traceparent, sends it with the request
- 2 Service receives request; OTel SDK extracts traceparent, creates a span
- 3 Span attributes populated (http.route, http.response.status_code, custom attrs)
- 4 SDK emits the span to the local Collector via OTLP gRPC
- 5 Collector batches spans, applies tail sampling, ships to backend
- 6 Profile sample fires; SDK attaches current trace-id to the stack sample
- 7 Metric counters increment; histogram records duration; exemplar attaches trace-id
Quiz
Completed
Which signal carries the trace-id that lets logs, metrics, traces, and profiles join at query time?
Heads-up Metrics carry trace-ids as exemplars, but the trace-id originates from the trace pillar, not the metric pillar.
Heads-up Logs receive trace-id from context; they do not originate it.
Heads-up Profiles consume trace-id from context; they do not originate it.
Quiz
Completed
Why is the tail_sampling processor needed in addition to head sampling at the SDK?
Heads-up Tail sampling is more expensive — it buffers spans in memory. The reason to use it is correctness, not speed.
Heads-up Head sampling works with OTel; the issue is that it discards traces before knowing if they are interesting.
Heads-up Tail sampling actually uses more memory (buffering all spans). The benefit is keeping the right traces, not saving memory.
- Trace head + tail sampling typical
- 5% baseline + 100% errors / slow
- Tail sampling decision window
- 10–30 seconds
- Trace volume reduction from tail sampling
- 90%+
- OTel profile signal status (2026)
- Release candidate (Q1 2026)
- Logs volume reduction (mature orgs, 5 years)
- 40–60%
- Collector DaemonSet model
- 1 per node, 4 pipelines
- 01Explain why the trace-id is the load-bearing identifier across all four observability signals.
- 02What is the role of the OTel Collector's tail_sampling processor, and what is the canonical production policy?
- 03How does switching observability vendors work in an OTel-first setup compared to a pre-OTel setup?
Recap
An OpenTelemetry production stack is three layers: application code emitting four signals via one OTel SDK, a local Collector agent applying tail sampling and routing, and interchangeable backends receiving OTLP. The trace-id propagated by the W3C traceparent header is the join key that lets all four signals answer one query — without it, the stack is four disconnected silos. Tail sampling requires buffering spans until trace close to preserve 100% of errors and slow traces while discarding 90%+ of baseline volume; head sampling alone discards interesting traces before knowing they are interesting. By 2026 the OTel profile signal reached release candidate, completing the four-signal story and making profiling as portable as metrics or traces. Switching backends in an OTel-first setup is a collector config change, not a re-instrumentation project.
Connected lessons
builds on
appears again in202
- Federation and lookahead: batching beyond DataLoadermiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- The journey of a request: seven stops from socket to responsejunior
- Accept and parse: from kernel queue to a typed requestmiddle
- Routing and middleware: choosing what runs, and in what ordermiddle
- Handler and response: from business logic to bytes on the wiremiddle
- Streaming and backpressure: when the client reads slower than you writesenior
- Timeouts and tail latency: budgets, deadlines, and the fan-out trapsenior
- Middleware and DI: the two patterns that shape every backendjunior
- Writing middleware: signatures, next(), and the three framework modelsmiddle
- Inversion of control: how dependencies reach a classmiddle
- DI scopes and lifecycles: singleton, request, transientmiddle
- DI as a testing seam: fakes, mocks, and the boundary that matterssenior
- DI containers in production: resolution graphs, circular deps, and when not tosenior
- Blocking vs non-blocking I/O: two ways to waitjunior
- The event loop: one thread, ordered phasesmiddle
- What blocks the loop: CPU work and sync callsmiddle
- Offloading CPU work: worker threads and the libuv poolmiddle
- Backpressure and bounded concurrencysenior
- Throughput under load: tail latency and saturationsenior
- Why pool: the cost of creating a connectionjunior
- Pool sizing: why bigger is not fastermiddle
- Acquisition and timeouts: the wait queue is the real latency dialmiddle
- Retry strategies: backoff, jitter, and thundering herdmiddle
- Observability, production failures, and global-scale designsenior
- Tasks, microtasks, and scheduler.yield()middle
- Timer accuracy, throttling, and idle workmiddle
- Node.js event loop: phases, nextTick, and loop lagsenior
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- Production observability: LoAF, INP, and the full attack surfacesenior
- Hidden classes, transition trees, and memory layoutmiddle
- V8 in production: isolates, pointer compression, and real failuressenior
- What workers are and why they existjunior
- Web worker mechanics: dedicated, shared, and OffscreenCanvasmiddle
- Structured clone and transferablesmiddle
- SharedArrayBuffer, Atomics, and cross-origin isolationsenior
- Worker pools, Comlink, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- LCP: four phases, one dominant costmiddle
- INP: input delay, processing, presentationmiddle
- Lab vs field: why the two disagree and how to use eachmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- What a relation is: tables, rows, keys, and constraintsjunior
- Constraints, keys, and Postgres data typesmiddle
- JSONB, arrays, and when a side table winsmiddle
- Schema integrity: deferral, versioning, and production failure modessenior
- What an index is and how it speeds up queriesjunior
- The leading-column rule and composite index designmiddle
- Partial, expression, and covering indexesmiddle
- Index types: GIN, GiST, BRIN, Hash, Bloom, and HOT updatesmiddle
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- Index design exercise: full-text search strategysenior
- EXPLAIN and execution plans: what the planner decides and whyjunior
- Scan types: Seq, Index, Bitmap, Index-Onlymiddle
- Join algorithms and the row-estimate cascademiddle
- pg_statistic, ANALYZE, and production observabilitymiddle
- Extended statistics: fixing correlated-column estimate failuressenior
- Plan cache, cost-constant tuning, and planner internalssenior
- Production failure modes and plan stabilitysenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Migration failure taxonomy and production disciplinesenior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Where data fetching happens — and why it decides LCPjunior
- React Server Components and Suspense streamingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- Bits on the wirejunior
- Latency mathmiddle
- Bufferbloat and congestionsenior
- The physical frontiersenior
- The IP envelopejunior
- Reading the IP headermiddle
- Sequence numbers and connection statemiddle
- Flow control and congestion controlmiddle
- BBR, production observability, and beyond TCPsenior
- What TLS does and why it existsjunior
- Key schedule, SNI, ALPN, and extensionssenior
- 0-RTT defenses, ECH, hybrid PQ, and production TLSsenior
- CDN: putting content next doorjunior
- Anycast and GeoDNS: routing to the nearest edgemiddle
- Tiered cache and Cache-Controlmiddle
- Vary header and cache keysmiddle
- Stale-while-revalidate and cache stampedesenior
- Edge workers and edge-side compositionsenior
- CDN operations and observabilitysenior
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket vs SSE vs long-polling: choosing the right transportmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Balancing algorithms: round-robin to power-of-two-choicesmiddle
- L4 vs L7 load balancing and client-IP preservationmiddle
- Health checks, connection draining, and slow startmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- QUIC streams and head-of-line blockingjunior
- Integrated handshake and 1-RTTmiddle
- Connection IDs and network migrationmiddle
- Loss detection and congestion controlmiddle
- 0-RTT resumption and packet encryptionsenior
- Deployment tradeoffs and CPU costsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- The twelve layers: one URL, seven actorsjunior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Critical render path and Core Web Vitalsmiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- Why profile first: measure where time actually goesjunior
- Amdahl''''s law and self-time: the ceiling on every speedup you can shipmiddle
- The measurement loop: microbench, macrobench, prod profile, observer effectmiddle
- Reading flame graphs: shapes, per-language profilers, and the 60-second scanmiddle
- Statistical baselines: why one run is not a measurementmiddle
- Profiler history and microbenchmark pitfalls: Knuth to GWPsenior
- Hardware counters, cold-start profiles, and profile securitysenior
- Continuous profiling at scale: costs, CI gates, trace correlation, and anti-patternssenior
- What makes a hot path: symptom vs causejunior
- Five shapes of hotspot: CPU, alloc, cache, lock, syscallmiddle
- Reading parent and child chains: where to apply the fixmiddle
- JIT deopt, the fix-and-verify loop, and PR-time profilingmiddle
- Hardware counters and Intel TMA: sub-category diagnosissenior
- False sharing and native-bridge hot pathssenior
- Hot paths in production: security, tail latency, and tooling lineagesenior
- Memory hierarchy: why the same O(N) loop can be 17x slowerjunior
- Row-major vs column-major: access order and the 9x gapjunior
- Branch prediction and branchless codemiddle
- Hardware prefetcher, TLB, and memory-level parallelismsenior
- GC basics: what the runtime taxes you forjunior
- GC algorithms: generational, concurrent, and per-runtimemiddle
- GC tradeoffs: pause, throughput, heap — and object poolingmiddle
- GC tuning: pacing, heap shape, and allocation observabilitymiddle
- GC internals: tri-color invariant, write barriers, and per-runtime deep-divessenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- N+1: one logical operation, many round-tripsjunior
- Fix families: JOIN, IN, preload, and DataLoadermiddle
- Detecting N+1: query logs, APM traces, and CI gatesmiddle
- DataLoader: batching across resolver treesmiddle
- Cross-protocol N+1: HTTP fan-out and Redis MGETmiddle
- N+1 at scale: pool exhaustion, plan changes, and denormalisationsenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- What a bundle actually costs: download, parse, compile, executejunior
- Core Web Vitals: LCP, INP, and CLSmiddle
- Code splitting: route-level, component-level, vendor splittingmiddle
- Tree shaking and compression: removing what you don''''t usemiddle
- Third-party scripts: the silent budget killermiddle
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior