Observability

Question 1

What is observability (practical definition)?

Answer 1

The ability to understand what’s happening inside a system using external signals (logs, metrics, traces), enabling fast diagnosis, impact assessment, and prevention of recurrence.

Question 2

Why is observability important in production?

Answer 2

It reduces time to detect and repair (MTTR), helps isolate root cause, measures user impact, and supports reliable operation of services.

Question 3

What are the three pillars of observability?

Answer 3

Logs (discrete events), Metrics (numeric time-series), Traces (end-to-end request flow across components).

Question 4

Why is relying on only one pillar (e.g., logs) insufficient?

Answer 4

Each pillar answers different questions; correlating logs + metrics + traces is needed to detect issues, localize root causes, and understand performance across services.

Question 5

What does MTTR stand for?

Answer 5

Mean Time To Recovery (or Repair): average time to restore service after an incident.

Question 6

What are logs?

Answer 6

Discrete records of events that happened at specific times, often used for debugging, auditing, and providing context.

Question 7

How are logs different from debugging with print statements?

Answer 7

Logs are production signals designed for consistency, filtering, and correlation; print statements are ad-hoc and not suitable for scalable production diagnosis.

Question 8

What should ERROR logs represent?

Answer 8

Failures that require action—unexpected exceptions, failed operations, or degraded functionality.

Question 9

What should WARN logs represent?

Answer 9

Recoverable anomalies or suspicious conditions—retries, fallbacks, partial failures, or unusual but non-fatal states.

Question 10

What should INFO logs represent?

Answer 10

Meaningful high-level events or state transitions (not noise): e.g., request completed, job processed, significant business events.

Question 11

When should DEBUG logs be used?

Answer 11

Detailed diagnostic information helpful when troubleshooting; typically disabled in production by default.

Question 12

What is structured logging?

Answer 12

Logging in a machine-parseable format with key-value fields (e.g., userId=…, status=…, traceId=…), enabling powerful querying and aggregation.

Question 13

Why is structured logging better than plain text logs?

Answer 13

It enables filtering, grouping, dashboards, and faster investigations (e.g., query all logs with traceId=abc123).

Question 14

What is a correlation ID / trace ID?

Answer 14

A unique identifier attached to a request and propagated across services so all related logs/traces can be linked.

Question 15

Why are correlation IDs valuable in microservices?

Answer 15

They allow you to follow a single request across multiple services to pinpoint where failures or latency occur.

Question 16

What are common things you should NOT log?

Answer 16

Passwords, JWT tokens, API keys/secrets, sensitive PII, or large payloads that cause log explosion.

Question 17

What is log explosion and why is it bad?

Answer 17

Excessive logging that increases cost and noise, slows debugging, and can impact performance/storage.

Question 18

What is a good rule for logging at INFO level?

Answer 18

Keep INFO logs meaningful and high-signal; avoid noisy per-line/per-loop logs.

Question 19

What are metrics?

Answer 19

Numeric measurements collected over time (time-series) used for monitoring trends, performance, and alerting.

Question 20

What does the RED method stand for?

Answer 20

Rate (traffic), Errors (error rate), Duration (latency), typically for request/endpoint monitoring.

Question 21

What does the USE method stand for?

Answer 21

Utilization, Saturation, Errors—commonly for resource monitoring (CPU, memory, queues, pools).

Question 22

What are the ‘golden signals’ of monitoring?

Answer 22

Latency, Traffic, Errors, Saturation.

Question 23

Why are averages often misleading for latency?

Answer 23

Averages hide tail latency; a small % of very slow requests can harm users without changing the mean much.

Question 24

What are latency percentiles (p50, p95, p99)?

Answer 24

p50 is typical request latency; p95/p99 show tail latency experienced by the slowest 5%/1% of requests.

Question 25

Why monitor p95/p99 latency?

Answer 25

They capture tail behavior, reveal queuing and bottlenecks, and correlate better with user experience under load.

Question 26

Name a few key application metrics for an API.

Answer 26

Request rate (RPS), error rate (4xx/5xx), latency (p95/p99), timeouts, retries, and saturation indicators (thread pool, DB pool).

Question 27

Name a few key infrastructure/resource metrics.

Answer 27

CPU utilization, memory usage, disk I/O, network I/O, container restarts, and resource saturation signals.

Question 28

What is saturation (in USE/golden signals)?

Answer 28

A measure of how ‘full’ a resource is (e.g., queue depth, thread pool exhaustion, DB connection pool at max).

Question 29

What is the goal of alerting?

Answer 29

Notify humans only when action is needed; alerts should be actionable and tied to user impact.

Question 30

What is an actionable alert?

Answer 30

An alert that clearly states what’s broken, impact, and what to check first, ideally linking to relevant dashboards/log queries.

Question 31

Why are ‘CPU > 80%’ alerts often poor?

Answer 31

They can be noisy and not directly tied to user impact; user-impacting alerts should focus on error rate/latency/saturation.

Question 32

Give examples of good alert conditions for an API.

Answer 32

5xx error rate > X% for Y minutes; p95 latency > threshold for Z minutes; queue depth increasing steadily; DB pool exhaustion.

Question 33

What is anomaly detection in alerting?

Answer 33

Alerting based on deviations from normal baseline patterns rather than fixed thresholds.

Question 34

What is an SLO?

Answer 34

Service Level Objective: a target level of reliability/performance (e.g., 99.9% success rate, p95 < 300ms).

Question 35

What is an SLI?

Answer 35

Service Level Indicator: the measured metric used to evaluate an SLO (e.g., success rate, latency percentile).

Question 36

What is an error budget?

Answer 36

The allowable amount of unreliability in a period; used to balance shipping features vs stability.

Question 37

What is distributed tracing?

Answer 37

Tracking a request across services/components using a trace composed of spans, showing timing and dependencies.

Question 38

What is a span?

Answer 38

A timed operation within a trace (e.g., DB query, HTTP call) that records duration and metadata.

Question 39

Why are traces useful for latency debugging?

Answer 39

They show where time is spent across services, revealing bottlenecks like slow DB calls or downstream latency.

Question 40

What must be in place for effective tracing across services?

Answer 40

Context propagation (traceId/correlationId) across service boundaries and consistent instrumentation.

Question 41

During an incident, what is the #1 priority?

Answer 41

Mitigate user impact and restore service first; root cause comes after stabilization.

Question 42

What are the typical incident phases?

Answer 42

Detect → Triage → Stabilize/Mitigate → Diagnose → Fix → Verify → Postmortem/Prevention.

Question 43

What does triage mean in incident response?

Answer 43

Assess scope and impact: affected users, endpoints, regions, error rates, and urgency.

Question 44

Give examples of stabilization/mitigation actions.

Answer 44

Rollback deployment, disable feature via flag, scale up, apply rate limiting, enable fallback, isolate failing dependency.

Question 45

What is a postmortem and why do it?

Answer 45

A blameless analysis after an incident to identify root cause and create action items to prevent recurrence.

Question 46

What are good postmortem action items?

Answer 46

Add tests, improve alerts/dashboards, fix code, adjust timeouts/retries, update runbooks, and refine deployment safety.

Question 47

How do you approach a spike in 500 errors?

Answer 47

Check recent deploys; identify affected endpoints; inspect logs with correlation IDs; review metrics for DB pool/timeouts; use traces to find failing dependency; mitigate (rollback/flag) then fix.

Question 48

How do you approach p95 latency increasing?

Answer 48

Check saturation (CPU/mem/thread pools/DB pools), DB slow queries, GC pressure, downstream latency/retries; use traces to locate bottleneck; mitigate and optimize.

Question 49

How do you debug intermittent failures?

Answer 49

Look for timeouts, retries storms, race conditions, unstable dependencies; add metrics for retries/timeouts; improve logging correlation; consider circuit breakers/backoff.

Question 50

What’s a retry storm?

Answer 50

When many retries amplify load and failures, causing cascading degradation across services.

Question 51

Why are timeouts important in service-to-service calls?

Answer 51

Without timeouts, requests can hang, tie up threads, cause queueing, and trigger cascades under partial failures.

Question 52

What is a circuit breaker pattern?

Answer 52

A resilience pattern that stops calling a failing dependency temporarily to prevent cascading failures and allow recovery.

Question 53

Why is backoff important for retries?

Answer 53

It reduces immediate pressure on a failing dependency and avoids synchronized retry spikes.

Question 54

What is a good logging standard for requests?

Answer 54

Log request start/end or completion with status, latency, and correlation ID; avoid logging sensitive payloads.

Question 55

Why avoid logging full request/response bodies by default?

Answer 55

Security/PII risk, cost, and noise; prefer targeted logging and sampling when necessary.

Question 56

What’s a good first step when investigating a production issue?

Answer 56

Start with metrics to classify the problem: errors vs latency vs saturation; then drill down with logs/traces.

Question 57

How do you decide if the issue is app, DB, network, or downstream?

Answer 57

Correlate metrics (DB pool, error spikes), logs (exception types), and traces (which span is slow/failing) to isolate the component.

Question 58

What should dashboards enable during an incident?

Answer 58

Fast narrowing: error rate, latency percentiles, traffic, saturation by service/endpoint, plus links to logs and traces.

Question 59

In AWS, what’s a common place to view logs and metrics?

Answer 59

CloudWatch Logs for logs, CloudWatch Metrics/Alarms for metrics and alerting (plus dashboards).

Question 60

Name common tracing approaches/tools (conceptually).

Answer 60

Distributed tracing via OpenTelemetry instrumentation; backends like AWS X-Ray, Jaeger, Zipkin, or vendor platforms.

Question 61

What’s a strong one-liner describing your production debugging approach?

Answer 61

“Metrics first to classify the failure, then logs with correlation IDs for context, and traces to locate bottlenecks across services—mitigate first, then root cause and prevention.”

Question 62

What makes a ‘good’ alert in one sentence?

Answer 62

An alert that is user-impacting, actionable, and points you to the next diagnostic step (dashboard/log query).