Managing Observability Data at the Edge with the OpenTelemetry Collector and OTTL - Evan Bradley

00:00

all right Hello Seattle how we

00:02

doing all right good just make sure

00:04

you're

00:06

awake okay so a little bit about me uh

00:08

I'm Evan I help maintain both The otel

00:11

Collector and OTL both of which I've

00:13

been contributing to for roughly about

00:15

two years now and uh before we get

00:18

started I want to quickly go over what

00:20

we're going to cover today so I'm going

00:21

to give a quick intro to The otel

00:23

Collector I know we've talked about a

00:24

little bit but uh we're to go a little

00:26

bit deeper so I just want to make sure

00:27

everyone's on the same page and then I'm

00:29

going to cover what OTL is after that

00:32

I'm going to introduce a hypothetical

00:35

situation that I've uh devised that

00:38

we're going to solve using OTL and a

00:39

handful of popular components uh and I'm

00:42

hoping that by the end of this you're

00:43

going to have an idea of how you could

00:45

apply these components to your own

00:47

setups so first uh for anyone who isn't

00:50

familiar The Collector s is a middleware

00:53

in your observability pipelines and can

00:55

process and Route data as it flows

00:57

through um the collector's flexibility

01:00

comes from its internal pipeline model

01:02

which is composed of different

01:04

components that you can string together

01:06

and data comes into the collector

01:08

through receivers you'll see that on the

01:09

left there which translate an external

01:12

format into the collector's internal uh

01:15

pipeline data format and the data stays

01:18

in this internal format until it leaves

01:19

the collector uh after receivers the

01:23

data will go through processors which

01:25

can Reda filter enrich Etc and then

01:28

finally it leaves the collector at expor

01:30

which translate that into an external

01:32

format and send it somewhere else for

01:34

example to an ootl endpoint uh something

01:37

really cool though is that you can

01:39

connect pipelines together with

01:41

components that are called connectors

01:42

and you can do all sorts of things with

01:44

connectors but the thing that I'm going

01:45

to focus on today is just going to be

01:47

routing

01:49

data so a quick intro to OTL OTL is an

01:52

easyto read language that allows reading

01:54

from and writing to data in place as it

01:57

flows through the collector it's

01:59

steadily becoming the standard way to

02:00

work with data in The Collector since

02:01

it's flexible and offers a common

02:04

configuration format across a whole

02:05

bunch of different components that use

02:07

it um and since all collector components

02:10

work with this internal data format you

02:12

can use OTL without having to worry

02:14

about the input or output format of the

02:16

data and at the bottom here you can see

02:19

an example OTL statement so this just

02:23

basically sets an attribute where some

02:26

name matches a regular expression so

02:28

hopefully pretty straightforward easy to

02:29

read

02:31

moving into the case study uh let's

02:33

consider a company uh Global telescopes

02:36

that is a telescope manufacturing and

02:38

sales conglomerate that sells to

02:40

organizations worldwide and to serve its

02:42

customers where they are it has

02:44

applications that are hosted in regions

02:45

around the world uh but this comes with

02:48

some complexity and to deal with local

02:50

data privacy laws and scale their

02:52

Telemetry processing the applications

02:54

send their data to sidecar collectors

02:56

that filter out extra data and redact it

02:59

uh before before it leaves the region

03:01

after it leaves the region uh the data

03:03

is then collected into a centralized

03:04

collector where they can take actions

03:06

that need to be handled companywide or

03:08

otherwise require a single collector

03:10

instance and for this example let's say

03:12

that the Gateway collector needs to do

03:14

two things uh first as conglomerates due

03:17

the global telescopes company just

03:19

acquired another company that is being

03:21

added to its consumer retail arm and the

03:23

new teams haven't yet fully integrated

03:25

with the rest of the company so the data

03:27

from their apps needs to be routed into

03:29

their old back end

03:30

and then for the rest of the data that

03:32

is routed into the company wide backend

03:35

it needs to be sampled to cut down on

03:36

costs and they want to do tail sampling

03:39

to uh do this that needs to be added

03:42

into a single collector to work properly

03:44

um so if you look at this setup here

03:47

this is a uh basically a pipeline

03:51

diagram model for a single region uh for

03:54

what this would look like uh inside of

03:55

the collectors that we've configured so

03:58

basically data comes in through OTP is

04:00

processed in the side car in the filter

04:02

and transform processors and then is

04:03

sent on to the second collector which

04:06

determines where the data needs to go

04:08

using the routing connector and then

04:10

finally samples with the tail sampling

04:12

processor for the data that ends up in

04:14

the companywide back end diving into it

04:17

let's start with the side car so first

04:21

we want to use the filter processor to

04:22

filter out a bunch of data uh sometimes

04:25

the developers leak their log level at a

04:26

little higher setting than they should

04:28

and these logs are pretty noisy so we

04:29

want to filter them out or uh as Jamie

04:31

was talking about earlier maybe they

04:33

have some extra span events uh from

04:35

their instrumentation that we want to

04:36

get rid of um regardless um the filter

04:38

processor can do the job so for this

04:40

example specifically uh collector log

04:43

levels are stored as integers and lower

04:46

numbers mean nois your logs so we want

04:48

to cut out anything that's at debug

04:50

level or lower uh however we still want

04:52

to keep info and error level logs so

04:54

those are going to be passed through uh

04:56

and with that we've cut out quite a bit

04:57

of data so we can now move on to

05:00

um additional processing on the logs so

05:02

we want to parse them now the logs are

05:04

sent to the collector in Json but we

05:06

want them in a structured format so we

05:08

need to parse them here and before we

05:11

dive too deep into this I do want to

05:12

call out OT Tail's cache feature which

05:15

basically serves as a way to store

05:17

temporary data inside of a map while

05:19

you're working with something so the

05:21

cache starts out empty before the first

05:23

statement there and then after the very

05:24

last statement is going to be cleared

05:26

once again before the next payload comes

05:28

in so purely temporary and only is used

05:31

to hold data while we're doing these

05:33

computations so what we're going to do

05:35

is we're going to parse the body put it

05:36

in the cache and then we're going to

05:38

take the pars attributes map and parse

05:40

log body out and then put them on the

05:42

structured log and at the result of this

05:44

we get a structured

05:46

log with that we can now redact some

05:49

stuff out of it so let's say we have a

05:50

purchase ID and this is considered pii

05:53

so we want to redact this before sending

05:55

it to our back end and to make things

05:57

interesting let's say that we also need

05:59

to handle data deletion requests so in

06:02

order to do that we would need to be

06:04

able to locate the data inside of our

06:05

back end given some customer input let's

06:07

say they give us the purchase ID and we

06:09

want to be able to find the equivalent

06:10

data for that uh we could hash it let's

06:13

say using a shot 256 hash so first uh

06:18

I'm not a lawyer so don't take this as

06:19

advice for how to handle pii it's just

06:21

illustrative um but what we could do

06:24

here is we could U basically take the

06:26

purchase ID out of an attribute uh match

06:28

it with a regular expression and then

06:30

use the match group to uh as input to a

06:34

shot 256 function and then replace the

06:36

attribute on there um and the cool thing

06:38

about this is that that shot 256

06:40

function is actually like an OTL

06:41

function it's not hardcoded into the

06:44

replace pattern function at all you

06:45

could replace it with whatever hashing

06:47

uh algorithm that you wanted and

06:49

additionally that whole function

06:50

argument is optional so if you didn't

06:52

pass that in it would just use the

06:53

capture group without uh hashing it at

06:55

all and um but if you you know obviously

06:58

want it you can have it there too

07:00

um so with all the data reacted the data

07:02

can now safely leave the region and we

07:04

can move on to the second collector here

07:06

which has the pipelines that are covered

07:09

uh are highlighted in this diagram um so

07:12

we're going to route and then we're

07:12

going to sample uh let's start with

07:14

routing and then after we route if it

07:17

goes to the retail pipeline no more

07:19

processing is needed that team will

07:20

handle it so we can quickly cover that

07:23

uh we can do that with the routing

07:24

connector so the routing connector also

07:26

supports OTL and we have this pretty

07:29

pretty easy all of our applications are

07:31

already annotated with what branch of

07:33

the company they apply to so we can just

07:36

check if it's anything that starts with

07:37

retail goes to the retail back end we're

07:39

done anything else goes to the

07:40

companywide back end and with that we're

07:42

done with the retail pipeline so we can

07:44

move on to uh our companywide pipeline

07:48

that is mostly for industrial telescopes

07:51

um and again we need to do sampling

07:53

there so we're going to use this tail

07:56

sampling policy and this checks does a

07:59

handful of uh checks using OTL before

08:03

determining whether to sample it or not

08:05

uh if any of these conditions matches

08:07

then the trace is sampled if none of

08:10

them match then it's dropped so first we

08:12

want to make sure that if there's an

08:14

error we know about it so we're going to

08:15

sample all errors uh then we really like

08:19

to be paid so anything from the payment

08:21

service is definitely sampled uh and

08:24

everything else we do a pretty

08:26

rudimentary uh sampling algorithm where

08:29

we get the heximal representation of our

08:31

random Trace ID and then check if it

08:34

starts with one of the 16 heximal

08:36

characters in this case a um and that

08:39

gives us a one in 16 chance of data

08:41

being sampled so with this we've cut

08:44

down the data that we have uh we're good

08:45

to go the data is then forwarded to the

08:47

company wi back end and this is the

08:49

resting config you can see here that

08:51

it's pretty simple everything's

08:53

configured uh using like the same kind

08:55

of configuration format it's all ootl I

08:58

do want to call out that

09:00

this is not a production ready config

09:02

there's a couple of like recommended

09:04

options that I've left out of here just

09:06

to make the config a bit shorter but

09:08

this should hopefully give you an idea

09:09

that you can use a variety of different

09:10

components and they're all kind of

09:12

configured in the same sort of way and

09:15

that you can more or less kind of tweak

09:17

and query how you

09:19

like uh finally I do want to cover some

09:22

some new features here that we've added

09:24

recently uh first the one I or two these

09:27

first two I've covered uh earlier uh the

09:29

first one's optional parameters so for

09:32

example for this pars key value function

09:35

uh we have a default

09:36

delimiter and users might want to

09:39

override that so they're given the

09:40

option to set their own delimiter if

09:42

they want similarly with functions as

09:44

parameters you can pass in a function if

09:46

uh your function accepts that if it

09:48

matches the function signature uh not

09:50

common but useful for complex use cases

09:53

and then finally we've added 15 new

09:56

functions so far this year and we're

09:58

continually adding more so if there's

10:00

functional that you feel like was

10:01

missing prior uh check back because it

10:04

might be there now going forward uh

10:06

looking a little bit ahead we're going

10:08

to be looking at how to handle list

10:09

values that's something that is kind of

10:11

a bit of a gap right now we'd like to

10:13

improve uh and then we're going to be

10:14

looking at trying to stabilize HL in the

10:16

transform processor uh looking ahead to

10:19

hopefully consolidating uh basically

10:21

that list of processors possibly a few

10:22

more um into the transform processor

10:25

just make it easier for users to

10:27

determine which processor to do

10:30

um and here are some dock links if you

10:32

want to scan or type those in but um

10:35

I'll leave this up but we're done I

10:36

think we're ready for questions

10:44

now right um okay so that is I'm

10:47

definitely not the expert on this but

10:49

there are um persist there are

10:52

extensions that allow you to persist

10:53

data in the pipelines on disk or on a

10:57

store like S3 or something like that so

10:59

that could be one option second you

11:01

would also want in your pipeline some

11:02

retry logic so so you have a collector

11:05

crash you know it's got some data in its

11:06

pipeline but you've persisted that it's

11:08

safe you're going to be still sending

11:09

data to it you'll want retries for when

11:11

the collector comes back

11:13

up so okay uh that that's a tough

11:17

question and I'm definitely not

11:18

qualified to answer it but my

11:20

understanding of how that would work is

11:21

I would probably recommend sharting you

11:23

check the trace ID and then you use that

11:25

to route to a particular collector I I

11:29

dressy is that sound like a good

11:34

okay cool

11:37

okay

11:39

thanks um so for here was the

11:41

flexibility but I would recommend to do

11:42

it as close to source as possible so the

11:44

reason that I had this in the example

11:46

here um and I'm sorry I forgot to repeat

11:47

the question the question is is there a

11:49

reason that you would want to Hash um

11:52

pii in the collectors opposed to as

11:54

close the application as possible um and

11:56

again I would do definitely do that as

11:58

close as possible

12:00

and the um yeah there's no reason to do

12:04

it any further but the reason I did it

12:05

here was because if you were in the same

12:07

re usually Pi you don't want to leave

12:09

the region right so if you put a

12:11

collector as close as your application

12:12

as possible you can be sure it won't

12:14

leave the region

12:15

unredacted a good question um I'm happy

12:17

you asked actually because I didn't get

12:19

or I didn't take time to call it out um

12:21

so the question is is there any good way

12:22

to test OTL um and the answer is yes

12:24

Tyler actually just added some debug

12:26

logging so if you turn on debug logging

12:28

The Collector it'll print out debug logs

12:30

that show the state of the data before

12:33

and after an execution uh we're also and

12:36

this is being reviewed right now I think

12:37

it's actually being pretty it's pretty

12:38

close to being merged uh we're adding

12:40

traces as well to the transform

12:41

processor