Three months into my first platform engineering role, I got paged at 2 AM because checkout was timing out. The metrics dashboard showed nothing unusual. CPU normal. Memory fine. Database responding. But users couldn't complete purchases, and I had no idea where to look next.
That's when I learned the difference between monitoring and observability the hard way.
Most companies start with monitoring â Prometheus scraping metrics, maybe some error logs piped to a file. It works until it doesn't. When something breaks in a way you didn't anticipate, you're flying blind. You know something is wrong, but not what or where.
Here's what I wish someone had told me back then: you probably don't need full observability everywhere. But you need it for the 3-5 critical paths that make or break your product. And in 2026, there's a better way to implement it than locking yourself into a vendor's proprietary instrumentation from day one.
This guide is what I would have written for myself three years ago. It's vendor-neutral, OpenTelemetry-first, and honest about where costs hide. I'll show you the observability pyramid â what to instrument first, what to add later, and what's overkill for most teams. You'll see real telemetry costs at different scales, and you'll walk away with working code examples you can drop into your services today.
Monitoring vs Observability: Why the Distinction Matters
Monitoring answers questions you know to ask. Observability lets you ask questions you didn't know you needed to answer.
When I set up monitoring, I'm defining thresholds: "Alert me if response time exceeds 500ms" or "Page someone if error rate hits 5%." I've pre-decided what matters. Monitoring is perfect for known failure modes â disk filling up, memory leak patterns you've seen before, traffic spikes that breach capacity. These are known unknowns.
Observability is for everything else. It's the middle of an incident and you need to figure out why that one specific user's checkout request failed while everyone else succeeded. You can't pre-define a metric for that. You need to reconstruct the entire request path, correlate logs across six services, and understand what made this request different.
The three pillars make this possible:
Metrics aggregate thousands of requests into numbers you can trend. They're cheap to store and query. I use them for dashboards and alerts.
Logs capture event-level context â stack traces, user IDs, request payloads. They're expensive at scale but essential for debugging specific failures.
Traces show a request's journey through a distributed system. Every service it touched, every database query, every cache lookup, with precise timing. This is where observability earns its keep.
The difference matters because they require different infrastructure, different costs, and different mental models. Monitoring is a subset of observability. You can monitor without observing, but you can't observe without collecting telemetry data that lets you reconstruct arbitrary request paths after the fact.
Most teams need monitoring for everything and observability for critical paths. Not the other way around.
The Three Pillars of Observability Explained
Let me show you what these actually look like in practice, because the theory doesn't help when you're trying to debug production.
Metrics give me the "health dashboard" view. I track the RED method for every service: Rate (requests per second), Errors (failure rate), Duration (latency percentiles). If I see p99 latency spike from 200ms to 2 seconds at 3 AM, metrics tell me that it happened and when. They don't tell me why.
I also use the USE method for resources: Utilization (% busy), Saturation (queue depth), Errors. This catches infrastructure problems â a database connection pool maxing out, disk I/O saturation.
Metrics are aggregated time-series data. I'm losing individual request details in exchange for efficient storage. A single metric point might represent 10,000 requests, averaged or percentile-bucketed. Prometheus stores this efficiently; it's why I can retain metrics for weeks without exploding my storage bill.
Logs are the narrative. They're what I grep through to understand what happened in a specific case. Structured logging is non-negotiable here â JSON logs with consistent field names so I can query them.
// Bad: unstructured logs
console.log(`User checkout failed`);
// Good: structured logging with context
logger.error('Checkout failed', {
userId: req.user.id,
cartId: req.body.cartId,
paymentProvider: 'stripe',
errorCode: 'card_declined',
traceId: req.traceId
});
That traceId is what connects logs to traces. When I'm debugging, I find the trace showing the slow request, grab the trace ID, then query logs for that same ID to see the detailed error context.
Traces are the map. Distributed tracing shows me the full request lifecycle across service boundaries. Each "span" represents one operation â an HTTP call, a database query, a cache lookup. Spans have parent-child relationships that reconstruct the call graph.
Here's what a trace shows me that metrics and logs can't: the checkout request called the payment service (120ms), which called Stripe's API (300ms), and before calling Stripe it validated the cart by calling the inventory service (800ms). That 800ms validation is my bottleneck, not the payment API I assumed was slow.
These three work together. Metrics alert me. Traces narrow down where the problem is. Logs give me the detailed context to understand why.
Why OpenTelemetry is the Foundation (2026 Standard)
In 2021, every observability vendor wanted you to use their SDK, their agents, their instrumentation library. Switch vendors? Rip out all your instrumentation and start over. I've done this twice. It's painful.
OpenTelemetry (OTel) changed that. It's a CNCF project that provides vendor-neutral telemetry collection. I instrument once with OTel, and the telemetry can flow to any backend that supports the OTel protocol â Prometheus, Jaeger, Datadog, Honeycomb, whatever.
By 2026, OTel is the de facto standard. Every major observability vendor supports it. If you're starting fresh today, there's no reason to use proprietary instrumentation unless you have a very specific vendor feature you need.
Here's the minimal OTel setup for a Node.js Express app:
// tracing.js
const { NodeSDK } = require('@opentelemetry/sdk-node');
const { getNodeAutoInstrumentations } = require('@opentelemetry/auto-instrumentations-node');
const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
const { Resource } = require('@opentelemetry/resources');
const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
const sdk = new NodeSDK({
resource: new Resource({
[SemanticResourceAttributes.SERVICE_NAME]: 'checkout-api',
[SemanticResourceAttributes.SERVICE_VERSION]: '1.2.0',
}),
traceExporter: new OTLPTraceExporter({
url: process.env.OTEL_EXPORTER_OTLP_ENDPOINT || 'http://localhost:4318/v1/traces',
}),
instrumentations: [getNodeAutoInstrumentations()],
});
sdk.start();
process.on('SIGTERM', () => {
sdk.shutdown()
.then(() => console.log('Tracing terminated'))
.catch((error) => console.log('Error terminating tracing', error))
.finally(() => process.exit(0));
});
module.exports = sdk;
Then in your app entry point:
// index.js
require('./tracing'); // Must be first, before other imports
const express = require('express');
const app = express();
app.get('/checkout', async (req, res) => {
const result = await processCheckout(req.body);
res.json(result);
});
app.listen(3000, () => console.log('Server running on :3000'));
That's it. Auto-instrumentation handles Express routes, HTTP clients, database queries, Redis calls â all the common libraries. OTel wraps them transparently and emits trace spans.
The OTEL_EXPORTER_OTLP_ENDPOINT environment variable points to your backend. Change the URL, same code works with a different vendor. That's the entire value proposition.
For Go services:
// tracing.go
package main
import (
"context"
"log"
"go.opentelemetry.io/otel"
"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp"
"go.opentelemetry.io/otel/sdk/resource"
sdktrace "go.opentelemetry.io/otel/sdk/trace"
semconv "go.opentelemetry.io/otel/semconv/v1.21.0"
)
func initTracer() func() {
ctx := context.Background()
res, _ := resource.New(ctx, resource.WithAttributes(
semconv.ServiceName("payment-api"),
semconv.ServiceVersion("2.1.0"),
))
exporter, _ := otlptracehttp.New(ctx)
tp := sdktrace.NewTracerProvider(
sdktrace.WithBatcher(exporter),
sdktrace.WithResource(res),
)
otel.SetTracerProvider(tp)
return func() { tp.Shutdown(ctx) }
}
The Observability Implementation Pyramid
Here's the mistake I see teams make: they instrument everything at once. Every service, every endpoint, full distributed tracing from day one. Six weeks later, the observability bill is $8,000/month and the team is drowning in trace data they don't use.
I think about observability like the testing pyramid. You need a solid base of cheap, broad coverage, and a narrow top of expensive, targeted instrumentation.
Level 1 (Foundation): Golden Signals for Critical User Journeys
Start here. Identify the 3-5 user flows that directly generate revenue or represent core product value. For an e-commerce app: search, add-to-cart, checkout, order status. For a SaaS dashboard: login, data load, primary action, report generation.
Instrument only these paths with:
- RED metrics (rate, errors, duration) at every service boundary
- Structured logs with trace IDs for errors
- Basic distributed tracing to see cross-service latency
This covers maybe 20% of your codebase but 80% of your business risk.
Level 2 (Middle): Service Dependencies and Error Context
Once the golden paths are stable, expand to:
- Service dependency mapping (who calls whom)
- Error tracking with full context (not just "500 error" but why)
- Database query performance tracking
- Cache hit/miss rates
You're still not tracing every request â maybe 10% sampling on non-critical paths.
Level 3 (Top): Full Instrumentation
Now you can add the expensive stuff:
- Full distributed tracing with high sampling rates (>50%)
- Continuous profiling (CPU, memory, heap snapshots)
- Real user monitoring (RUM) with frontend traces
- Custom business metrics (inventory levels, conversion funnels)
Most teams never need Level 3 for most services. The pyramid keeps costs manageable.
Instrumenting Your First Service: A Step-by-Step Guide
Say I have an Express.js checkout API. It accepts a POST with cart items, validates inventory, calls a payment service, and returns an order ID.
Step 1: Add structured logging
// logger.js
const winston = require('winston');
const logger = winston.createLogger({
level: process.env.LOG_LEVEL || 'info',
format: winston.format.combine(winston.format.timestamp(), winston.format.json()),
transports: [new winston.transports.Console()]
});
module.exports = logger;
Step 2: Initialize OTel (covered above)
Step 3: Add golden signal metrics
// metrics.js
const { MeterProvider } = require('@opentelemetry/sdk-metrics');
const { PrometheusExporter } = require('@opentelemetry/exporter-prometheus');
const exporter = new PrometheusExporter({});
const meterProvider = new MeterProvider({ readers: [exporter] });
const meter = meterProvider.getMeter('checkout-api');
const checkoutCounter = meter.createCounter('checkout_requests_total', { description: 'Total checkout requests' });
const checkoutDuration = meter.createHistogram('checkout_duration_seconds', { description: 'Checkout request duration' });
module.exports = { checkoutCounter, checkoutDuration };
Step 4: Instrument the checkout endpoint
// routes/checkout.js
const { trace } = require('@opentelemetry/api');
router.post('/checkout', async (req, res) => {
const startTime = Date.now();
const tracer = trace.getTracer('checkout-api');
const span = tracer.startSpan('checkout.process');
try {
const { cartId, userId, paymentMethod } = req.body;
span.setAttribute('user.id', userId);
span.setAttribute('cart.id', cartId);
logger.info('Checkout initiated', { userId, cartId, traceId: span.spanContext().traceId });
const inventorySpan = tracer.startSpan('checkout.validate_inventory', { parent: span });
const inventory = await validateInventory(cartId);
inventorySpan.end();
if (!inventory.available) throw new Error('Items unavailable');
const paymentSpan = tracer.startSpan('checkout.process_payment', { parent: span });
const payment = await processPayment(userId, paymentMethod, inventory.total);
paymentSpan.setAttribute('payment.provider', 'stripe');
paymentSpan.end();
const orderId = await createOrder(userId, cartId, payment.id);
span.setStatus({ code: 1 });
span.end();
const duration = (Date.now() - startTime) / 1000;
checkoutCounter.add(1, { status: 'success' });
checkoutDuration.record(duration, { status: 'success' });
logger.info('Checkout completed', { userId, orderId, duration, traceId: span.spanContext().traceId });
res.json({ orderId, status: 'success' });
} catch (error) {
span.recordException(error);
span.setStatus({ code: 2, message: error.message });
span.end();
checkoutCounter.add(1, { status: 'error' });
logger.error('Checkout failed', { error: error.message, traceId: span.spanContext().traceId });
res.status(500).json({ error: 'Checkout failed' });
}
});
When checkout breaks: error rate spikes in metrics â trace the slow request â grep logs by trace ID for the detailed error. That's Level 1 observability. Enough to debug 90% of production issues.
Distributed Tracing: Understanding Request Flow
A trace represents one request's journey. Each span is one operation. Spans have a shared trace ID, unique span ID, parent span ID, timing, attributes, and events.
When Service A calls Service B, OTel propagates the trace context in HTTP headers (traceparent). Service B creates child spans under the same trace ID. This reconstructs request flow across service boundaries.
Head-based sampling: Decide at the start of the request. Simple â 10% sampling configured at SDK level.
const sdk = new NodeSDK({
sampler: new TraceIdRatioBasedSampler(0.1), // 10%
});
Tail-based sampling: Collect all spans in memory, decide at the end. More powerful â keep 100% of errors and slow requests, sample 1% of normal traffic. Requires OpenTelemetry Collector with tail sampling processor.
I start with head-based at 10-20% for non-critical services, 100% for golden paths. Move to tail-based if costs become an issue.
Choosing an Observability Backend
Open Source Stack (Grafana LGTM)
- Loki for logs, Grafana for visualization, Tempo for traces, Mimir for metrics
- Self-hosted: you pay compute, not data volume
- I ran a 12-service stack on 3 EC2 m6i.xlarge instances: ~$600/month
- Tradeoff: you maintain upgrades, scaling, reliability
Commercial SaaS
- Datadog: Full-featured, expensive. At 10M spans/day, expect $2-3K/month.
- New Relic: Usage-based pricing. Strong APM features.
- Honeycomb: Trace-first UI. Cheaper at high scale with selective sending.
- Grafana Cloud: Managed LGTM. Pay for ingestion, cheaper than Datadog.
Cloud-Native
- AWS X-Ray + CloudWatch, GCP Cloud Trace, Azure Monitor â good enough for single-cloud shops, less powerful than dedicated platforms.
| Backend Type | Cost at 10K req/min | Cost at 100K req/min | Ops Burden | Query Power |
|---|---|---|---|---|
| Self-hosted LGTM | $600/mo | $2K/mo | High | Medium |
| Datadog | $500/mo | $4K+/mo | None | High |
| Grafana Cloud | $300/mo | $2K/mo | Low | Medium |
| Honeycomb | $400/mo | $2.5K/mo | None | Very High |
| AWS X-Ray | $200/mo | $1.5K/mo | Low | Low |
Estimates assume 10% trace sampling, 30-day retention, moderate cardinality.
The Real Cost of Observability
10 services, 10,000 req/min, ~8 spans/request, 10% sampling.
Data volume: 480K spans/hour â 700GB/month.
Costs at 10K req/min:
- Self-hosted S3: $16/month storage
- Grafana Cloud: $350/month
- Datadog: ~$900/month
Costs at 100K req/min (7TB/month):
- Self-hosted: ~$2K/month
- Grafana Cloud: $3,500/month
- Datadog: $9K+/month
Add metrics and logs: costs increase 30-50%.
Cost optimization levers:
- Sampling: Drop from 10% to 5%, halve trace costs. Tail-based sampling: keep 100% of errors, 1% of normal.
- Retention: 7 days hot, 30 days cold. Saves 50% on storage.
- Filtering: Skip health checks, internal admin endpoints, non-critical services.
- Cardinality: Don't put high-cardinality attributes (user IDs) on every span.
I've seen teams go from $12K/month to $3K/month with tail-based sampling + 14-day retention. The observability value didn't decrease.
Query Patterns: Getting Value from Telemetry Data
Finding slow requests (TraceQL in Grafana Tempo):
{ duration > 2s && service.name="checkout-api" }
Correlating errors (LogQL in Loki):
{service="checkout-api"} |= "error" | json | traceId="abc123"
PromQL alert â error rate over 5%:
rate(checkout_requests_total{status="error"}[5m]) > 0.05
SLO dashboard â 99.5% of requests under 1s:
sum(rate(checkout_duration_seconds_bucket{le="1.0"}[5m])) / sum(rate(checkout_duration_seconds_count[5m]))
These patterns are the difference between "we have observability" and "we use observability to prevent incidents."
Observability in Practice: Real-World Scenarios
Scenario: A slow API endpoint
Customer reports slow order history. Metrics show p99 latency for /orders jumped from 300ms to 4 seconds.
Query: { duration > 3s && http.route="/orders" }. Waterfall reveals inventory-service taking 3.8s. Inventory traces show DB query at 3.7s. Logs: WARN: DB connection pool exhausted (queue: 47).
Pool size was 10. Scale to 30, redeploy. Latency drops to 300ms in 2 minutes.
Investigation time: 8 minutes. Without observability: an hour of guessing.
Team Adoption: Cultural and Organizational Aspects
Observability isn't just tooling. It's a shift in how your team debugs production.
Make telemetry accessible to all engineers, not just ops. If a backend engineer needs to ask the platform team to query traces, they won't.
Integrate into on-call runbooks: "Check the trace dashboard, filter by errors, grab a trace ID, query logs for that ID."
Train on query patterns: a 1-hour workshop on 5 queries covers 80% of use cases. You don't need TraceQL mastery.
The shift from "let's add more logs" to "let's check the traces first" takes 3-6 months.
Common Implementation Mistakes
Mistake 1: Instrumenting everything from day one. You get 10M spans/day and no idea which traces matter. Start with 3-5 golden paths.
Mistake 2: Ignoring sampling until costs explode. Teams go live at 100% sampling, then face a $15K/month bill. Implement sampling from day one.
Mistake 3: Treating observability as an ops-only problem. If only ops can query telemetry, engineers revert to old habits.
Mistake 4: Alert fatigue from poor signal-to-noise. 50 endpoints à 50 alerts = 200 pages/week, 95% false positives. Focus alerts on golden signals.
Mistake 5: Not correlating the three pillars. Traces without trace IDs in logs are half as useful.
Measuring Observability Maturity
Level 1: Basic Monitoring â Metrics dashboards, centralized logs, threshold alerts. Debugging takes hours.
Level 2: Distributed Tracing + Correlation â Distributed tracing, trace IDs in logs, reconstructable request paths. Debugging takes 15-30 minutes.
Level 3: Proactive Observability â SLO-driven alerts, tail-based sampling, anomaly detection before user reports. Observability is the default debugging tool.
Most teams are at Level 1. Level 2 is where real ROI kicks in. Level 3 is aspirational for high-scale teams. The progression takes 12-18 months, and that's fine.
That's observability in 2026. Start with OpenTelemetry, instrument your golden paths first, pick a backend that fits your budget and ops capacity, and expand from there.
You don't need full observability everywhere. You need it where it counts, and you need to use it as your default debugging tool. That's the shift that makes the investment worth it.
Tested environment: Node.js 22 LTS, OpenTelemetry SDK 1.25, Ubuntu 24.04