Distributed Observability

Monthly error budget: 100% - 99.95% = 0.05% allowed failure rate. In minutes: 30 days x 24h x 60min = 43,200 minutes/month x 0.0005 = 21.6 minutes of downtime allowed. In transactions: 4,000,000 x 0.0005 = 2,000 failed transactions/month. Deployment impact: 4M / 43,200 min = ~92.6 req/min baseline. At peak with 5,556 req/min x 0.02% failure x 30 min = ~33 failed transactions. Budget consumed = 33/2,000 = 1.65% — very acceptable. Policy at 80% budget consumed: halt non-critical deployments, require SRE approval for any change, escalate to engineering leadership. Latency SLO: define availability as "% of requests completing under 500ms AND returning 2xx" — this is stricter. A deployment that causes 600ms latency for 10 minutes may technically not increase error rate but still burns availability budget.

4 structural causes: (1) GC pauses — JVM stop-the-world GC freezes all request processing for 500ms–3s, affecting whichever requests are in-flight during the pause. (2) Head-of-line blocking — a slow request at the front of a connection queue blocks all behind it (HTTP/1.1 without multiplexing, or a single-threaded event loop bottleneck). (3) Hot partition — 1% of keys hash to an overloaded shard, causing those requests to queue. (4) Synchronous external call on a code path hit rarely — 1% of requests trigger an optional third-party lookup (address validation, fraud check) that blocks. Tracing: a 4000ms trace shows one span consuming 3950ms (the culprit) vs the 50ms trace where that span is absent or takes 5ms. Hot shard fix: identify the hot key prefix from slow query logs, redistribute with a composite shard key. p99 compounding: P(at least one p99 in 10 calls) = 1 - (1-0.01)^10 = 1 - 0.904 = 9.6%. Nearly 1 in 10 user sessions hits a slow call — far more impactful than p99 alone suggests. Design SLOs on p99 for this reason.

8 metrics: (1) payments_total (counter, labels: status, currency, gateway) (2) payment_duration_seconds (histogram, labels: status, gateway) (3) fraud_api_duration_seconds (histogram) (4) fraud_api_errors_total (counter, labels: error_type) (5) db_connections_active (gauge) (6) db_connections_waiting (gauge) (7) payment_amount_usd (histogram, buckets: 1,10,50,100,500,1000+) (8) payment_gateway_errors_total (counter, labels: error_code, gateway). Trace spans: ROOT: "payment.process" (server) — attrs: payment_id, amount, currency. CHILD: "fraud.check" (client) — attrs: fraud_provider, fraud_score, fraud_decision. CHILD: "gateway.charge" (client) — attrs: gateway_name, charge_id, response_code. CHILD: "db.insert_transaction" (client) — attrs: db_name, table, rows_affected. Sampling strategy: use tail-based sampling (collect all spans, sample at export). Rules: if root span status=error OR duration > 1000ms → sample 100%. Else sample 1%. This captures all incidents while reducing storage by ~80%.

Error budget: 100% - 99.9% = 0.1%. Monthly minutes: 30 x 24 x 60 = 43,200 min x 0.001 = 43.2 minutes budget. Fast burn rate (1 hour to exhaust): to burn 43.2 min in 60 min, error rate must be 43.2/60 = 72% of "normal max allowed" error rate. Actually: burn rate = (actual_error_rate / allowed_error_rate). 30x burn rate at 0.1% SLO = 30 x 0.1% = 3% error rate threshold. 6x burn = 6 x 0.1% = 0.6% error rate. 3x burn = 3 x 0.1% = 0.3% error rate. Dual window necessity: long window (1h) catches sustained burns but fires too late for a sudden 100% outage started 55 min ago. Short window (5min) confirms the burn is ongoing right now, not a historical artifact. Both must exceed threshold simultaneously — this prevents false alarms from brief spikes that already resolved. Alert fatigue fix: add a maintenance window silence label (alertmanager inhibition rules) that mutes medium-burn alerts when a maintenance annotation is present in Grafana.