In the modern world of software development, the topic of distributed solutions implementation has become quite common, due to the flexibility it brings to big companies. The downside is that when developing such systems, especially when it comes to many teams, global design problems may not be obvious and lead to a slowdown in the development process or even problems with the location of errors or degradation of overall system performance. In addition, the timely reaction to system degradation is complicated by the distributed nature of the architecture, while manually configuring rules for reporting problematic situations can be time-consuming and still incomplete, automatic detection of possible system anomalies will give engineers (especially Software Reliability Engineers) the focus on problems. For this reason, applications that can dynamically analyze the system for the problems have great potential. Currently, the topic of using telemetry for system analysis is actively studied and gaining traction, so further research is valuable. The aim of the work is to theoretically and practically prove the possibility of using telemetry for the analysis of a distributed information system, detection of harmful architectural practices and anomalous events. To do this, firstly, a detailed overview of the problems related to the topic and the feasibility of using telemetry is provided, the next section briefly describes the history of the monitoring systems development and the key points of the latest OpenTelemetry standard. The main part includes an explanation of the approach used to collect and process telemetry, a reasoning behind the usage of Neo4j as a data storage solution, a practical overview of graph theory algorithms that help in the analysis of the collected data, and a description outlining how the PCA algorithm is employed to detect unusual situations in the whole system instead of individual metrics. The results provide an example of using the software presented in combination with Neo4j Bloom to visualize and analyze the data collected over a period of several hours from the OpenTelemetry Demo test system. The last section contains additional remarks on the results of the study.
In recent years, distributed architectures such as microservices have received a lot of
attention and popularity due to the opportunities that the architectural pattern opens up in terms
of optimization, technology stack diversification, and more [
The topic of system observability is far from new. In the world of distributed systems, Google
is considered a pioneer in the study of the topic of observability. In 2010 Google engineers
published paper called “Dapper – a Large-Scale Distributed Systems Tracing Infrastructure”
[
Also, at that time, quite a lot of applications helping in a system monitoring had already
been presented on the market, for this reason, one of the tasks was to maintain compatibility
with them, so the latest standard provides a specification that describes approaches for metrics
collection, conventional descriptions of processes such as interaction using the HTTP protocol,
RPC [
One of the main notions introduced in the standards is telemetry – a set of metrics, logs
and, most importantly, traces [
The idea of using telemetry to improve the structure of a system can be traced back to several
research papers released in recent years [
The proposed analytical system receives a constant stream of telemetry data, aggregates it by updating the system model in the form of a directed graph stored in a graph database management system (DBMS). After that, the model can be used for analysis, searching for structural anti-patterns.
Constructing the system’s graph model involves processing traces of requests (figure 2). Once they are received, the process creates or updates information about available resources (services, storages, proxies) and stores information about changes in the storage. operations available in the service (operation) and individual sub-requests (hop).
To build a system graph for further analysis, the data storage must have the following information: • resources are interacting components of the system. A resource must have a name, type (service, storage), date of creation and last use; • operations are defined by one resource and called by other ones; have statistics on the number of calls, errors, the last date of creation, use; • calls – connections between a resource and an operation. They has the date of creation, last use, type (synchronous, asynchronous), number of errors.
Neo4j was chosen as the storage of the system model since it physically stores data as a graph,
which makes it possible to use graph traversal algorithms to find bad practices in the system,
namely:
• clustering coeficient – measures the degree of vertex connectivity; will help show service
groups in the system [
The graph DBMS structure is presented in figure 3.
Data storage has two types of nodes: resources and operations. Resources are related to the operations with the “Provides” relation. To show calls, the “Calls” relationship is used, which aggregates statistics for all identical calls from one resource to an operation of another resource.
The ETL process begins with instrumentation of the system – installation of modules for
popular libraries that will be collecting the telemetry, manual changes in service code to
provide more details of a particular process in the system. Later the telemetry is sent to the
OpenTelemetry Collector [
The problem of finding and analyzing anomalies is quite common in computer science and often varies depending on the domain in which the analysis takes place. For example, when reading data from sensors for further analysis, it is important to find and correct outliers. When analyzing a business process, it is sometimes necessary to find unusual events to analyze what led to them. In the domain of software reliability engineering, the topic of mean time to detect is one of the most important indicators, because if the problem is found earlier, it is fixed earlier.
Analysis of anomalous changes is already present at least in New Relic, however, it is present
at the level of individual services, not the entire system. Although there is not enough data
to confirm this, the platform analyzes metrics, including key metrics, using the Exponential
Smoothing [
An anomaly is an abnormal situation, essentially defined as a strong diference between
expected and actual measurements. Therefore, the process of finding an anomaly includes the
process of predicting the value of a certain measurement based on historical data [
The problem of finding anomalies in multivariate datasets is quite popular and critical because
little to no measurements are univariate [
Algorithms are divided into the following training approaches: • unsupervised – the dataset used for model training does not include labels indicating anomalous situations; • semi-supervised – the dataset has anomalous situations labeled; • supervised – the whole dataset is labeled, the least commonly used type of algorithm as it’s dificult to get fully labeled data.
Due to the dificulty of obtaining labeled data, unsupervised models are the most popular,
while it’s also possible to add the possibility of providing feedback and correction loop when
using models for semi-labeled datasets. As part of this work, unsupervised model is reviewed.
While “None of the unsupervised methods is statistically better than the others” [
Essentially, PCA converts the initial correlated variables into new linear combinations called principal components. The first principal component is defined in such a way that it explains the largest part of the variance of the data. Each successive principal component is chosen in such a way that it is orthogonal to the previous ones and explains the residual variance as possible.
In the case of identifying anomalies in the system, we are interested in the following information: • calls – number of incoming, outgoing, and internal calls (synchronous and asynchronous when using a queue or other message brokers) with and without errors; • duration – time spent processing requests.
To obtain the necessary data in the form of metrics, as well as to group collected data, you need to use a special connector component that transforms traces into call and duration metrics. Thus, the collector receives information about the request via the Open Telemetry Protocol (OTLP) then groups, extracts the necessary metrics to later export it.
Metrics for a certain period are collected for each of the components (resources) of the system. Metrics have diferent types of values, for example, the number of calls has the sum type that is a counter of certain events for a period and in this case is a monotonous sequence, because the number of calls never decreases.
It is also important to note that the metrics are returned as a delta (the value of aggregationTemporality is 1) and not a cumulative value, because we are interested in the number of calls in a certain period, not the absolute value. Each metric can have multiple points that represent diferent attribute-defined dimensions (dimensions are customizable), so separate counters have been set up for diferent request types (span.kind) and statuses (status.code).
Calls duration metric snippet: { "name": "duration", "unit": "ms", "histogram": { "dataPoints": [ { "attributes": [ { "key": "service.name", "value": {
"stringValue": "quoteservice" "timeUnixNano": "1685509058790174364", "asDouble": 0.006665, "spanId": "ade03fcb73f18048", "traceId": "7f6cf387237813d1f3891b5f21b09be2" } } } ] }, ], "aggregationTemporality": 1
If we take the call duration metric, then in this case we have a histogram, which is a certain aggregation of values and their distribution over intervals used for easier visualization.
But in this form, we will not be able to use this data. Firstly, all the metrics for individual services are separated and converted to time series to later be combined based on timestamp.
From the intermediate results, you can clearly see the correlation between the diferent metrics of the system components (figure 5), which is confirmed by a correlation map (figure 6).
The process of identifying anomalies occurs by splitting the data sample into two periods, the ifrst is used to train the PCA statistical model, the second is used to compare with the predicted values obtained from the model and, estimate the error for all and specific metrics.
The OpenTelemetry Demo project was used as a test system [27], which is specially designed for testing applications working with telemetry. This is a distributed system that has components built with diferent technologies that is automatically loaded using load generator service.
After some time of running the whole system the graph database has the following data (figure 7). You can see that the graph has many nodes with the type of operation (orange circles), as well as slightly fewer services (purple circles). Between them you can see the “calls” and “provides” relationships depicted as arrows.
To simplify the graph, a function from the APOC library is used [28] for Neo4j in order to visualize the graph projection and show service dependencies (figure 8).
Snippet of a virtual relationship visualization query: MATCH (r1:Resource)-[:Calls]->(:Operation)<-[:Provides]-(r2:Resource) RETURN r1, r2, apoc.create.vRelationship(r1,’DependsOn’,{}, r2) as rel
In figure 8 you can see the dependence of the checkout service on many others. To confirm
this, let’s use an application called Neo4j Bloom to visualize Local Clustering Coeficient [
In the resulting diagram (figure 9) clusters are marked with distinct colors, the dependence of services on peers is indicated with their size. From the diagram it’s also clear that the checkout service has many dependencies. This way, you can quickly analyze the architecture of the application, and clearly see parts that must be refactored to prevent a situation where the whole application halts due to a single bottleneck component.
To detect anomalies, a few hours long time interval was chosen. It has been processed using the PCA algorithm and after receiving errors for each of the time points, a visual analysis can be performed for the presence of spikes in the error values (figure 10).
As you can see in the plot, between 6:50 a.m. and 7 a.m., there were some changes that led to a relatively big error. From the error graph for each of the features, it can be seen that feature 44 (accountingservice_incomingAsync_request_duration) is involved in this error, so by conducting a more detailed analysis of the values of this metric, we can see that all values are kept near 0, while there is an outlier with a value of about 12 (figure 11).
Compared to static analysis approaches, dynamic analysis allows you to see the real picture of the entire system, all possible query paths that are used, accurately indicate the components that cause a problem in the performance of the system at particular moment, in contrast to static analysis of individual modules, which is better suited for the tasks of identifying code smells. Telemetry, in turn, allows you to combine all key indicators and add the additional context that allows you to get more information for analysis.
The practical use of a simple statistical unsupervised PCA algorithm has demonstrated the
possibility of using such a model to identify anomalies, which can greatly simplify the work of
engineers, because instead of looking on dozens of charts and responding to user messages in
support, this statistical analysis suggests the occurrence of anomalous situations in the system
automatically. When compared with the approaches of analyzing each metric of the system
separately (using appropriate statistical methods, for example, those used in NewRelic [
The paper discusses the use of telemetry for dynamic analysis of the system for anomalous events and architectural smells detection.
An analysis of the problems related to distributed systems development was carried out, which made it possible to determine the need for applications for monitoring and rapid response to problems in a large system. Studies on the use of telemetry for dynamic system analysis, which have been published in recent years, have shown the potential of this approach. The history of the system monitoring topic development and the main aspects of the latest OpenTelemetry standard were reviewed.
Later, the main data flows that are required for analysis were identified, and a model of a graph DBMS was built. The model includes the following entities: operations, resources and relationships that determine the direction of resource dependence and ownership of operations. After that, the extraction, processing and unloading telemetry using the OpenTelemetry Collector was reviewed. The main types of anomaly detection algorithms were studied and the multivariate PCA statistical method was chosen for the analysis of unlabeled telemetry data. A custom component of the collector application was developed to transform and insert information into Neo4j datastore. The necessary features to be used are defined, as well as the process of collecting appropriate the number and the duration of calls within the system to find anomalies. An algorithm for collecting metrics was described. The next part overviewed the method of using a statistical model of PCA to identify anomalies.
In the next part, aggregated graph model was used to analyze architectural smells. Several possible visualizations of the dependency graph using Neo4j, Neo4j Bloom were provided, clustering and centrality algorithms were used to visually identify problem areas in the system architecture. The results of the statistical model based on the Principal Component Analysis algorithm were also analyzed. The accuracy of this model is suficient to determine anomalous events.
The topic of telemetry usage to find bad architectural practices has potential for further
development [
If we consider other topics of telemetry usage, we cannot omit the topic of analyzing individual use cases in the application, which are sets of requests that go through a bunch of services and have variations depending on some stored state of the application, the analysis includes both the ability to evaluate performance, the number of errors of a particular use case, the ability to subscribe a certain development team to updates for a quick response in case of anomalous situations, and ability to view changes, including performance, between diferent releases. on Informatics Visualization 7 (2023) 122. doi:10.30630/joiv.7.1.1297. [27] OpenTelemetry Demo, 2023. URL: https://github.com/open-telemetry/ opentelemetry-demo. [28] Neo4j APOC Library, 2023. URL: https://neo4j.com/developer/neo4j-apoc/. [29] S. O. Semerikov, T. A. Vakaliuk, I. S. Mintii, V. A. Hamaniuk, V. N. Soloviev, O. V. Bondarenko, P. P. Nechypurenko, S. V. Shokaliuk, N. V. Moiseienko, V. R. Ruban, Development of the computer vision system based on machine learning for educational purposes, Educational Dimension 5 (2021) 8–60. doi:10.31812/educdim.4717. [30] I. A. Pilkevych, D. L. Fedorchuk, M. P. Romanchuk, O. M. Naumchak, Approach to the fake news detection using the graph neural networks, Journal of Edge Computing 2 (2023) 24–36. doi:10.55056/jec.592.