Combining traces, logs & metrics for faster triage
For modern DevOps engineers and SREs, combining traces, logs & metrics for faster triage is the difference between a 5‑minute incident and a 5‑hour war room. Metrics tell you that something is wrong, traces show you where ,…
Combining traces, logs & metrics for faster triage
For modern DevOps engineers and SREs, combining traces, logs & metrics for faster triage is the difference between a 5‑minute incident and a 5‑hour war room. Metrics tell you that something is wrong, traces show you where, and logs explain why[4]. To cut MTTR, you need to move across all three signals in seconds, not minutes.
This post walks through practical patterns, example queries and code, and architecture tips so you can turn these three pillars into a single, fast triage workflow[2][4].
Why combining traces, logs & metrics for faster triage matters
Traditional setups split signals across different tools: one for metrics, one for logs, one for traces[1]. That forces engineers to manually line up timestamps, hosts, and request IDs during an incident, which slows everything down and leads to misdiagnosis[1][2].
When you combine traces, logs & metrics for faster triage in a shared observability platform, you get:
- Single investigation path: from an alerting metric → directly into a trace → down into the exact logs for that request[1][4].
- Richer context: metrics reveal trends, traces show request paths, logs give precise error details[2][3][4].
- Lower MTTR: on‑call can move from symptom to root cause and fix in a tight loop[1][4].
Core pattern: metrics → traces → logs
The most repeatable triage pattern for SREs and DevOps teams is:
- Metrics fire an alert that something is off (latency, error rate, saturation).
- Link that alert to the slowest or most error‑prone traces.
- Jump from a given trace to logs for that same request/span using shared IDs[4].
In a checkout example, error‑rate metrics trigger an alert, traces show the payment service as the bottleneck, and logs reveal repeated gateway timeouts and payload details, allowing a quick fix[4].
What each signal does in the triage chain
- Metrics: high‑level KPIs and SLOs (p95 latency, error rate, throughput) detect and quantify the problem[3][4].
- Traces: show which service, span, or dependency is slow or failing across microservices[3][6].
- Logs: hold the stack traces, parameters, feature flags, and configuration context that explain the failure[4][6].
Example workflow: node latency regression in production
Scenario
You run a microservices architecture with Prometheus for metrics, Grafana for dashboards, Loki or Elasticsearch for logs, and Tempo/Jaeger for traces[4][7]. A new deployment just shipped.
Step 1: Start from metrics
A Prometheus alert fires: api_gateway_p95_latency > 500ms for 5m. In Grafana, you view:
histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{
service="api-gateway"
}[5m])) by (le))
You see that the p95 latency spike started immediately after the last deploy.
Step 2: Jump into traces from the dashboard
From the latency panel, you click into the “Explore traces” link with the same service="api-gateway" and time range. In Tempo/Jaeger, you filter slow requests:
service = "api-gateway" AND duration > 1s
In a representative trace, you see the following span breakdown:
api-gateway: 20msuser-service: 30mscart-service: 40mspricing-service: 900ms ← clear bottleneck
Now you know where the problem is: the pricing-service span in the trace is dominating total latency[3][4].
Step 3: From trace to logs using IDs
The trace viewer shows a trace_id and span_id. Because all services propagate these IDs into their logs, you can pivot:
{service="pricing-service", trace_id="7af...c12"}
In Loki or Elasticsearch, you instantly see logs for that slow request. The log lines show a repeated warning:
WARN Timeout calling discount-engine
field=experiment_a enabled=true
timeout_ms=800
Now you have the why: a new call to discount-engine introduced an 800ms timeout inside pricing-service. The trace tells you what span is slow, and the log tells you which dependency and configuration caused it[4].
Step 4: Fix, then validate with all three signals
- Lower the timeout and add a circuit‑breaker or cache.
- Redeploy.
- Watch the latency metric return to baseline, confirm traces now show a ~60ms pricing span, and check logs for successful calls without timeouts[4].
This tightly integrated loop is exactly how combining traces, logs & metrics for faster triage shrinks incident timelines.
Instrumentation: getting the right IDs everywhere
The key to combining traces, logs & metrics for faster triage is consistent correlation metadata across all telemetry[1][6][9]. Without it, you are back to guessing by timestamps.
Propagate trace IDs into logs
Most modern tracing libraries (OpenTelemetry, OpenTracing‑based APMs) maintain a context that includes trace_id and span_id[6][7]. You should inject these into every log line.
Example in Go with OpenTelemetry and a structured logger:
logger := log.With().Str("service", "pricing-service").Logger()
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
span := trace.SpanFromContext(ctx)
sc := span.SpanContext()
log := logger.With().
Str("trace_id", sc.TraceID().String()).
Str("span_id", sc.SpanID().String()).
Logger()
log.Info().Msg("processing pricing request")
// ...
}
Now searching logs by trace_id in your log backend lines up with trace views in your APM/Tempo/Jaeger.
Tag metrics with the same dimensions
Similarly, metrics should be tagged/labelled with fields that match your traces and logs: service, env, version, and sometimes region or tenant[1][5]. This allows dashboards and alerts to drill down along the same dimensions across all three signals.
For Prometheus in Go:
var httpDuration = prometheus.NewHistogramVec(
prometheus.HistogramOpts{
Name: "http_request_duration_seconds",
Help: "Request duration",
},
[]string{"service", "route", "status"},
)
func handler(w http.ResponseWriter, r *http.Request) {
start := time.Now()
// handle request...
duration := time.Since(start).Seconds()
httpDuration.WithLabelValues("pricing-service", "/price", "200").Observe(duration)
}
Dashboards that use these labels can be linked directly to traces filtered by service="pricing-service" and route="/price"[4][7].