[AdieuToLogic]

This post falls into a common trap; conflating logging with metrics.

Log interesting things, where interesting is defined as context outside what the "happy path" execution performs.

Collect and make available system metrics, such as invocation counts, processing time histograms, etc., to make available what the post uses log statements to disseminate same.

[JohnScolaro]

Thanks for taking the time to reply! I'm relatively new to working on this type of system (large scale, event driven) and half posted because I know there are people on HN way better than me at this, and was curious about their opinions.

In the end, what's the difference between a log and a metric? Is one structured, and one unstructured? Is one a giant blob of text, and the other stored in a time series db? At the moment I guess I'm "logging my metrics" with structured logs going into Loki which can then unwrap and plot things.

You and the other commenters have given me the vocabulary to dig more into this area on the internet though. Thanks!

[Daneel_]

As a person who has worked in and around logging and big data processing for 16 years now, including almost a decade working as a senior in professional services (currently a global security architect) directly for one of the largest big data companies, here is my opinion on logs vs metrics:

A log entry should capture an event in time, for example: a person logging in, a failure, a record of a notable event occurring, etc. These should be written at the time they occur when possible, to minimise chance of loss and to minimise delay for any downstream systems that might consume the logs. Arguments for batching could easily be made for systems generating very high volumes of logs.

Conversely, a metric is a single value, point-in-time capture of the size of something, measured in units or with a dimension. For example: current queue depth, number of records processed per second, data transfer rate in MB/s, cpu consumption percentage, etc. These can/should be written periodically, as mentioned in TFA.

[AdieuToLogic]

> In the end, what's the difference between a log and a metric?

Essentially, a log entry is the emission of state known by an individual code execution path at the point the log entry can be produced, whereas a metric is a measurement of a specific runtime execution performed by the system.

For example, a log entry of:

  module_logger.info(
    f"Processed {num_events_processed_since_last_log} events."
    )

Emits a log entry capturing the processing state known when the statement is evaluated. What it does not do is separate this information (a time-based attribute in this case) from other log entries, such as "malformed event detected" or "database connection failed."

More importantly, putting metrics into log entries forces timing to include log I/O, requires metrics analysis systems to parse all log entries, and limits the type of metrics which can be reported to be those expressible in a message text field.

Maybe most important of all, however, is that metrics collection and reporting is orthogonal to logging. So in the example above, if the log level were set to "error", then there would be no log-based metric emitted.

[danpalmer]

This is a reasonable first pass answer, but there's more nuance to this...

> What it does not do is separate this information

Logging at scale should really be structured, which means that you can trivially differentiate between different types of log message. You also get more dimensions all represented in that structure.

> limits the type of metrics which can be reported to be those expressible in a message text field

This is another example, logging shouldn't be text based ideally. You might have a summary human readable field, but metrics can easily be attributes on the log message.

The more I work in this area the more I'm realising that logs and metrics are pretty interchangeable. There are trade-offs for each absolutely, but you can convert logs into metrics easily (Datadog does this), and with a bit more effort you could turn a metric into logs if you wanted to (querying metrics as rows in a SQL database is handy!).

Metrics collection is also not necessarily orthogonal to logging, it depends on your system. From a server, you might have logs pushed to an external source and metrics pulled from the server by Prometheus, but that's just implementation details. You can also have logs pulled from log files, and metrics pushed to a statsd endpoint.

I've worked on mobile apps where metrics get aggregated locally and then pushed as log events to the server with one log event per metric and dimension set, only for the server to then typically turn them back into metrics.

It's good to understand the tradeoffs, the technology, whether you're using push or pull, where data is spooled or aggregated, data costs, etc. But this stuff is all pretty malleable and there's often no clearly right answer.

[lillecarl]

I think what you're saying is that you can make a logging system LARP metrics. At the end it's logging on fd 1 and 2 and metrics are usually over http, but ofc you can dump "metrics" into stout, it's not as practical with what tools are built for what.

In my local fun projects that run on my machine I might dump metrics into the logs because it's practical, but it doesn't make it "right".

[danpalmer]

I log over RPC and send metrics over RPC, thinking about logs being to a file descriptor and metrics being over HTTP is focusing too much on a particular implementation and not enough on the concepts.

Also it's not about logs role playing as metrics, I'm saying you can literally turn one into the other, in both cases, and there are valid use cases for that.

[jabjq]

You shouldn’t use f-strings with logging.

[kstrauser]

I know and understand the reasons for that rule, but it’s one of the first ones I disable in linters. The theoretical benefits in the context of the systems I work on aren’t worth the extra friction.

[vorgol]

> I'm relatively new to working on this type of system.

> In the end, what's the difference between a log and a metric?

Don't let me put you down, but writing a logging advisory blog post when you don't know the difference between a log and a metric seems like a peculiar thing to do.

But I'm not shaming lack of knowledge, we all had to learn somehow.

[martin-t]

IMO the reasonable compromise if write the post but make your experience level clear and make it clear you're effectively asking for advice.

Very few people do that though.

[btown]

The question is whether you want to do your aggregation by unit time at the application level, or at an observability layer. You're absolutely right that the end user of metrics wants to see things grouped by time - but what if they want to filter down to "events where attribute X had value Y, in 10 second increments" but you had decided to group your metrics by 15 second increments without regard to attribute X?

Various companies, both in-house for big tech and then making this more widely accessible, started to answer this question by saying "pump all your individual logs in structured form into a giant columnar database that can handle nearly arbitrary numbers of columns, and we'll handle letting you slice and dice metrics out of any combination of columns you want. And if you have an ID follow the session around between different microservices, and maybe even all the way to the browser session, you can track the entire distributed system."

Different people might say that Datadog, Honeycomb, or Clickhouse (and the various startups backed by Clickhouse as a database) were the ones to make this pattern mainstream, and all of them pushed the boundaries in one way or another - nowadays, there's a whole https://opentelemetry.io/ standard, and if you emit according to that, you can plug in various sinks made by various startups, and choose the metrics UX that makes the most sense for your use case.

I'm a huge fan of Honeycomb - when I know a certain issue is happening, I can immediately see a chart showing latencies and frequencies, and click any hot spot to filter out the individual traces that exhibit the behavior and trace the end-to-end user journey, with all the different logs from all the systems touched by that request. And I can even begin this discovery from a single bug report by a single user whose ID I know. It's not just metrics - it's operational support. And if I'd pre-aggregated logs, I'd have none of this.

But of course, there are systems where this doesn't make sense! Large batch jobs, high-performance systems with orders of magnitudes more events than a standard web application... it's not one size fits all. That said, I think knowing about modern observability should be part of every developer's toolkit.

[ants_everywhere]

I love how open and non-defensive this comment is :)

There are a few ways to slice this, but one is that logs are human-readable print statements and are often per-task. E.g. if you have 100 machines, you don't want to co-mingle their logs because that will make it harder to debug a failure. Metrics are statistics and are often aggregated across tasks. But there are also per-task metrics like cpu usage, io usage etc.

They can both be structured to some extent. Often storage strategies might differ but not necessarily. I think at Google the evolution of structured logging was probably something like (1) printf some stuff, (2) build tooling to scrape and combine the logs, (3) we're good at searching, but searching would be easier if we just logged some protos.

I think logs are basically self-explanatory since everything logs. To understand why you would want separate metrics, consider computing the average cpu utilization for your app across a fleet of machines. You don't want to do that by printf the CPU usage, grep-ing all the logs, etc. You could try to do that with structured logs, and I'm sure some structured logs SaSS companies would advocate that.

If you're new to this space, I really liked the book Designing Data-Intensive Applications.

There's also tracing

[pnt12]

A quick summary that does it for me: a log is something you read, a metric is something you measure.

Usecases:

Log: search, get context, read

Metric: measure, plot dashboards, define alerts

My theory for the concepts being so mixed up together: you use both to troubleshoot, and I think the old school way to emit metrics was to parse logs and turn that into measures.

[omalled]

You might want to check out this very nice article on reservoir sampling, which discusses its application to logging: https://samwho.dev/reservoir-sampling/

[nixpulvis]

I'm not sure I want to weigh in on "log" vs "metric"... but I did want to add some thoughts on logs in general.

If you need to "log" something to give users feedback as the system is running, it may be less of a log and more of a progress or status output.

Logs to me are things which happen and I want to be able to trace later, so summarizing or otherwise dropping logs that come in quickly in succession would be a problem. If I need to filter I pipe to grep, otherwise I can just save it all and read through it later.

Status messaging, which may be informative about your process is useful, and if its goal is to be observed real-time, then yea. A message or two a second seems like a good goal for consistency.

These are just two very different use cases to me. And generally I find the former critical to get right, while the later may be nice to have and may lead to discovery by nature of making it more accessible.

[lelanthran]

> In the end, what's the difference between a log and a metric?

The goals. The goals of the activity is the difference.

The goal of logging is diagnostics and trouble-shooting (when did this break, how often do we see this type of failure, etc).

The goal of metrics is to aid in capacity planning (are we close to running out of RAM, do we exceed 80% CPU too often, etc).

> You and the other commenters have given me the vocabulary to dig more into this area on the internet though.

Read this first; it is a short read (taxonomy of logging, basically): https://www.lelanthran.com/chap10/content.html

[_kb]

The breakdown used by OTel isn’t all that bad: https://opentelemetry.io/docs/concepts/signals/

In essence:

Logs mark some event in the system.

Metrics model some measurable, quantifiable state.

In high volume systems both can then be observed through various sampling techniques. A key item is that sampling is good to handle separately to application logic creating those signals as it may change over time or be dynamic.

[incorrecthorse]

I think the common confusion boils down to:

> The moment of capturing a measurement is known as a metric event

Which suspiciously reads like a log.

In practice, a metric is an aggregate of events (the "metric events") when you're not interested in the individual event but, but in the aggregate itself. For practical reasons this is not implemented with logs but with more primitive technical events emission.

This is not fundamentally incompatible notions. If you do an electrocardiogram, you might be interested in your BPM, but it is deduced by the full log of each beat. The segregation we do in computing is more practical than fundamental.

[_kb]

Completely agree on the confusing terminology there. IMO that should be:

> The moment of capturing a measurement is known as a metric sample.

The mental model I hold is the metric is the actual value. This may be discrete (e.g. a packet counter) or some continuous value (e.g. a voltage in you ECG example). It can then be observed at some time/value delta interval or summarised into other time series based on what you're hoping to capture.

[vasco]

Read the SRE book, maybe some of the highlight posts only. It will give you the right jargon and a lot of wisdom that you can then simplify for your use cases.

[delusional]

> This post falls into a common trap; conflating logging with metrics.

This isn't as much "conflating" as it is constructing an ad hoc metrics subsystem that exports the metrics to the logs.

There's no theoretical difference between exposing a prometheus endpoint that's scraped every x seconds and printing the same data to the logs every x seconds.

[aflag]

I thought the post was nice. I've written scripts before where I'd just print by count and be overwhelmed. I should've just used time instead of changing the count number

[Too]

One exception to this is batch scripts and other cli tools with a clear start and end, like an installer, rsync, curl, dd, etc. Setting up metrics here is way overkill and the user may still be interested in the progress. Easiest made available through logs. Curses UI could be a nice middle ground but also very often overkill.

[jonhohle]

I enjoyed our metrics systems at Amazon’s and wrote one with a similar API at Okta and should really look at writing another one to open source.

One of the huge missing things in metrics systems, imho, is keeping granular metrics in the context of a business operation and then using late aggregation for trends. Last I looked nearly every metrics systems either logged individual events and and required processing for any rollup or aggregated too early and you couldn’t determine the effect on any individual operation/request. There’s a happy medium where you can get per-request counts, stats, and timing and still roll those up at the host/data center/region/granularity to get higher level trends.

Most metrics APIs are incompatible with this idea, however.

[Baarsgaard]

You're likely talking about "wide events" Which is essentially as many dimensions as possible attached to an event. I believe Meta was the one to develop an internal tool for handling this named Scuba.

[kixelated]

Absolutely.

Logs should be bursty, because they're most useful when debugging rare issues. If you have identical log lines, then that should have been a metric instead.

Metrics should be sampled based on frequency, because they deduplicate. I'm a huge fan of logarithmically sampling metrics.

[bravesoul2]

Metrics are way quicker to query due to aggregations and tend to be more stable as features change.

It's good to save metrics for things that remain true under arbitrary aggregations. E.g. sum, count, maximum and avoid things that do not survive aggregations such as percentiles.

[ejs]

I built a system for collecting metrics via logs and has worked well for my apps when I don't want to set up a whole separate system for it.

[jillesvangurp]

Filter and aggregate after you log your metrics, traces, log messages, etc.; not before.

You can worry about data retention, rollups, and other strategies for limiting data storage separately from the systems that emit the data.

At least with the right data stores. I kind of like what opensearch and elasticsearch do for this. In Elasticsearch you have a data stream. You configure it to roll over based on time or data size. Once rolled over, indices are read only; new data appends to the current one. You then can define life cycle policies to decide what to do with the old ones and e.g. move them to cold storage, transform them with rollups, and eventually delete them.

With application logging, you typically assign different log levels. Trace and debug are typically disabled in production (or should be). Info can be quite noisy. Warn tends to be repetitive (because developers tend to ignore warnings and will never fix them). Errors should be rare.

I have my system configured to start emailing me if errors get logged. An error means something is broken and needs to be fixed. Zero tolerance on errors. When an error happens, all the other log information provides me context. So there's value in retaining that. But only for a few days at best. Long enough to survive a weekend or things like Christmas. But after that it's just noise. I have a hard cut at about two weeks. Some places you need to store stuff longer for ass coverage reasons.

Data retention comes at a price of course. I've seen companies log ginormous amounts of data and ignoring all their errors. 30GB per day. Absolutely appalling. Me: it looks like your database layer is erroring non stop (constraint violations and worse); you might want to do something about that. Them, ah no that's just normal we just ignore it (php shop, incompetence was the norm). Me: so how do you know when something breaks?! Them: ......?!

My well paid consulting gig was beating some sense into this operation as one of the managers noticed they were spending hundreds of thousands per year on this nonsense. My fee was a rounding error on that. Easiest job ever. But kind of cringe worthy once I started looking into what they were actually doing and why. Mostly it's just, "yeah some guy set that up once and then we never looked at it and he left. What are you going to do?!". There was a lot of that with this company. Just absolutely nobody that even cared about the waste of resources or getting any meaningful feedback from their logging. If that's your team, you need to do something about it. That's your job and your not doing it well. If you need an external consultant to tell you, you might want to reflect on the notion of majorly shaking things up a bit.