The Architect

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

Appearance

Chapter 15: The Cardinality Blindness That Pierced the All-Seeing Eye

Spring 2013. Redmond, GenesisSoft Building 113, the War Room that had witnessed countless system crashes.

As the business skyrocketed globally, Hello World had been split into over three hundred microservices. Tens of thousands of servers interacted frantically across transatlantic networks between North America and Europe. In this incredibly complex Directed Acyclic Graph (DAG) with no central node, the only thing that allowed Simon Li and the engineers to see the full picture of the system was a distributed time-series monitoring system they had spent heavily to develop in-house, named "Aegis".

"Aegis" was like an all-seeing sky eye with billions of eyes, staring relentlessly at all the servers.

"Look, Simon." Dave, the Director of Operations, pointed proudly at a giant four-dimensional data screen that occupied an entire wall.

On the screen, countless curves traced the health of thousands of microservices in real time. "Aegis pulls global monitoring metrics every 10 seconds. We can slice the data anytime through multi-dimensional tags! This is way better than old-school log analysis."

If Simon Li wanted to know "the number of HTTP 500 errors in the past hour for the checkout API deployed in the NYC data center with version 14.2", he only needed to assemble these tags in the console (status=500, region=nyc, version=14.2, api=/checkout), and the underlying Time-Series Database (TSDB) would pull up a perfect curve in less than a second.

This infinitely dimensional tagging mechanism turned troubleshooting microservice failures into an incredibly elegant dimensionality reduction strike.

Simon Li took a sip of black coffee and nodded with satisfaction. "With this slicing capability, we no longer have to blindly grep keywords in oceans of logs. The system is completely transparent."

But in this carnival fueled by data metrics, a system-level "cancer"—far more hidden and deadly than the "database deadlocks" of the past—was quietly developing at the foundation of their proud monitoring eye.

The catalyst for the disaster was a seemingly ordinary Growth Hacker request.

To track personalized user conversion rates, the marketing department requested a new, extremely tiny monitoring probe to be added to the frontend redirection gateway.

"Marketing wants to know exactly which user's shared link brings in the most registrations," the big data engineer proposed during a meeting. "It's simple. When the gateway sends the Request TPS to Aegis, we just add one more tag: user_id."

"That way, we can see the traffic curve for metric="http_request", status=200, user_id="10001" on the big screen! Perfect slicing!"

In the technical blind spot of that era, no one thought adding an extra tag was a big deal. After all, a Time-Series Database (TSDB) was famous for its exceptionally high write throughput, and since it only stored numbers, it was assumed it could handle anything.

When this line of monitoring code carrying the user_id tag was pushed to the production environment, Simon Li wasn't paying attention. He was dealing with another under-the-hood database refactoring.

Fifteen minutes after the code went live. 11:45 PM.

"WEE-WOO-WEE-WOO!"

The War Room erupted in a piercing air-raid siren, more urgent than ever before. It wasn't an application service going down; instead, the giant monitoring screen occupying the entire wall suddenly began to violently flicker and glitch!

"Simon! The Eye is blind!" Dave's terrified scream tore through the night.

Simon Li rushed into the War Room, stunned by the sight. The massive screen that used to draw global real-time conditions in a second now had all its curves frozen fifteen minutes in the past. All dashboards had turned into a gray N/A (Data Not Available).

"The Aegis system is down?! Isn't it backed by a cluster of hundreds of machines?" Simon Li typed furiously on his keyboard. "We've completely lost sight of those three hundred microservices! If we're being hacked, we wouldn't even be able to see it!"

"We're not being attacked! The business services are alive and well, CPUs are relatively idle!" Dave, sweating profusely, pulled up the status of the TSDB servers underlying Aegis. "But... but Aegis's database, its memory is completely blown out! It's OOMing (Out of Memory) like crazy!"

Simon Li's heart sank. His Synesthesia vision instantly activated.

In Simon Li's mind, an incredibly terrifying and dizzying high-dimensional disaster unfolded.

This was not a traffic spike. The raw volume of data (simple numerical writes) received by the Aegis backend wasn't even higher than usual. But within the core engine of the time-series database, a multi-dimensional spatial expansion more terrifying than the Big Bang was occurring.

In the design of a time-series database (such as the later Prometheus), a unique Time Series is formed collectively by a Metric Name and all its accompanying Key-Value Tags, functioning as an Inverted Index.

Before the disaster hit: If there were only region=nyc and region=la, plus status=200 and status=500, the combined possibilities (the Cardinality) were extremely controllable: 2 x 2 = 4 time series. The TSDB only needed to maintain pointers to 4 extremely lightweight data structures in memory—an effortless task.

But fifteen minutes ago, the tag that was forcibly stuffed in to satisfy marketing's request was an exceptionally wild variable: user_id.

At GenesisSoft, how large was the active user_id base? Three hundred million!

When these 300 million unique user IDs were combined as a tag... In Simon Li's synesthetic vision, the highway that originally had 4 distinct lanes suddenly, with a deafening "BOOM," cracked like aggressive cancer cells, violently splintering into 300 million parallel highways!

Every passing second, as different users sent requests, the database was forced to create a brand new, isolated memory data structure (Chunk/Series Object) for this user inside its in-memory inverted index tree.

This is a High Cardinality Explosion!

"This is insane! Completely insane! Who the fuck allowed product devs to add a user_id monitoring tag to HTTP requests?!" Simon Li roared, staring at the memory utilization curves on the screen that vaulted straight past the 128GB single-machine limit.

"It was a marketing requirement!" Dave shouted back over the blaring sirens. "It's just an extra string being passed, why would it crash hundreds of machines' memory?!"

"Because this isn't an ordinary string! It's a multiplier of 300 million combinations!"

Simon Li's eyes flashed with extreme fury at the abuse of architectural characteristics. "A time-series database is meant for tracking macro dimensions (like data centers, error codes), it is a weapon of Aggregation! You actually tried to stuff microscopic, row-level details of every single user into its indexes as a dimension!"

"You idiots literally spawned an n-dimensional hypercube with a billion-scale cardinality right in our RAM!"

This was the most horrific way for a monitoring system to die. Under the crushing weight of 300 million time lines, the dozens of TSDB servers at the base of Aegis exhausted all their indexing capabilities trying to maintain that tiny write slot for every possible user. Furthermore, during the periodic disk compactions (GC) triggered by tag churn, the CPU and memory were completely drained, leading to a hard crash.

The monitoring system collapsed. It became a blind-flying empire. Meanwhile, the actual business servers of the empire were still running normally.

If a physical server room lost power right now, a blind-flying Simon Li would know absolutely nothing about it.

"Cut it off! Immediately choke all data scraping routes destined for the Aegis system at the gateway level!" Simon Li made the decisive but helpless call.

He had to sever the source of the poison before he could go in and flush the contaminated memory pools.

"Then we won't be able to see anything at all!" Silas Horn swallowed nervously.

"Better blind than watching alarms ring constantly and making a wrong move out of sheer panic!" Simon Li hit the block button with zero hesitation.

The entire floor plunged into a desperate "black box moment."

For the next three hours, the GenesisSoft SRE team walked through a minefield with their eyes closed. They emergency-restarted the Aegis TSDB cluster, and violently slapped a regex Drop Rule on the receiving end: any data packet daring to carry high-entropy tags like user_id or session_id was to be discarded wholesale in memory!

When the blind flight ended. By the time the giant monitoring screen covering the wall lit up again, it was 3:00 AM.

The smooth, aggregated macro curves reappeared.

"We survived..." Dave slumped exhausted over his desk. "But that requirement marketing wanted—the one tracking specific user click-through rates—is completely dead."

"Go tell marketing that if they want to run analytics on microscopic user behavioral traits, they need to go use the big data batch processing system (Hadoop/Spark), or dump it into a columnar data warehouse capable of massive full-table scans (OLAP/ClickHouse). Tell them to look at their reports tomorrow morning!"

Simon Li turned around and wrote four words on the whiteboard with a thick red marker in thick, bloody letters: Control Cardinality.

He stared at the host of microservices that had just barely survived a digital cancer outbreak.

From this moment on, the "cardinality limit of monitoring systems" became one of the highest taboos in the entire distributed cloud-native architecture. Any developer who dared to expose uncontrollable variables (like full URL paths, UUIDs) into Prometheus would face the most severe execution by the architects before their code could ever be merged.

Because Simon Li knew better than anyone. The ocean of microservices had already become unfathomably deep. In this swamp where even the Eye of God could be blinded at any moment, human engineers trying to manage massive topologies with their limited brains were on the verge of total defeat.

The next disaster... Would not be hardware. Would not be retries. Would not be monitoring. It would be the terrifying projection of the Organization’s own twisted nature onto the architecture—

A massive, bloated "Monster Middle-Platform", integrating everyone's greed and laziness. The filthiest Big Ball of Mud in the system, preparing to fully detonate in Chapter 16.

Architecture Decision Record (ADR) & Post-Mortem

Document ID: PM-2013-04-12 Severity Level: SEV-2 (Global monitoring system down, SRE operated in blind-flight for 3 hours, core business uninterrupted) Lead: Simon Li (Principal Engineer)

1. What Happened? (Incident) To satisfy marketing's need for real-time observation of micro-level data, the product team added a new Tag named user_id to the global basic request monitoring scrape. Although this deployment did not directly impact the business microservices, within 15 minutes, it caused the underlying "Aegis" Time-Series Database (TSDB) to suffer a massive cluster-wide crash due to Out of Memory (OOM) errors. This plunged the company's entire global visualization monitoring system into total darkness.

2. Root Cause Analysis (5 Whys)

  • Why 1: Why did the monitoring system die from an OOM? Because the underlying TSDB consumed a horrific amount of RAM resources while maintaining its indexes.
  • Why 2: Why doesn't it overflow normally, but did with the new code? Because user_id is an unbounded variable with 300 million hash values (active users).
  • Why 3: Why is an unbounded variable so deadly? Time-series databases rely on Time Series for data storage. Every unique time series consists of (Metric Name + all variant Tag combinations). Forcibly injecting a hash key on a 300-million scale immediately triggered a High Cardinality Explosion.
  • Why 4: What physical action did the cardinality explosion trigger? To support millions to tens of millions of unique time series, the TSDB was forced to maintain enormous inverted index nodes in memory. Upon receiving writes and performing disk compactions (GC), the ultra-high-entropy metadata operations caused a physical avalanche of CPU and RAM usage.
  • Why 5: Why was this requirement unreasonable? A severe architectural misalignment occurred: a system strictly designed for macro-trend aggregation observability (Metrics) was mistakenly treated as an online analytical tracking (Logs/Events/OLAP) system meant for granular distinct points.

3. Action Items & Architecture Decision (ADR)

  • Immediate Mitigation (Workaround): Proactively tripped the upstream reporting network at the gateway level. Cleared the crashed TSDB RAM and restarted the cluster; pushed an emergency Relabel rule to forcefully drop any incoming payloads containing user_id.
  • Long-term Fix (Architecture Refactoring):
    • ADR-015: Enact the Company-wide "Distributed Observability Cardinality Iron Law"
    • Hard Ban: It is absolutely forbidden to inject any unbounded, discrete dynamic variable as a Label (e.g., user_id, email, session_uuid, full_raw_url) into any Metrics probe (like Prometheus Counter/Gauge).
    • Boundary Convergence: The values of tags MUST be extremely limited and enumerable (e.g., HTTP methods only have GET/POST; status codes are limited to a dozen like 200/500/404).
    • Heterogeneous Observability Layering: If fine-grained Tracing logs are truly needed to locate a specific person, one must adopt and only emit events toward an independent distributed logging system (ELK Stack) or distributed tracing system (Jaeger/Zipkin) meant to weather massive detail data, never polluting the core Metrics dashboards built for alerting and saving lives.

4. Blast Radius & Trade-offs Although this blind-flight only killed the monitoring side and did not compromise the main payment engine, the vulnerability of the system during those three unseen hours bordered on "playing dice with God." This incident served as a monumental wake-up call for subsequent cloud-native engineers: in highly decoupled systems, a monitoring system is not an infinite black hole capable of absorbing all types of information density. One must self-amputate fine-grained data via the architectural red line of "Finite Cardinality" to ensure the monitoring dashboards remain unyielding in the face of extreme traffic assaults.

Architect's Note: Bridging Past and Present System Design

1. Puncturing the Arteries of TSDBs: The High Cardinality Problem In the eyes of junior engineers who haven't operated massive-scale monitoring systems, "just saving one more field" doesn't seem like a big deal. But if this happens against a Time-Series Database (e.g., modern industry-standard Prometheus, or InfluxDB), an unmitigated disaster follows. Metrics are the engines that "aggregate oceans of requests into statistical charts"; their value is in "telling the country what Single's Day's QPS is within 1 second." Therefore, the underlying inverted dicts are built on combinations. If a junior dev adds a label called path to http_requests_total, and that path includes a user's unique query parameter (like api/v1/user/1024/info), it forcefully spawns hundreds of millions of unique Time Series in RAM for that high traffic (Extreme High Cardinality). A healthy system should simply aggregate an endpoint like api/v1/user/{id}/info into one single series. This is exactly why in any upper-level SRE interview today, questions on "how to prevent and troubleshoot Prometheus memory blizzards" are mandatory territory—the root of all evil is almost always a developer quietly slipping in a cursed UUID tag.

2. The Three Pillars of Modern Cloud-Native Observability Following this blind-flight, Simon Li effectively drew an impassable moat around system monitoring needs—which directly maps to the core observability theories underpinning modern Kubernetes and modern system design today: The Three Pillars of Observability:

  • Metrics: High-frequency, aggregated macro data, with strict limits on tag counts. Used to instantly "trigger alarms and show broad-stroke curves" when something goes wrong. Cannot store detailed micro-individuals. (The mission of Prometheus).
  • Logs: Contains extremely detailed stack traces for a single user or a specific error. Massive volume, incredibly slow to search, but serves to "provide the murder weapon for visual inspection" after an alarm fires. (The mission of ELK / Loki).
  • Tracing: Bundles an entire chain of requests across 50 blindly interconnected microservices into a unified trace, plotting a Gantt-chart-like waterfall. Used to "figure out exactly which network line the request died on." (The mission of OpenTelemetry / SkyWalking). Any architectural delusion of using one of these trump cards to mutate and store the data of another pillar will be swiftly consumed by the immense physical cardinality baseline of distributed systems.