There's significant debate around observability effectiveness and applying data filters to vendor streams to reduce costs. While cost management matters, I believe the community is missing the bigger picture. We should be asking: "What value does observability truly deliver? Are we using the right solution, or is something essential missing?"
The Case for Composability
There's significant debate around observability effectiveness and applying data filters to vendor streams to reduce costs. While cost management matters, I believe the community is missing the bigger picture. We should be asking: "What value does observability truly deliver? Are we using the right solution, or is something essential missing?"
The hard truth is that observability currently doesn't offer enough value. It needs to be composable, and I'll explain why.
The Million-Dollar Question
Six years ago, I found myself in a room with executives celebrating a major win - upgrading a client from a $4-6 million annual commitment to $10-12 million. I raised concerns that observability seemed like expensive insurance for production monitoring. To justify that investment, we needed to identify more use cases and deliver additional value to customers.
I embarked on what I can only call a "feature journey," searching for standout tools that would make observability truly indispensable. In retrospect, we didn't fully achieve that goal.
Don't misunderstand - observability has matured and delivers value during incidents and when engineers need to answer questions like "have we ever experienced downtime in this scenario?" or "how much did that outage impact users?" However, legacy vendor solutions face two key challenges:
Telemetry data extends beyond what any single vendor's agents emit
The most valuable telemetry data use cases require support for real-time or run-time decision-making
The Limitations Exposed
It's inevitable that we'll need more insights than a vendor can provide, and two key use cases illustrate this gap: Root Cause Analysis: For effective analysis, we need detailed dependency maps showing which database instance an app instance in a mesh is interacting with. Most traditional vendors struggle with this, while eBPF vendors are making better progress on topology mapping.
Braided Context: To link error logs to traces, we need to tag data with agent IDs before emission. Some vendors can support this, but only after modifying their products to enable this type of braiding.
The key idea is that OpenTelemetry and eBPF can address these challenges either while data remains within the detection agent on the host or during transit through the network in real time. I've seen numerous use cases go unsolved because they were deemed "too expensive" to address in the cloud after all the data had been transmitted from the customer's network, or because the necessary signals weren't captured early enough - making the answer impossible to compute.
Beyond Technical Monitoring
There are more use cases than just these two. SecOps teams need to know if vulnerable libraries are being used in production systems, exposing them to attack risks. eBPF-based solutions can detect this effectively, but why should security products recreate the entire monitoring chain just to alert SecOps engineers? And why alert SecOps at all when developers must patch the code? Furthermore, if vulnerabilities are severe enough, can SecOps block deployment to production? Usually not, because the necessary integrations don't exist.
What Composable Observability Looks Like
What is needed is a programmable platform to manage not just telemetry data but the decisions being made when observing that data.
For the SecOps example, I would leverage a "composable observability" platform to store and manage a lookup table of MITRE vulnerabilities, linking them to library data emitted by applications during startup. If my observability vendor didn't capture this data, I'd incorporate eBPF to gather the missing information and forward it to my platform. Additionally, I could capture events when vulnerabilities are loaded into production systems and route those events back to a handler component that would prevent deployments in my CI/CD pipeline until the vulnerability is resolved.
For dependency discovery in root cause analysis, I would use eBPF across every host and container in my environment to map socket endpoints. This communication map would be invaluable for managing alerts, slowdowns, or error rate spikes. By traversing the map, I could identify related signals from other components in my architecture, providing a comprehensive view for the user. This solution would need to reside in-memory, combining signals that arrive at different times from different components.
AIOps tools like Moogsoft attempt to build this map using statistical analysis of data from observability vendors. I've tried to create this same map with similar methods, but it doesn't work reliably enough to be integrated into a decision-making system that can automatically take corrective actions.
Why Composability Matters
Composable observability means harnessing the signals from telemetry data, enhancing them, and building intelligence until you can act directly from the data—without human intervention.
Why must observability be composable? Because combining different approaches is essential for meaningful results. Sometimes you need information only eBPF can capture. Other times, you need to merge multiple signals arriving at different times, requiring buffers to hold everything together. You may also need to reroute, rewrite, or manipulate data during processing.
Data filtration is just one use case. OpenTelemetry provides the foundation for enabling composability. We need to move beyond passive observation (where value depends on humans spotting issues on dashboards) into decision-making. This requires complex systems integrating buffers, ETL, data routers, and event brokers—all working together to trigger the right actions at the right time.
Watch for the next article, where I dive into the technical details of what makes composability possible.
Thoughts? Join us on slack: MyDecisive community slack
Ari
'%3e%3cpath%20d='M23.522%206.18541C23.3863%205.67482%2023.1189%205.20883%2022.7465%204.83407C22.3741%204.4593%2021.9099%204.18891%2021.4002%204.04996C19.5238%203.54541%2012.0238%203.54541%2012.0238%203.54541C12.0238%203.54541%204.5238%203.54541%202.64744%204.04996C2.13773%204.18891%201.67346%204.4593%201.30109%204.83407C0.92872%205.20883%200.661309%205.67482%200.525622%206.18541C0.0238038%208.06996%200.0238037%2012%200.0238037%2012C0.0238037%2012%200.0238038%2015.93%200.525622%2017.8145C0.661309%2018.3251%200.92872%2018.7911%201.30109%2019.1658C1.67346%2019.5406%202.13773%2019.811%202.64744%2019.95C4.5238%2020.4545%2012.0238%2020.4545%2012.0238%2020.4545C12.0238%2020.4545%2019.5238%2020.4545%2021.4002%2019.95C21.9099%2019.811%2022.3741%2019.5406%2022.7465%2019.1658C23.1189%2018.7911%2023.3863%2018.3251%2023.522%2017.8145C24.0238%2015.93%2024.0238%2012%2024.0238%2012C24.0238%2012%2024.0238%208.06996%2023.522%206.18541Z'%20fill='%23FF0302'/%3e%3cpath%20d='M9.56927%2015.5687V8.4314L15.842%2012L9.56927%2015.5687Z'%20fill='%23FEFEFE'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_15_328'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.14016%2015.118C5.14016%2016.4976%204.0252%2017.6125%202.64567%2017.6125C1.26614%2017.6125%200.151181%2016.4976%200.151181%2015.118C0.151181%2013.7385%201.26614%2012.6235%202.64567%2012.6235H5.14016V15.118ZM6.3874%2015.118C6.3874%2013.7385%207.50236%2012.6235%208.88189%2012.6235C10.2614%2012.6235%2011.3764%2013.7385%2011.3764%2015.118V21.3542C11.3764%2022.7338%2010.2614%2023.8487%208.88189%2023.8487C7.50236%2023.8487%206.3874%2022.7338%206.3874%2021.3542V15.118Z'%20fill='%23E01E5A'/%3e%3cpath%20d='M8.88189%205.10226C7.50236%205.10226%206.3874%203.9873%206.3874%202.60777C6.3874%201.22824%207.50236%200.113281%208.88189%200.113281C10.2614%200.113281%2011.3764%201.22824%2011.3764%202.60777V5.10226H8.88189ZM8.88189%206.3684C10.2614%206.3684%2011.3764%207.48336%2011.3764%208.86289C11.3764%2010.2424%2010.2614%2011.3574%208.88189%2011.3574H2.62677C1.24724%2011.3574%200.132283%2010.2424%200.132283%208.86289C0.132283%207.48336%201.24724%206.3684%202.62677%206.3684H8.88189Z'%20fill='%2336C5F0'/%3e%3cpath%20d='M18.8787%208.86289C18.8787%207.48336%2019.9937%206.3684%2021.3732%206.3684C22.7528%206.3684%2023.8677%207.48336%2023.8677%208.86289C23.8677%2010.2424%2022.7528%2011.3574%2021.3732%2011.3574H18.8787V8.86289ZM17.6315%208.86289C17.6315%2010.2424%2016.5165%2011.3574%2015.137%2011.3574C13.7575%2011.3574%2012.6425%2010.2424%2012.6425%208.86289V2.60777C12.6425%201.22824%2013.7575%200.113281%2015.137%200.113281C16.5165%200.113281%2017.6315%201.22824%2017.6315%202.60777V8.86289Z'%20fill='%232EB67D'/%3e%3cpath%20d='M15.137%2018.8598C16.5165%2018.8598%2017.6315%2019.9747%2017.6315%2021.3542C17.6315%2022.7338%2016.5165%2023.8487%2015.137%2023.8487C13.7575%2023.8487%2012.6425%2022.7338%2012.6425%2021.3542V18.8598H15.137ZM15.137%2017.6125C13.7575%2017.6125%2012.6425%2016.4976%2012.6425%2015.118C12.6425%2013.7385%2013.7575%2012.6235%2015.137%2012.6235H21.3921C22.7717%2012.6235%2023.8866%2013.7385%2023.8866%2015.118C23.8866%2016.4976%2022.7717%2017.6125%2021.3921%2017.6125H15.137Z'%20fill='%23ECB22E'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_5_13506'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)