Skip to content
Runbooks

Google Cloud Metrics Investigation

Overview

Section titled “Overview”

When investigating traffic irregularities, Google Cloud Platform metrics provide valuable insights into system behavior. The “sent bytes” and “received bytes” metrics are particularly useful for recent incidents as it helps identify unusual traffic patterns.

Locating Metrics in Google Cloud

Section titled “Locating Metrics in Google Cloud”

The relevant metrics for traffic investigation are found under the compute.googleapis.com namespace in Google Cloud Monitoring. These metrics are retained for 24 months according to the data retention policy.

Key Metrics: Sent Bytes and Received Bytes

Section titled “Key Metrics: Sent Bytes and Received Bytes”

The “sent bytes” metric tracks outbound network traffic from compute instances and the “received bytes” metric tracks inbound network traffic from compute instances.They are crucial for:

  • Identifying traffic spikes
  • Detecting unusual data transfer patterns
  • Pinpointing the specific machines responsible for irregularities

Investigation Workflow

Section titled “Investigation Workflow”

Step 1: Identify Problem Machines

Section titled “Step 1: Identify Problem Machines”

  1. Navigate to Google Cloud Monitoring

  2. Select the project you want to query

  3. Query the compute.googleapis.com namespace for sent bytes metrics

    sent_bytes_metric_selection.png

  4. Set Aggregation to “Unaggregated”

    metrics_aggregation_selection.png

  5. Filter by time range to isolate the incident period

  6. Identify instances with abnormal traffic patterns

  7. Optional: further filter by clicking the + sign above the graph and add a “Min interval” to aggregate metrics by different time windows.

    img.png

Step 2: Cross-Reference with Kibana Logs

Section titled “Step 2: Cross-Reference with Kibana Logs”

Once you’ve identified the problematic machines from GCP metrics:

  1. Query Kibana logs for the specific machine IDs/names
  2. Analyze detailed logs to understand the context of the jobs
Section titled “Example cross-reference search”

  1. In GCP Metrics explorer, change the results type to “Both”

    both.png

  2. Click the line of the instance you want to search, then in the rights side panel, navigate through the list until you find the checked box.

    select_instance_metric.png

  3. Copy the instance name, beginning with runner- and ending in a 8 character hash.

    select_instance_name.png

  4. In Kibana, set the data view to pubsub-runner-inf-gprd

    pubsub-runner-inf-gprd.png

  5. Click the plus sign to the right of the Data View field, and search for the json.name field

    plus_to_add_filter.png

  6. Set the operator to is and paste the runner name into the field. Click to add the filter.

    add_filter.png

  7. Ensure the time range of the search matches the time of the metric reading for the instance.

  8. From the results, more information can be retrieved, like the project id and job id.

    kibana_results.png

Getting the project URL

Section titled “Getting the project URL”
  1. Follow the steps above for an example cross-reference search.
  2. Copy the json.job from a log result.
  3. Filter for that json.job as well as json.msg == "Added job to processing list".
  4. The result will contain a field named json.repo_url: the project associated with the job.

Important Log Retention Limitations

Section titled “Important Log Retention Limitations”

Kibana Logs

Section titled “Kibana Logs”

Accessing Older Logs

Section titled “Accessing Older Logs”

If you need logs that are:

  • Older than 30 days
  • But within 365 days

Logs are also stored in a GCS bucket for long-term storage.