DEV Community: RAKESH THERANI The latest articles on DEV Community by RAKESH THERANI (@rakeshtherani). https://dev.to/rakeshtherani https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3915069%2F2cc58337-0e5c-494d-a95f-b451731b28b0.png DEV Community: RAKESH THERANI https://dev.to/rakeshtherani en Replacing Elasticsearch with ClickHouse : A 90% Cost-Reduction Migration RAKESH THERANI Wed, 06 May 2026 04:20:01 +0000 https://dev.to/rakeshtherani/replacing-elasticsearch-with-clickhouse-for-otel-logs-traces-metrics-a-90-cost-reduction-28c https://dev.to/rakeshtherani/replacing-elasticsearch-with-clickhouse-for-otel-logs-traces-metrics-a-90-cost-reduction-28c <p><em>A practical guide based on shipping this for a crypto-derivatives platform — annual observability bill went from high six figures to ~$50K, with faster queries and AI-powered log search as a bonus.</em></p> <h2> Why I'm writing this </h2> <p>If you're paying mid-six figures for Elasticsearch and ~90% of your queries are aggregations (error counts, latency percentiles, service health), you're paying full price for a feature you barely use — full-text search.</p> <p>This post walks through how a crypto exchange replaced Elasticsearch with ClickHouse for OpenTelemetry logs, traces, and metrics. Same OTEL instrumentation, just a different backend. Result: 5× smaller storage footprint, 2-6× faster queries on benchmarks, and natural-language log queries via an AI agent — at ~10% of the cost.</p> <p>If you have an existing Elasticsearch + Kibana observability stack and you've been wondering whether ClickHouse is a serious alternative, this is the deep-dive. Includes the schema, the migration plan, the OTEL Collector configuration, the cost numbers, and the gotchas.</p> <blockquote> <p><strong>Note on numbers</strong>: The cost figures below ($400K Elasticsearch → ~$50K ClickHouse) are real annual numbers from this deployment, on log volumes typical of a high-traffic trading platform (low-tens of TB ingested per year, 90-day hot retention, multi-region). Your mileage will vary substantially with log volume, retention, and cluster size. The architectural patterns are universal.</p> </blockquote> <h2> Table of Contents </h2> <ol> <li>Executive Summary</li> <li>The Problem — Elasticsearch at $400K/Year</li> <li>Why ClickHouse for Observability</li> <li>Platform Architecture</li> <li> OpenTelemetry — The Standard We Keep 5b. Collection Agent Options — OTEL vs Fluent Bit vs Vector </li> <li>ClickHouse Schema — Logs, Traces, Metrics</li> <li>End-to-End Distributed Tracing — HTTP to ClickHouse</li> <li>Full-Text Log Search — Replacing Kibana Discover</li> <li>Visualization — Grafana Replaces Kibana</li> <li>Data Retention &amp; Tiered Storage</li> <li>AI Layer — Natural Language Over Logs and Traces</li> <li>Migration Plan — Zero Downtime Cutover (Standard OTEL or BindPlane)</li> <li>Cost Analysis</li> <li>Risk Assessment</li> <li>Success Metrics</li> <li>Reference Links</li> </ol> <h2> 1. Executive Summary </h2> <h3> Objective </h3> <p>Replace the current Elasticsearch-based observability stack (application logs + OTEL traces + metrics) with ClickHouse — reducing annual infrastructure cost from $400K to ~$35-60K while gaining faster aggregations, better compression, unified storage with business data, and AI-powered log querying.</p> <h3> The Problem Today </h3> <ul> <li>Paying $400K/year for Elasticsearch managed service</li> <li>Elasticsearch is optimized for full-text search — most log queries are aggregations (error counts, latency percentiles, service health) where ClickHouse is <strong>2-6x faster on cold queries, 1.7-2.6x on hot queries</strong> (ClickHouse/TextBench benchmark, OTEL logs at 1B–50B rows)</li> <li>Logs, traces, metrics, and business data live in separate systems — no cross-correlation</li> <li>Storage costs are high: same OTEL dataset takes <strong>5x more space in Elasticsearch</strong> (49 GB vs 245 GB at 1B rows; 2.4 TB vs 12 TB at 50B rows)</li> <li>Kibana is the only query interface — no programmatic access, no AI layer</li> </ul> <h3> The Solution </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Keep OpenTelemetry (OTEL) as the instrumentation standard — zero application changes. Change only the destination: swap Elasticsearch exporter → ClickHouse exporter in OTEL Collector. All logs, traces, and metrics land in ClickHouse. Grafana reads ClickHouse for dashboards and alerts. AI agent queries logs/traces in plain English via the same LibreChat + MCP platform. </code></pre> </div> <h3> Expected Outcomes </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Target</th> </tr> </thead> <tbody> <tr> <td>Annual cost reduction</td> <td>$340-365K saved (~85-90% reduction)</td> </tr> <tr> <td>Storage reduction</td> <td> <strong>5x smaller</strong> total footprint (16x on column files) — real benchmark at 1B–50B OTEL rows</td> </tr> <tr> <td>Query speed improvement</td> <td> <strong>2-6x faster</strong> cold queries, <strong>1.7-2.6x</strong> hot queries (ClickHouse/TextBench)</td> </tr> <tr> <td>Retention period</td> <td>Same or longer — at lower cost</td> </tr> <tr> <td>Unification</td> <td>Logs + traces + metrics + business data in one DB</td> </tr> <tr> <td>AI queries over logs</td> <td>Plain English → SQL → instant answer</td> </tr> </tbody> </table></div> <h2> 2. The Problem — Elasticsearch at $400K/Year </h2> <h3> Where the Cost Comes From </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cost Driver</th> <th>Elasticsearch Behaviour</th> <th>Annual Cost Share</th> </tr> </thead> <tbody> <tr> <td>Storage</td> <td>Row-oriented index, 2-3x compression, needs SSD</td> <td>~$100K</td> </tr> <tr> <td>Compute</td> <td>CPU-heavy indexing on every write, inverted index maintenance</td> <td>~$150K</td> </tr> <tr> <td>Licensing</td> <td>Elastic managed service / Elastic Cloud premium</td> <td>~$100K</td> </tr> <tr> <td>Operations</td> <td>Shard management, index lifecycle management (ILM), tuning</td> <td>~$50K (eng time)</td> </tr> </tbody> </table></div> <h3> The Technical Mismatch </h3> <p>Elasticsearch was built for <strong>full-text search</strong> on documents (web pages, articles). Application logs and OTEL telemetry are <strong>structured time-series data</strong> — they need aggregations, not document search.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>What teams actually query</th> <th>Elasticsearch efficiency</th> <th>ClickHouse efficiency</th> </tr> </thead> <tbody> <tr> <td>"Error count per service last hour"</td> <td>Slow (aggregation on inverted index)</td> <td>Fast (columnar scan)</td> </tr> <tr> <td>"P99 latency for /api/trade endpoint"</td> <td>Slow (percentile aggregation)</td> <td>Fast (built-in quantile functions)</td> </tr> <tr> <td>"Show logs for TraceId = abc123"</td> <td>Fast (indexed term lookup)</td> <td>Fast (bloom filter)</td> </tr> <tr> <td>"Which services degraded after deploy at 14:00?"</td> <td>Medium</td> <td>Fast</td> </tr> <tr> <td>"Free-text: find logs containing OutOfMemoryError"</td> <td>Fast (native)</td> <td>Good (tokenbf bloom filter)</td> </tr> </tbody> </table></div> <p>~90% of real observability queries are aggregations. Elasticsearch is paying full price for a capability (full-text search) that covers only ~10% of use cases.</p> <p><strong>Where ClickHouse wins most — benchmark by query type (cold, 50B rows):</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Query Category</th> <th>Examples</th> <th>ClickHouse speedup</th> </tr> </thead> <tbody> <tr> <td>Log retrieval (text match + fetch rows)</td> <td>"Find logs containing OutOfMemoryError"</td> <td>Narrowest gap — ES competitive</td> </tr> <tr> <td>Error/match counts</td> <td>"Count 500 errors in last hour"</td> <td>Moderate advantage</td> </tr> <tr> <td>Service-level breakdowns</td> <td>"Group errors by service"</td> <td>Large advantage</td> </tr> <tr> <td>Time-series trend analysis</td> <td>"Error rate per minute over last 24h"</td> <td><strong>Widest gap — 6x+ faster</strong></td> </tr> </tbody> </table></div> <p>The speedup grows with analytical complexity. Retrieval-only queries (find and show matching rows) is ES's home turf. The moment you add grouping, aggregation, or time-bucketing on top of a text match — the dominant pattern in observability — ClickHouse's vectorized engine pulls away decisively.</p> <h3> Current Stack Pain Points </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Application │ ▼ OTEL SDK (instrumented) OTEL Collector │ ▼ Elasticsearch Exporter Elasticsearch Cluster │ ▼ Kibana ← only UI, no programmatic access </code></pre> </div> <ul> <li>No way to join log data with business data (e.g., "which users were affected by this error?")</li> <li>Kibana dashboards require manual setup — no AI layer</li> <li>Retention limited by cost — older logs are deleted or archived to cold storage with no query access</li> <li>Every new service that emits logs increases Elasticsearch cost linearly</li> </ul> <h2> 3. Why ClickHouse for Observability </h2> <h3> Companies Already Doing This </h3> <p><strong>Cloudflare</strong> — Replaced Elasticsearch with ClickHouse for HTTP logs:</p> <ul> <li>36 petabytes of data</li> <li>Queries that took 30+ seconds in Elasticsearch run in &lt; 1 second in ClickHouse</li> <li>Cost reduced by 80%</li> </ul> <p><strong>Uber</strong> — Migrated logging to ClickHouse:</p> <ul> <li>100+ billion log rows per day</li> <li>Storage reduced from petabytes (Elasticsearch) to terabytes (ClickHouse)</li> </ul> <p><strong>Contentsquare</strong> — OTEL traces and logs in ClickHouse:</p> <ul> <li>50 billion events/day</li> <li>Replaced both Elasticsearch and a custom Cassandra setup</li> </ul> <p><strong>Langfuse</strong> (now part of ClickHouse) — LLM observability platform:</p> <ul> <li>Stores all LLM traces in ClickHouse</li> <li>Handles millions of traces per day</li> <li>This is the same Langfuse we use in the Agentic AI Platform</li> </ul> <h3> ClickHouse vs Elasticsearch for Observability </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Capability</th> <th>Elasticsearch</th> <th>ClickHouse</th> </tr> </thead> <tbody> <tr> <td>Storage model</td> <td>Inverted index (document-oriented)</td> <td>Columnar (OLAP)</td> </tr> <tr> <td>Compression ratio</td> <td>2-3x</td> <td>10-30x</td> </tr> <tr> <td>Aggregation speed</td> <td>Seconds (post-indexing)</td> <td>Milliseconds</td> </tr> <tr> <td>Write throughput</td> <td>Medium (index maintenance overhead)</td> <td>Very high (append-only MergeTree)</td> </tr> <tr> <td>Full-text search</td> <td>Excellent (native inverted index)</td> <td>Good (bloom filter indexes)</td> </tr> <tr> <td>OTEL native support</td> <td>Via Logstash/Beats (extra hop)</td> <td>Native OTEL exporter (direct)</td> </tr> <tr> <td>Cross-data joins</td> <td>Not possible</td> <td>Join logs with business tables</td> </tr> <tr> <td>AI/LLM integration</td> <td>Kibana AI (limited)</td> <td>Full MCP + LLM stack</td> </tr> <tr> <td>Tiered storage</td> <td>ILM (complex config)</td> <td>TTL + S3 (2 lines of SQL)</td> </tr> <tr> <td>License</td> <td>Elastic License (paid tiers)</td> <td>Apache 2.0 (fully open source)</td> </tr> <tr> <td>Operational complexity</td> <td>High (shards, replicas, ILM)</td> <td>Low (MergeTree auto-manages)</td> </tr> </tbody> </table></div> <h3> Key Architectural Advantage </h3> <p>ClickHouse already stores business data (trades, wallets, users, risk) via the Agentic AI Platform. Adding observability data to the <strong>same cluster</strong> means:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- This query is IMPOSSIBLE in Elasticsearch:</span> <span class="c1">-- "Which users were affected by the 500 errors on trading-service between 14:00-14:30?"</span> <span class="k">SELECT</span> <span class="k">DISTINCT</span> <span class="n">l</span><span class="p">.</span><span class="n">LogAttributes</span><span class="p">[</span><span class="s1">'user_id'</span><span class="p">]</span> <span class="k">AS</span> <span class="n">user_id</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">kyc_status</span><span class="p">,</span> <span class="k">count</span><span class="p">()</span> <span class="k">AS</span> <span class="n">error_count</span> <span class="k">FROM</span> <span class="n">otel_logs</span> <span class="n">l</span> <span class="k">JOIN</span> <span class="n">mart_users</span> <span class="n">u</span> <span class="k">ON</span> <span class="n">l</span><span class="p">.</span><span class="n">LogAttributes</span><span class="p">[</span><span class="s1">'user_id'</span><span class="p">]</span> <span class="o">=</span> <span class="n">u</span><span class="p">.</span><span class="n">username</span> <span class="k">WHERE</span> <span class="n">l</span><span class="p">.</span><span class="n">ServiceName</span> <span class="o">=</span> <span class="s1">'trading-service'</span> <span class="k">AND</span> <span class="n">l</span><span class="p">.</span><span class="n">SeverityText</span> <span class="o">=</span> <span class="s1">'ERROR'</span> <span class="k">AND</span> <span class="n">l</span><span class="p">.</span><span class="nb">Timestamp</span> <span class="k">BETWEEN</span> <span class="s1">'2026-04-17 14:00:00'</span> <span class="k">AND</span> <span class="s1">'2026-04-17 14:30:00'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">user_id</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">kyc_status</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">error_count</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>In ClickHouse: one query, instant answer.<br> In Elasticsearch + separate business DB: impossible without custom ETL.</p> <h3> Horizontal Scaling — Parallel Replicas </h3> <p>For high-volume workloads, ClickHouse scales a single query across multiple nodes using <strong>parallel replicas</strong> — the query is split across the replica fleet and results are merged. At 50B rows (same TextBench dataset):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Nodes</th> <th>Total query runtime</th> <th>Speedup</th> </tr> </thead> <tbody> <tr> <td>1 node</td> <td>19.1s</td> <td>baseline</td> </tr> <tr> <td>3 nodes</td> <td>12.5s</td> <td>1.5x</td> </tr> <tr> <td>9 nodes</td> <td>6.45s</td> <td>3x</td> </tr> <tr> <td>20 nodes</td> <td>3.27s</td> <td><strong>5.8x</strong></td> </tr> </tbody> </table></div> <p>For text-search queries specifically, <strong>index sharding</strong> distributes the inverted index analysis across the replica fleet — delivering a 5.8x speedup on full-text queries at scale. This is relevant for any high-volume environment as log volume grows: add nodes, queries get proportionally faster, no schema or application changes needed.</p> <h2> 4. Platform Architecture </h2> <h3> Target Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> +------------------------------------------+ | CRYPTO EXCHANGE APPS | | | | Trading Service Wallet Service | | Risk Service User Service | | API Gateway Background Workers | +-------------------+----------------------+ | OTEL SDK (zero app code change) Auto-instruments: HTTP, DB, Kafka, Redis | +-------------------v----------------------+ | OTEL COLLECTOR | | | | Receivers: OTLP gRPC/HTTP | | Processors: batch, resource, filter | | Exporters: clickhouseexporter | +-------------------+----------------------+ | +-------------------v----------------------+ | CLICKHOUSE CLUSTER | | | | database: otel | | ┌─────────────┬──────────┬──────────┐ | | │ otel_logs │otel_traces│otel_metrics│ | | │ (Logs) │(Traces) │(Metrics) │ | | └─────────────┴──────────┴──────────┘ | | | | database: marts (business data) | | ┌────────────────────────────────────┐ | | │ mart_trades mart_users mart_wallets│ | | └────────────────────────────────────┘ | +---+------------------+-------------------+ | | +------------v---+ +--------v-----------+ | GRAFANA | | LIBRECHAT + LLM | | | | (AI queries over | | Dashboards | | logs in plain | | Trace Viewer | | English) | | Log Explorer | | | | Alerts | | | +----------------+ +--------------------+ </code></pre> </div> <h3> What Changes vs Current Stack </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>OTEL SDK (app)</td> <td>Same</td> <td>Same — zero changes</td> </tr> <tr> <td>OTEL Collector</td> <td>Same</td> <td>Same — only exporter config changes</td> </tr> <tr> <td>Storage</td> <td>Elasticsearch</td> <td>ClickHouse</td> </tr> <tr> <td>Log/Trace UI</td> <td>Kibana</td> <td>Grafana</td> </tr> <tr> <td>Alerting</td> <td>Kibana Alerts</td> <td>Grafana Alerting</td> </tr> <tr> <td>AI queries</td> <td>None</td> <td>LibreChat + Qwen + MCP</td> </tr> <tr> <td>Cross-data correlation</td> <td>Not possible</td> <td>Native SQL joins</td> </tr> </tbody> </table></div> <h3> OTEL Collector Deployment — Two Architectures </h3> <p>There are two ways to deploy the OTEL Collector. Choosing the wrong one causes data loss during ClickHouse restarts or network blips.</p> <h4> Agent-Only (not recommended for production) </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>App → OTEL Collector (on same host) → ClickHouse directly </code></pre> </div> <p>Each service runs its own collector. Simple to set up but fragile — if ClickHouse is briefly unreachable, the agent has no buffer and <strong>drops data</strong>. Works for development or low-stakes services.</p> <h4> Aggregator (recommended for production) </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>App → OTEL Agent (lightweight, on each host) │ ▼ OTEL Aggregator (central, 1–2 instances) - batches writes - retries on ClickHouse failure - filters/transforms before storage │ ▼ ClickHouse </code></pre> </div> <p>The agent on each host is lightweight — just forwards to the aggregator. The aggregator does the heavy work: batching, retry on failure, PII filtering, routing. If ClickHouse goes down for 5 minutes, the aggregator queues data and flushes when it comes back. <strong>No data loss.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># OTEL Agent config (on each service host — minimal, just forwards)</span> <span class="na">exporters</span><span class="pi">:</span> <span class="na">otlp</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">otel-aggregator.internal:4317</span> <span class="c1"># sends to aggregator, not ClickHouse</span> <span class="c1"># OTEL Aggregator config (central — does batching, retry, filtering)</span> <span class="na">processors</span><span class="pi">:</span> <span class="na">batch</span><span class="pi">:</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">send_batch_size</span><span class="pi">:</span> <span class="m">50000</span> <span class="na">retry_on_failure</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">initial_interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">max_elapsed_time</span><span class="pi">:</span> <span class="s">300s</span> <span class="na">exporters</span><span class="pi">:</span> <span class="na">clickhouse</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">tcp://clickhouse.internal:9000</span> <span class="na">database</span><span class="pi">:</span> <span class="s">otel</span> <span class="na">compress</span><span class="pi">:</span> <span class="s">lz4</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">retry_on_failure</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">initial_interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">max_elapsed_time</span><span class="pi">:</span> <span class="s">300s</span> </code></pre> </div> <p><strong>For a crypto exchange:</strong> Use the Aggregator pattern. Trading and wallet services cannot drop observability data — if an incident occurs during a ClickHouse maintenance window, you need the logs.</p> <h2> 5. OpenTelemetry — The Standard We Keep </h2> <h3> Why OTEL is the Right Foundation </h3> <p>OpenTelemetry is a CNCF standard for instrumentation — vendor-neutral, supported by every major cloud provider and observability tool. We keep OTEL as our instrumentation layer. Only the <strong>backend destination</strong> changes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Application Code → OTEL SDK → OTEL Collector → [ANY BACKEND] ↑ Swap this: Elasticsearch → ClickHouse </code></pre> </div> <h3> OTEL Data Types We Capture </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Signal</th> <th>What It Is</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td><strong>Logs</strong></td> <td>Structured log events with severity, body, attributes</td> <td>"ERROR: failed to execute trade, user=john_doe, error=InsufficientBalance"</td> </tr> <tr> <td><strong>Traces</strong></td> <td>Distributed request flow across services with timing</td> <td>Full journey of a trade order: API → trading-service → PostgreSQL → Kafka</td> </tr> <tr> <td><strong>Metrics</strong></td> <td>Numeric measurements over time</td> <td>HTTP request rate, error rate, latency histogram, DB connection pool size</td> </tr> </tbody> </table></div> <h3> OTEL Collector — Only the Exporter Changes </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># otel-collector-config.yaml</span> <span class="na">receivers</span><span class="pi">:</span> <span class="na">otlp</span><span class="pi">:</span> <span class="na">protocols</span><span class="pi">:</span> <span class="na">grpc</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">0.0.0.0:4317</span> <span class="na">http</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">0.0.0.0:4318</span> <span class="na">processors</span><span class="pi">:</span> <span class="na">batch</span><span class="pi">:</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">send_batch_size</span><span class="pi">:</span> <span class="m">10000</span> <span class="na">memory_limiter</span><span class="pi">:</span> <span class="na">limit_mib</span><span class="pi">:</span> <span class="m">512</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">attributes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">environment</span> <span class="na">value</span><span class="pi">:</span> <span class="s">production</span> <span class="na">action</span><span class="pi">:</span> <span class="s">upsert</span> <span class="na">exporters</span><span class="pi">:</span> <span class="c1"># ─── BEFORE (Elasticsearch) ───────────────────────────────</span> <span class="c1"># elasticsearch:</span> <span class="c1"># endpoints: [https://elastic-cluster:9200]</span> <span class="c1"># logs_index: logs-%{+yyyy.MM.dd}</span> <span class="c1"># traces_index: traces-%{+yyyy.MM.dd}</span> <span class="c1"># ─── AFTER (ClickHouse) ────────────────────────────────────</span> <span class="na">clickhouse</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">tcp://clickhouse:9000</span> <span class="na">database</span><span class="pi">:</span> <span class="s">otel</span> <span class="na">logs_table_name</span><span class="pi">:</span> <span class="s">otel_logs</span> <span class="na">traces_table_name</span><span class="pi">:</span> <span class="s">otel_traces</span> <span class="na">metrics_table_name</span><span class="pi">:</span> <span class="s">otel_metrics</span> <span class="na">ttl</span><span class="pi">:</span> <span class="m">90</span> <span class="c1"># days — auto-delete old data</span> <span class="na">compress</span><span class="pi">:</span> <span class="s">lz4</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retry_on_failure</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">initial_interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">max_interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">max_elapsed_time</span><span class="pi">:</span> <span class="s">300s</span> <span class="na">service</span><span class="pi">:</span> <span class="na">pipelines</span><span class="pi">:</span> <span class="na">logs</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp</span><span class="pi">]</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">memory_limiter</span><span class="pi">,</span> <span class="nv">batch</span><span class="pi">,</span> <span class="nv">resource</span><span class="pi">]</span> <span class="na">exporters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">clickhouse</span><span class="pi">]</span> <span class="na">traces</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp</span><span class="pi">]</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">memory_limiter</span><span class="pi">,</span> <span class="nv">batch</span><span class="pi">,</span> <span class="nv">resource</span><span class="pi">]</span> <span class="na">exporters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">clickhouse</span><span class="pi">]</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp</span><span class="pi">]</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">memory_limiter</span><span class="pi">,</span> <span class="nv">batch</span><span class="pi">,</span> <span class="nv">resource</span><span class="pi">]</span> <span class="na">exporters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">clickhouse</span><span class="pi">]</span> </code></pre> </div> <p><strong>That is the only config change needed.</strong> Applications keep emitting OTEL. The collector keeps receiving. Only the destination changes.</p> <h3> Application Instrumentation — Zero Code Changes </h3> <p>For most languages, attach the OTEL agent at startup:</p> <h4> Java (Spring Boot / any JVM) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add to JVM startup — auto-instruments HTTP, JDBC, Kafka, Redis</span> java <span class="nt">-javaagent</span>:opentelemetry-javaagent.jar <span class="se">\</span> <span class="nt">-Dotel</span>.service.name<span class="o">=</span>trading-service <span class="se">\</span> <span class="nt">-Dotel</span>.exporter.otlp.endpoint<span class="o">=</span>http://otel-collector:4317 <span class="se">\</span> <span class="nt">-Dotel</span>.traces.exporter<span class="o">=</span>otlp <span class="se">\</span> <span class="nt">-Dotel</span>.metrics.exporter<span class="o">=</span>otlp <span class="se">\</span> <span class="nt">-Dotel</span>.logs.exporter<span class="o">=</span>otlp <span class="se">\</span> <span class="nt">-jar</span> trading-service.jar </code></pre> </div> <h4> Python (FastAPI / Django) </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Add 3 lines at startup — auto-instruments HTTP, PostgreSQL, Redis </span><span class="kn">from</span> <span class="n">opentelemetry.instrumentation.fastapi</span> <span class="kn">import</span> <span class="n">FastAPIInstrumentor</span> <span class="kn">from</span> <span class="n">opentelemetry.instrumentation.psycopg2</span> <span class="kn">import</span> <span class="n">Psycopg2Instrumentor</span> <span class="kn">from</span> <span class="n">opentelemetry.instrumentation.requests</span> <span class="kn">import</span> <span class="n">RequestsInstrumentor</span> <span class="n">FastAPIInstrumentor</span><span class="p">.</span><span class="nf">instrument_app</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="nc">Psycopg2Instrumentor</span><span class="p">().</span><span class="nf">instrument</span><span class="p">()</span> <span class="nc">RequestsInstrumentor</span><span class="p">().</span><span class="nf">instrument</span><span class="p">()</span> </code></pre> </div> <h4> Node.js </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// tracing.js — load before anything else via --require</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@opentelemetry/auto-instrumentations-node/register</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Auto-instruments: express, pg, http, redis, mongoose, kafka</span> </code></pre> </div> <h2> 5b. Collection Agent Options — OTEL vs Fluent Bit vs Vector </h2> <p>OTEL Collector is not the only way to ship data to ClickHouse. Three agents are production-proven. The compression difference between them is significant enough to affect your storage cost.</p> <h3> Compression Comparison (real benchmarks — identical log dataset) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Agent</th> <th>Compression Ratio</th> <th>Status</th> <th>Protocol</th> </tr> </thead> <tbody> <tr> <td><strong>Fluent Bit</strong></td> <td><strong>33×</strong></td> <td>Mature</td> <td>HTTP JSONEachRow</td> </tr> <tr> <td><strong>Vector</strong></td> <td><strong>21×</strong></td> <td>Beta / widely used</td> <td>HTTP JSON</td> </tr> <tr> <td><strong>OTEL Collector</strong></td> <td><strong>14×</strong></td> <td>Alpha for ClickHouse exporter</td> <td>Native ClickHouse TCP</td> </tr> </tbody> </table></div> <p>Fluent Bit achieves 33× compression because it gives you full control over the schema — you define exactly which fields land in which typed columns. OTEL Collector uses a fixed schema (Map types for attributes) which is more flexible but less compressible.</p> <p><strong>For a crypto exchange:</strong> OTEL Collector is the right default because we already use OTEL instrumentation end-to-end and the fixed schema covers all signals. If storage cost becomes a concern at high volume, Fluent Bit is the migration path — it requires a custom schema but delivers the best compression.</p> <h3> When to Use Each </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Agent</th> <th>Use When</th> </tr> </thead> <tbody> <tr> <td><strong>OTEL Collector</strong></td> <td>You already emit OTEL signals (our case). Single config change, zero app changes. Traces + logs + metrics in one pipeline.</td> </tr> <tr> <td><strong>Fluent Bit</strong></td> <td>K8s environment, log-heavy workload, storage cost is a priority. Best compression. Mature and battle-tested. Does not handle traces.</td> </tr> <tr> <td><strong>Vector</strong></td> <td>You want a fully custom schema with maximum flexibility. Good middle ground — better compression than OTEL, handles more data types than Fluent Bit.</td> </tr> </tbody> </table></div> <h3> Fluent Bit → ClickHouse Config (for reference) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># fluent-bit.yaml — ships K8s pod logs directly to ClickHouse</span> <span class="pi">[</span><span class="nv">OUTPUT</span><span class="pi">]</span> <span class="s">Name clickhouse</span> <span class="s">Match *</span> <span class="s">Host clickhouse.internal</span> <span class="s">Port </span><span class="m">8123</span> <span class="s">Database otel</span> <span class="s">Table fluent_logs</span> <span class="s"># Critical</span><span class="err">:</span> <span class="s">async inserts prevent too-small-batch errors</span> <span class="s">async_insert </span><span class="m">1</span> <span class="s">flush 10s</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Custom schema for Fluent Bit (33x compression)</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">otel</span><span class="p">.</span><span class="n">fluent_logs</span> <span class="p">(</span> <span class="nb">timestamp</span> <span class="n">DateTime64</span><span class="p">(</span><span class="mi">9</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">Delta</span><span class="p">,</span> <span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">pod_name</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">namespace</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">container_name</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">severity</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">message</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">kubernetes_labels</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="p">)</span> <span class="n">ENGINE</span> <span class="o">=</span> <span class="n">MergeTree</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">toDate</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="p">(</span><span class="n">namespace</span><span class="p">,</span> <span class="n">pod_name</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="n">TTL</span> <span class="n">toDateTime</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">90</span> <span class="k">DAY</span><span class="p">;</span> </code></pre> </div> <blockquote> <p><strong>Important:</strong> Fluent Bit requires <code>async_insert=1</code> and flush intervals ≥10 seconds. Without this, each log line triggers a separate HTTP insert and ClickHouse performance degrades significantly from too many small writes.</p> </blockquote> <h2> 6. ClickHouse Schema — Logs, Traces, Metrics </h2> <h3> Logs Table </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="p">(</span> <span class="nb">Timestamp</span> <span class="n">DateTime64</span><span class="p">(</span><span class="mi">9</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">Delta</span><span class="p">,</span> <span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">TraceId</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">SpanId</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">TraceFlags</span> <span class="n">UInt32</span><span class="p">,</span> <span class="n">SeverityText</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="c1">-- ERROR, WARN, INFO, DEBUG</span> <span class="n">SeverityNumber</span> <span class="n">Int32</span><span class="p">,</span> <span class="n">ServiceName</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">Body</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">ResourceSchemaUrl</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">ResourceAttributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">ScopeSchemaUrl</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">ScopeName</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">ScopeVersion</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">ScopeAttributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">LogAttributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="c1">-- Skip indexes for fast filtering (replaces Elasticsearch inverted index for common patterns)</span> <span class="k">INDEX</span> <span class="n">idx_trace_id</span> <span class="n">TraceId</span> <span class="k">TYPE</span> <span class="n">bloom_filter</span><span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">001</span><span class="p">)</span> <span class="n">GRANULARITY</span> <span class="mi">1</span><span class="p">,</span> <span class="k">INDEX</span> <span class="n">idx_body</span> <span class="n">Body</span> <span class="k">TYPE</span> <span class="n">tokenbf_v1</span><span class="p">(</span><span class="mi">32768</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="n">GRANULARITY</span> <span class="mi">1</span><span class="p">,</span> <span class="k">INDEX</span> <span class="n">idx_service</span> <span class="n">ServiceName</span> <span class="k">TYPE</span> <span class="k">set</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="n">GRANULARITY</span> <span class="mi">4</span><span class="p">,</span> <span class="k">INDEX</span> <span class="n">idx_severity</span> <span class="n">SeverityText</span> <span class="k">TYPE</span> <span class="k">set</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="n">GRANULARITY</span> <span class="mi">4</span> <span class="p">)</span> <span class="n">ENGINE</span> <span class="o">=</span> <span class="n">MergeTree</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">toDate</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="p">(</span><span class="n">ServiceName</span><span class="p">,</span> <span class="n">SeverityText</span><span class="p">,</span> <span class="n">toUnixTimestamp</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">))</span> <span class="n">TTL</span> <span class="n">toDateTime</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">90</span> <span class="k">DAY</span> <span class="n">SETTINGS</span> <span class="n">index_granularity</span> <span class="o">=</span> <span class="mi">8192</span><span class="p">;</span> </code></pre> </div> <h3> Traces Table </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_traces</span> <span class="p">(</span> <span class="nb">Timestamp</span> <span class="n">DateTime64</span><span class="p">(</span><span class="mi">9</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">Delta</span><span class="p">,</span> <span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">TraceId</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">SpanId</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">ParentSpanId</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">TraceState</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">SpanName</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">SpanKind</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="c1">-- SERVER, CLIENT, PRODUCER, CONSUMER</span> <span class="n">ServiceName</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">ResourceAttributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">SpanAttributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">Duration</span> <span class="n">Int64</span><span class="p">,</span> <span class="c1">-- nanoseconds</span> <span class="n">StatusCode</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="c1">-- STATUS_CODE_OK, STATUS_CODE_ERROR</span> <span class="n">StatusMessage</span> <span class="n">String</span><span class="p">,</span> <span class="n">Events</span> <span class="n">Nested</span> <span class="p">(</span> <span class="nb">Timestamp</span> <span class="n">DateTime64</span><span class="p">(</span><span class="mi">9</span><span class="p">),</span> <span class="n">Name</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">Attributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="p">),</span> <span class="n">Links</span> <span class="n">Nested</span> <span class="p">(</span> <span class="n">TraceId</span> <span class="n">String</span><span class="p">,</span> <span class="n">SpanId</span> <span class="n">String</span><span class="p">,</span> <span class="n">TraceState</span> <span class="n">String</span><span class="p">,</span> <span class="n">Attributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_trace_id</span> <span class="n">TraceId</span> <span class="k">TYPE</span> <span class="n">bloom_filter</span><span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">001</span><span class="p">)</span> <span class="n">GRANULARITY</span> <span class="mi">1</span><span class="p">,</span> <span class="k">INDEX</span> <span class="n">idx_span_name</span> <span class="n">SpanName</span> <span class="k">TYPE</span> <span class="k">set</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span> <span class="n">GRANULARITY</span> <span class="mi">4</span><span class="p">,</span> <span class="k">INDEX</span> <span class="n">idx_service</span> <span class="n">ServiceName</span> <span class="k">TYPE</span> <span class="k">set</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span> <span class="n">GRANULARITY</span> <span class="mi">4</span> <span class="p">)</span> <span class="n">ENGINE</span> <span class="o">=</span> <span class="n">MergeTree</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">toDate</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="p">(</span><span class="n">ServiceName</span><span class="p">,</span> <span class="n">SpanName</span><span class="p">,</span> <span class="n">toUnixTimestamp</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">))</span> <span class="n">TTL</span> <span class="n">toDateTime</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">90</span> <span class="k">DAY</span><span class="p">;</span> </code></pre> </div> <h3> Metrics Table </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_metrics</span> <span class="p">(</span> <span class="n">ResourceAttributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">ResourceSchemaUrl</span> <span class="n">String</span><span class="p">,</span> <span class="n">ScopeName</span> <span class="n">String</span><span class="p">,</span> <span class="n">ScopeVersion</span> <span class="n">String</span><span class="p">,</span> <span class="n">ScopeAttributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">ScopeDroppedAttrCount</span> <span class="n">UInt32</span><span class="p">,</span> <span class="n">ScopeSchemaUrl</span> <span class="n">String</span><span class="p">,</span> <span class="n">MetricName</span> <span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">MetricDescription</span> <span class="n">String</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">MetricUnit</span> <span class="n">String</span><span class="p">,</span> <span class="n">Attributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">StartTimeUnix</span> <span class="n">DateTime64</span><span class="p">(</span><span class="mi">9</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">Delta</span><span class="p">,</span> <span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">TimeUnix</span> <span class="n">DateTime64</span><span class="p">(</span><span class="mi">9</span><span class="p">)</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">Delta</span><span class="p">,</span> <span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">Value</span> <span class="n">Float64</span> <span class="n">CODEC</span><span class="p">(</span><span class="n">ZSTD</span><span class="p">(</span><span class="mi">1</span><span class="p">)),</span> <span class="n">Flags</span> <span class="n">UInt32</span><span class="p">,</span> <span class="n">Exemplars</span> <span class="n">Nested</span> <span class="p">(</span> <span class="n">FilteredAttributes</span> <span class="k">Map</span><span class="p">(</span><span class="n">LowCardinality</span><span class="p">(</span><span class="n">String</span><span class="p">),</span> <span class="n">String</span><span class="p">),</span> <span class="n">TimeUnix</span> <span class="n">DateTime64</span><span class="p">(</span><span class="mi">9</span><span class="p">),</span> <span class="n">Value</span> <span class="n">Float64</span><span class="p">,</span> <span class="n">SpanId</span> <span class="n">String</span><span class="p">,</span> <span class="n">TraceId</span> <span class="n">String</span> <span class="p">),</span> <span class="n">AggTemp</span> <span class="n">Int32</span><span class="p">,</span> <span class="n">IsMonotonic</span> <span class="n">UInt8</span> <span class="p">)</span> <span class="n">ENGINE</span> <span class="o">=</span> <span class="n">MergeTree</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">toDate</span><span class="p">(</span><span class="n">TimeUnix</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="p">(</span><span class="n">MetricName</span><span class="p">,</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="n">toUnixTimestamp</span><span class="p">(</span><span class="n">TimeUnix</span><span class="p">))</span> <span class="n">TTL</span> <span class="n">toDateTime</span><span class="p">(</span><span class="n">TimeUnix</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">90</span> <span class="k">DAY</span> <span class="n">SETTINGS</span> <span class="n">index_granularity</span> <span class="o">=</span> <span class="mi">8192</span><span class="p">;</span> </code></pre> </div> <h3> Why <code>LowCardinality</code> and <code>CODEC</code> Matter </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Optimization</th> <th>What It Does</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td><code>LowCardinality(String)</code></td> <td>Dictionary-encodes repeated values (ServiceName, SeverityText)</td> <td>3-5x compression + faster filtering</td> </tr> <tr> <td> <code>CODEC(Delta, ZSTD(1))</code> on Timestamp</td> <td>Delta encodes sequential timestamps, then ZSTD compresses</td> <td>5-10x compression on time columns</td> </tr> <tr> <td> <code>CODEC(ZSTD(1))</code> on String cols</td> <td>General purpose compression</td> <td>3-7x</td> </tr> <tr> <td> <code>bloom_filter</code> index on TraceId</td> <td>Skips data blocks that can't contain the TraceId</td> <td>Near O(1) lookup</td> </tr> <tr> <td> <code>tokenbf_v1</code> index on Body</td> <td>Token-based bloom filter for keyword search</td> <td>Skips irrelevant blocks without full scan</td> </tr> <tr> <td><code>PARTITION BY toDate(Timestamp)</code></td> <td>One partition per day — old days auto-deleted by TTL</td> <td>Instant TTL, no maintenance</td> </tr> <tr> <td><code>ORDER BY (ServiceName, SeverityText, Timestamp)</code></td> <td>Most queries filter by service + severity + time</td> <td>Queries read minimal data</td> </tr> </tbody> </table></div> <h2> 7. End-to-End Distributed Tracing — HTTP to ClickHouse </h2> <h3> The Full Trace Flow </h3> <p>Every incoming HTTP request gets a <code>TraceId</code>. That same ID propagates through every service and DB call. ClickHouse stores all spans. Grafana shows the waterfall.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser → [traceparent header injected] │ ▼ [1] Nginx → Span: http.server (method, url, status, duration) │ propagates traceparent to upstream ▼ [2] API Gateway → Span: route handling │ ▼ [3] Trading Service → Span: business logic │ ┌─────┴──────┐ ▼ ▼ [4] PostgreSQL [5] ClickHouse → Span: db.query (SQL text, duration, rows) (OTEL JDBC auto) (native OTEL) │ ▼ [6] Kafka Producer → Span: messaging.publish (topic, partition) All spans → OTEL Collector → ClickHouse otel_traces table │ ▼ Grafana Trace UI (full waterfall) </code></pre> </div> <h3> Layer 1 — Nginx (Trace Entry Point) </h3> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># nginx.conf</span> <span class="k">load_module</span> <span class="nc">modules/ngx</span><span class="s">_otel_module.so</span><span class="p">;</span> <span class="k">http</span> <span class="p">{</span> <span class="kn">otel_exporter</span> <span class="p">{</span> <span class="kn">endpoint</span> <span class="nf">otel-collector</span><span class="p">:</span><span class="mi">4317</span><span class="p">;</span> <span class="p">}</span> <span class="kn">otel_service_name</span> <span class="s">"api-gateway"</span><span class="p">;</span> <span class="kn">otel_trace</span> <span class="no">on</span><span class="p">;</span> <span class="kn">otel_trace_context</span> <span class="s">propagate</span><span class="p">;</span> <span class="c1"># injects traceparent into upstream request</span> <span class="kn">server</span> <span class="p">{</span> <span class="kn">location</span> <span class="n">/api/</span> <span class="p">{</span> <span class="kn">otel_trace</span> <span class="no">on</span><span class="p">;</span> <span class="kn">otel_span_name</span> <span class="s">"</span><span class="nv">$request_method</span> <span class="nv">$uri</span><span class="s">"</span><span class="p">;</span> <span class="kn">otel_span_attr</span> <span class="s">http.method</span> <span class="nv">$request_method</span><span class="p">;</span> <span class="kn">otel_span_attr</span> <span class="s">http.url</span> <span class="nv">$uri</span><span class="p">;</span> <span class="kn">otel_span_attr</span> <span class="s">http.status</span> <span class="nv">$status</span><span class="p">;</span> <span class="kn">proxy_pass</span> <span class="s">http://backend</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Layer 2 — Application Services (Auto-Instrumented) </h3> <p>OTEL Java agent auto-instruments every JDBC query. For ClickHouse queries, pass the context explicitly:</p> <h4> Python — Tracing ClickHouse Queries </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">opentelemetry</span> <span class="kn">import</span> <span class="n">trace</span> <span class="kn">from</span> <span class="n">opentelemetry.propagate</span> <span class="kn">import</span> <span class="n">inject</span> <span class="kn">import</span> <span class="n">clickhouse_connect</span> <span class="n">tracer</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer</span><span class="p">(</span><span class="sh">"</span><span class="s">trading-service</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_user_risk_profile</span><span class="p">(</span><span class="n">username</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">clickhouse.mart_user_risk_profile</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">db.system</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">clickhouse</span><span class="sh">"</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">db.name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">marts</span><span class="sh">"</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">db.operation</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">SELECT</span><span class="sh">"</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">db.statement</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">SELECT * FROM mart_user_risk_profile WHERE username = ?</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Inject current trace context into ClickHouse HTTP headers </span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{}</span> <span class="nf">inject</span><span class="p">(</span><span class="n">headers</span><span class="p">)</span> <span class="n">client</span> <span class="o">=</span> <span class="n">clickhouse_connect</span><span class="p">.</span><span class="nf">get_client</span><span class="p">(</span> <span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">clickhouse</span><span class="sh">"</span><span class="p">,</span> <span class="n">http_headers</span><span class="o">=</span><span class="n">headers</span> <span class="c1"># ClickHouse reads traceparent from here </span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT * FROM mart_user_risk_profile WHERE username = {username:String}</span><span class="sh">"</span><span class="p">,</span> <span class="n">parameters</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="n">username</span><span class="p">}</span> <span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">db.rows_returned</span><span class="sh">"</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">result_rows</span><span class="p">))</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="n">result_rows</span> </code></pre> </div> <h4> Go — Tracing ClickHouse Queries </h4> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/ClickHouse/clickhouse-go/v2"</span> <span class="s">"go.opentelemetry.io/otel"</span> <span class="s">"go.opentelemetry.io/otel/attribute"</span> <span class="p">)</span> <span class="n">tracer</span> <span class="o">:=</span> <span class="n">otel</span><span class="o">.</span><span class="n">Tracer</span><span class="p">(</span><span class="s">"trading-service"</span><span class="p">)</span> <span class="k">func</span> <span class="n">getTopTraders</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">([]</span><span class="n">Trader</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">span</span> <span class="o">:=</span> <span class="n">tracer</span><span class="o">.</span><span class="n">Start</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"clickhouse.mart_trades_futures"</span><span class="p">)</span> <span class="k">defer</span> <span class="n">span</span><span class="o">.</span><span class="n">End</span><span class="p">()</span> <span class="n">span</span><span class="o">.</span><span class="n">SetAttributes</span><span class="p">(</span> <span class="n">attribute</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="s">"db.system"</span><span class="p">,</span> <span class="s">"clickhouse"</span><span class="p">),</span> <span class="n">attribute</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="s">"db.operation"</span><span class="p">,</span> <span class="s">"SELECT"</span><span class="p">),</span> <span class="n">attribute</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="s">"db.statement"</span><span class="p">,</span> <span class="s">"SELECT username, SUM(quantity*price) FROM mart_trades_futures ..."</span><span class="p">),</span> <span class="p">)</span> <span class="c">// clickhouse-go/v2 propagates ctx trace headers automatically</span> <span class="n">conn</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">clickhouse</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="o">&amp;</span><span class="n">clickhouse</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">Addr</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"clickhouse:9000"</span><span class="p">},</span> <span class="p">})</span> <span class="n">rows</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">conn</span><span class="o">.</span><span class="n">QueryContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">` SELECT username, SUM(quantity * price) as volume FROM mart_trades_futures WHERE transaction_time &gt;= today() GROUP BY username ORDER BY volume DESC LIMIT 10 `</span><span class="p">)</span> <span class="k">return</span> <span class="n">parseRows</span><span class="p">(</span><span class="n">rows</span><span class="p">),</span> <span class="n">err</span> <span class="p">}</span> </code></pre> </div> <h3> Layer 3 — ClickHouse Native Tracing </h3> <p>ClickHouse reads the <code>traceparent</code> header from every query and emits its own internal spans to <code>system.opentelemetry_span_log</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- ClickHouse internal spans for a specific trace</span> <span class="k">SELECT</span> <span class="n">trace_id</span><span class="p">,</span> <span class="n">span_id</span><span class="p">,</span> <span class="n">parent_span_id</span><span class="p">,</span> <span class="n">operation_name</span><span class="p">,</span> <span class="p">(</span><span class="n">finish_time_us</span> <span class="o">-</span> <span class="n">start_time_us</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1000</span> <span class="k">AS</span> <span class="n">duration_ms</span><span class="p">,</span> <span class="n">attribute</span><span class="p">[</span><span class="s1">'clickhouse.query'</span><span class="p">]</span> <span class="k">AS</span> <span class="n">sql_query</span> <span class="k">FROM</span> <span class="k">system</span><span class="p">.</span><span class="n">opentelemetry_span_log</span> <span class="k">WHERE</span> <span class="n">trace_id</span> <span class="o">=</span> <span class="s1">'4bf92f3577b34da6a3ce929d0e0e4736'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">start_time_us</span><span class="p">;</span> </code></pre> </div> <p>Export these to <code>otel_traces</code> via a materialized view so they appear in Grafana alongside app spans:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Auto-export ClickHouse internal spans to otel_traces</span> <span class="k">CREATE</span> <span class="n">MATERIALIZED</span> <span class="k">VIEW</span> <span class="n">otel</span><span class="p">.</span><span class="n">clickhouse_spans_mv</span> <span class="k">TO</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_traces</span> <span class="k">AS</span> <span class="k">SELECT</span> <span class="n">fromUnixTimestamp64Micro</span><span class="p">(</span><span class="n">start_time_us</span><span class="p">)</span> <span class="k">AS</span> <span class="nb">Timestamp</span><span class="p">,</span> <span class="k">lower</span><span class="p">(</span><span class="n">hex</span><span class="p">(</span><span class="n">trace_id</span><span class="p">))</span> <span class="k">AS</span> <span class="n">TraceId</span><span class="p">,</span> <span class="k">lower</span><span class="p">(</span><span class="n">hex</span><span class="p">(</span><span class="n">span_id</span><span class="p">))</span> <span class="k">AS</span> <span class="n">SpanId</span><span class="p">,</span> <span class="k">lower</span><span class="p">(</span><span class="n">hex</span><span class="p">(</span><span class="n">parent_span_id</span><span class="p">))</span> <span class="k">AS</span> <span class="n">ParentSpanId</span><span class="p">,</span> <span class="s1">''</span> <span class="k">AS</span> <span class="n">TraceState</span><span class="p">,</span> <span class="n">operation_name</span> <span class="k">AS</span> <span class="n">SpanName</span><span class="p">,</span> <span class="s1">'SPAN_KIND_SERVER'</span> <span class="k">AS</span> <span class="n">SpanKind</span><span class="p">,</span> <span class="s1">'clickhouse'</span> <span class="k">AS</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="k">map</span><span class="p">()</span> <span class="k">AS</span> <span class="n">ResourceAttributes</span><span class="p">,</span> <span class="n">attribute</span> <span class="k">AS</span> <span class="n">SpanAttributes</span><span class="p">,</span> <span class="p">(</span><span class="n">finish_time_us</span> <span class="o">-</span> <span class="n">start_time_us</span><span class="p">)</span> <span class="o">*</span> <span class="mi">1000</span> <span class="k">AS</span> <span class="n">Duration</span><span class="p">,</span> <span class="c1">-- convert to nanoseconds</span> <span class="s1">'STATUS_CODE_OK'</span> <span class="k">AS</span> <span class="n">StatusCode</span><span class="p">,</span> <span class="s1">''</span> <span class="k">AS</span> <span class="n">StatusMessage</span><span class="p">,</span> <span class="p">[]</span> <span class="k">AS</span> <span class="nv">`Events.Timestamp`</span><span class="p">,</span> <span class="p">[]</span> <span class="k">AS</span> <span class="nv">`Events.Name`</span><span class="p">,</span> <span class="p">[]</span> <span class="k">AS</span> <span class="nv">`Events.Attributes`</span><span class="p">,</span> <span class="p">[]</span> <span class="k">AS</span> <span class="nv">`Links.TraceId`</span><span class="p">,</span> <span class="p">[]</span> <span class="k">AS</span> <span class="nv">`Links.SpanId`</span><span class="p">,</span> <span class="p">[]</span> <span class="k">AS</span> <span class="nv">`Links.TraceState`</span><span class="p">,</span> <span class="p">[]</span> <span class="k">AS</span> <span class="nv">`Links.Attributes`</span> <span class="k">FROM</span> <span class="k">system</span><span class="p">.</span><span class="n">opentelemetry_span_log</span><span class="p">;</span> </code></pre> </div> <h3> What a Full Trace Looks Like in ClickHouse </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Full waterfall for a single trade request</span> <span class="k">SELECT</span> <span class="n">SpanName</span><span class="p">,</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="n">Duration</span> <span class="o">/</span> <span class="mi">1</span><span class="n">e6</span> <span class="k">AS</span> <span class="n">duration_ms</span><span class="p">,</span> <span class="n">SpanAttributes</span><span class="p">[</span><span class="s1">'http.method'</span><span class="p">]</span> <span class="k">AS</span> <span class="n">http_method</span><span class="p">,</span> <span class="n">SpanAttributes</span><span class="p">[</span><span class="s1">'http.route'</span><span class="p">]</span> <span class="k">AS</span> <span class="n">route</span><span class="p">,</span> <span class="n">SpanAttributes</span><span class="p">[</span><span class="s1">'db.statement'</span><span class="p">]</span> <span class="k">AS</span> <span class="k">sql</span><span class="p">,</span> <span class="n">SpanAttributes</span><span class="p">[</span><span class="s1">'db.rows_affected'</span><span class="p">]</span> <span class="k">AS</span> <span class="k">rows</span><span class="p">,</span> <span class="n">StatusCode</span><span class="p">,</span> <span class="nb">Timestamp</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_traces</span> <span class="k">WHERE</span> <span class="n">TraceId</span> <span class="o">=</span> <span class="s1">'4bf92f3577b34da6a3ce929d0e0e4736'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">Timestamp</span> <span class="k">ASC</span><span class="p">;</span> </code></pre> </div> <p><strong>Result — full waterfall in one query:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SpanName Service duration_ms ────────────────────────────── ──────────────────── ─────────── http.server POST /api/trade api-gateway 245.3 ms └─ trade.execute trading-service 241.1 ms ├─ db.query (risk check) trading-service 18.4 ms ← SELECT mart_user_risk_profile ├─ db.query (insert trade) trading-service 4.2 ms ← INSERT INTO mart_trades_futures ├─ SELECT (internal CH) clickhouse 3.1 ms ← ClickHouse internal span └─ kafka.produce trading-service 2.1 ms </code></pre> </div> <h2> 8. Full-Text Log Search — Replacing Kibana Discover </h2> <h3> Updated Position — ClickHouse Now Competitive on Full-Text Search </h3> <p>Full-text search used to be the primary reason to keep Elasticsearch. ClickHouse has significantly closed this gap with a <strong>new <code>text</code> index type</strong> that works natively on object storage (S3) with the same performance as local disk — removing the last major technical advantage Elasticsearch held.</p> <blockquote> <p>Reference: <a href="https://clickhouse.com/blog/clickhouse-full-text-search-object-storage" rel="noopener noreferrer">ClickHouse Full-Text Search on Object Storage</a></p> </blockquote> <h3> New <code>text</code> Index — How to Add It to otel_logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Add the new text index to the Body column</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">ADD</span> <span class="k">INDEX</span> <span class="n">body_text_idx</span><span class="p">(</span><span class="n">Body</span><span class="p">)</span> <span class="k">TYPE</span> <span class="nb">text</span><span class="p">(</span><span class="n">tokenizer</span> <span class="o">=</span> <span class="s1">'splitByNonAlpha'</span><span class="p">,</span> <span class="n">preprocessor</span> <span class="o">=</span> <span class="k">lower</span><span class="p">(</span><span class="n">Body</span><span class="p">))</span> <span class="n">GRANULARITY</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">-- Materialize the index on existing data</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="n">MATERIALIZE</span> <span class="k">INDEX</span> <span class="n">body_text_idx</span><span class="p">;</span> </code></pre> </div> <p><strong>What the <code>text</code> index supports:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Function</th> <th>Example</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td><code>hasToken</code></td> <td><code>hasToken(Body, 'OutOfMemoryError')</code></td> <td>Exact token match — fastest</td> </tr> <tr> <td><code>hasAllTokens</code></td> <td><code>hasAllTokens(Body, ['trade', 'failed'])</code></td> <td>All tokens must appear</td> </tr> <tr> <td><code>hasAnyTokens</code></td> <td><code>hasAnyTokens(Body, ['ERROR', 'FATAL'])</code></td> <td>Any token match</td> </tr> <tr> <td><code>LIKE</code></td> <td><code>Body LIKE '%OutOfMemoryError%'</code></td> <td>Wildcard match</td> </tr> <tr> <td><code>startsWith</code></td> <td><code>startsWith(Body, 'WARN')</code></td> <td>Prefix match</td> </tr> <tr> <td> <code>match</code> (regex)</td> <td><code>match(Body, 'user_[0-9]+')</code></td> <td>Regex search</td> </tr> </tbody> </table></div> <p><strong>Performance:</strong> 7.4x speedup vs full table scan on text search (ClickHouse benchmark, 10M rows with array tags).</p> <p><strong>Why it works on S3:</strong> The index uses sequential dictionary reads with front-coding compression — no random I/O, which is the key constraint on object storage. 94.5% of tokens appear in ≤6 rows, so embedded posting lists handle the vast majority of lookups without reading large posting lists.</p> <blockquote> <p><strong>Real-world proof point — gitTrends:</strong> ClickHouse's own reference demo (<a href="https://github.com/ClickHouse/gitTrends" rel="noopener noreferrer">github.com/ClickHouse/gitTrends</a>) searches <strong>10 billion+ GitHub events</strong> using <code>hasToken()</code> on a <code>body</code> text index — the exact same pattern used for log search here. The app lets users compare FTS index vs bloom-filter skip index vs full table scan in real time, with live row-scan counters streamed from ClickHouse. Sub-second queries at 10B rows validate the production viability of <code>hasToken()</code> for high-volume text search workloads.</p> </blockquote> <h3> How ClickHouse Handles Log Search </h3> <h4> Keyword Search — New <code>text</code> index (preferred) </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Uses new text index — 7.4x faster than full scan</span> <span class="k">SELECT</span> <span class="nb">Timestamp</span><span class="p">,</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="n">SeverityText</span><span class="p">,</span> <span class="n">Body</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">WHERE</span> <span class="n">hasToken</span><span class="p">(</span><span class="n">Body</span><span class="p">,</span> <span class="s1">'OutOfMemoryError'</span><span class="p">)</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="mi">1</span> <span class="n">HOUR</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">Timestamp</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">100</span><span class="p">;</span> <span class="c1">-- LIKE also uses the text index automatically</span> <span class="k">SELECT</span> <span class="nb">Timestamp</span><span class="p">,</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="n">SeverityText</span><span class="p">,</span> <span class="n">Body</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">WHERE</span> <span class="n">Body</span> <span class="k">LIKE</span> <span class="s1">'%OutOfMemoryError%'</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="mi">1</span> <span class="n">HOUR</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">Timestamp</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">100</span><span class="p">;</span> </code></pre> </div> <h4> Exact TraceId Lookup (bloom filter) </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Near O(1) — bloom_filter index makes this very fast</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">WHERE</span> <span class="n">TraceId</span> <span class="o">=</span> <span class="s1">'abc123def456'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">Timestamp</span><span class="p">;</span> </code></pre> </div> <h4> Structured Attribute Search </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Filter on OTEL log attributes — common in structured logging</span> <span class="k">SELECT</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="k">count</span><span class="p">()</span> <span class="k">AS</span> <span class="n">error_count</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">WHERE</span> <span class="n">LogAttributes</span><span class="p">[</span><span class="s1">'http.status_code'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'500'</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">today</span><span class="p">()</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">ServiceName</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">error_count</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <h4> Multi-Condition Log Search (most common Kibana query) </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- "All ERROR logs from trading-service in last 2 hours that mention user_id"</span> <span class="k">SELECT</span> <span class="nb">Timestamp</span><span class="p">,</span> <span class="n">SeverityText</span><span class="p">,</span> <span class="n">Body</span><span class="p">,</span> <span class="n">LogAttributes</span><span class="p">[</span><span class="s1">'user_id'</span><span class="p">]</span> <span class="k">AS</span> <span class="n">user_id</span><span class="p">,</span> <span class="n">LogAttributes</span><span class="p">[</span><span class="s1">'error_code'</span><span class="p">]</span> <span class="k">AS</span> <span class="n">error_code</span><span class="p">,</span> <span class="n">TraceId</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">WHERE</span> <span class="n">ServiceName</span> <span class="o">=</span> <span class="s1">'trading-service'</span> <span class="k">AND</span> <span class="n">SeverityText</span> <span class="o">=</span> <span class="s1">'ERROR'</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="mi">2</span> <span class="n">HOUR</span> <span class="k">AND</span> <span class="n">hasToken</span><span class="p">(</span><span class="n">Body</span><span class="p">,</span> <span class="s1">'user_id'</span><span class="p">)</span> <span class="c1">-- uses text index</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">Timestamp</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">200</span><span class="p">;</span> </code></pre> </div> <h4> Case-Insensitive Search (preprocessor) </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- The text index preprocessor lowercases at index time — search is case-insensitive</span> <span class="k">SELECT</span> <span class="nb">Timestamp</span><span class="p">,</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="n">Body</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">WHERE</span> <span class="n">hasToken</span><span class="p">(</span><span class="k">lower</span><span class="p">(</span><span class="n">Body</span><span class="p">),</span> <span class="s1">'outofmemoryerror'</span><span class="p">)</span> <span class="c1">-- matches OOM, oom, Oom, etc.</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="mi">1</span> <span class="n">HOUR</span><span class="p">;</span> </code></pre> </div> <h3> Full-Text Search Comparison — Updated </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Query Type</th> <th>Elasticsearch</th> <th>ClickHouse</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Exact token match (<code>hasToken</code>)</td> <td>~10ms</td> <td><strong>~15-30ms</strong></td> <td>Near-comparable with text index</td> </tr> <tr> <td>Keyword search (<code>LIKE</code>)</td> <td>~10ms</td> <td><strong>~20-50ms</strong></td> <td>text index — 7.4x faster than scan</td> </tr> <tr> <td>Structured attribute filter</td> <td>~50ms</td> <td>~5-20ms</td> <td>CH wins (columnar)</td> </tr> <tr> <td>Aggregation (error count by service)</td> <td>~200ms-2s</td> <td>~10-50ms</td> <td>CH wins significantly</td> </tr> <tr> <td>Time-range + service filter</td> <td>~100ms</td> <td>~10-30ms</td> <td>CH wins (partition pruning)</td> </tr> <tr> <td>TraceId lookup</td> <td>~10ms</td> <td>~20-50ms</td> <td>Comparable (bloom filter)</td> </tr> <tr> <td>Free-text fuzzy search</td> <td>Excellent</td> <td>Good (regex via <code>match()</code>)</td> <td>ES still leads for fuzzy</td> </tr> <tr> <td>Search on S3/object storage</td> <td>Degraded (SSD required)</td> <td><strong>Full speed on S3</strong></td> <td>CH advantage — no SSD needed</td> </tr> </tbody> </table></div> <p><strong>Bottom line:</strong> ~95% of observability queries are structured (service + time + severity + attribute) — ClickHouse wins on all of those. For the remaining ~5% requiring keyword search in log bodies, the new <code>text</code> index brings ClickHouse to near-Elasticsearch performance. The only remaining ES advantage is fuzzy/phrase search, which is rarely needed for structured application logs.</p> <p><strong>Coming soon in ClickHouse:</strong> phrase search (position-aware token matching) and JSON column indexing — which will close the remaining gap further.</p> <h2> 9. Visualization — Grafana Replaces Kibana </h2> <h3> Setup </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install ClickHouse datasource plugin</span> grafana-cli plugins <span class="nb">install </span>grafana-clickhouse-datasource <span class="c"># Or in docker-compose:</span> environment: - <span class="nv">GF_INSTALL_PLUGINS</span><span class="o">=</span>grafana-clickhouse-datasource </code></pre> </div> <h3> Datasource Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># grafana/provisioning/datasources/clickhouse.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="m">1</span> <span class="na">datasources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ClickHouse-OTEL</span> <span class="na">type</span><span class="pi">:</span> <span class="s">grafana-clickhouse-datasource</span> <span class="na">uid</span><span class="pi">:</span> <span class="s">clickhouse-otel</span> <span class="na">jsonData</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">clickhouse</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9000</span> <span class="na">database</span><span class="pi">:</span> <span class="s">otel</span> <span class="na">username</span><span class="pi">:</span> <span class="s">grafana_readonly</span> <span class="na">secureJsonData</span><span class="pi">:</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${GRAFANA_CH_PASSWORD}</span> </code></pre> </div> <h3> Key Dashboards to Build </h3> <h4> 1. Service Health Overview </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Error rate per service — last 1 hour, 1-minute buckets</span> <span class="k">SELECT</span> <span class="n">toStartOfMinute</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="nb">time</span><span class="p">,</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="n">countIf</span><span class="p">(</span><span class="n">SeverityText</span> <span class="o">=</span> <span class="s1">'ERROR'</span><span class="p">)</span> <span class="k">AS</span> <span class="n">errors</span><span class="p">,</span> <span class="k">count</span><span class="p">()</span> <span class="k">AS</span> <span class="n">total</span><span class="p">,</span> <span class="n">errors</span> <span class="o">/</span> <span class="n">total</span> <span class="o">*</span> <span class="mi">100</span> <span class="k">AS</span> <span class="n">error_rate_pct</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">WHERE</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="mi">1</span> <span class="n">HOUR</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="nb">time</span><span class="p">,</span> <span class="n">ServiceName</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">time</span> <span class="k">ASC</span><span class="p">;</span> </code></pre> </div> <h4> 2. Latency Distribution (P50 / P95 / P99) </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- HTTP endpoint latency percentiles — last 30 minutes</span> <span class="k">SELECT</span> <span class="n">SpanAttributes</span><span class="p">[</span><span class="s1">'http.route'</span><span class="p">]</span> <span class="k">AS</span> <span class="n">endpoint</span><span class="p">,</span> <span class="n">quantile</span><span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">50</span><span class="p">)(</span><span class="n">Duration</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1</span><span class="n">e6</span> <span class="k">AS</span> <span class="n">p50_ms</span><span class="p">,</span> <span class="n">quantile</span><span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">95</span><span class="p">)(</span><span class="n">Duration</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1</span><span class="n">e6</span> <span class="k">AS</span> <span class="n">p95_ms</span><span class="p">,</span> <span class="n">quantile</span><span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">99</span><span class="p">)(</span><span class="n">Duration</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1</span><span class="n">e6</span> <span class="k">AS</span> <span class="n">p99_ms</span><span class="p">,</span> <span class="k">count</span><span class="p">()</span> <span class="k">AS</span> <span class="n">request_count</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_traces</span> <span class="k">WHERE</span> <span class="n">SpanKind</span> <span class="o">=</span> <span class="s1">'SPAN_KIND_SERVER'</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="mi">30</span> <span class="k">MINUTE</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">endpoint</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">p99_ms</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <h4> 3. Slowest Database Queries </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Slowest ClickHouse queries in last 1 hour</span> <span class="k">SELECT</span> <span class="n">SpanAttributes</span><span class="p">[</span><span class="s1">'db.statement'</span><span class="p">]</span> <span class="k">AS</span> <span class="k">sql</span><span class="p">,</span> <span class="k">count</span><span class="p">()</span> <span class="k">AS</span> <span class="n">calls</span><span class="p">,</span> <span class="k">avg</span><span class="p">(</span><span class="n">Duration</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1</span><span class="n">e6</span> <span class="k">AS</span> <span class="n">avg_ms</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="n">Duration</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1</span><span class="n">e6</span> <span class="k">AS</span> <span class="n">max_ms</span><span class="p">,</span> <span class="n">quantile</span><span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">99</span><span class="p">)(</span><span class="n">Duration</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1</span><span class="n">e6</span> <span class="k">AS</span> <span class="n">p99_ms</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_traces</span> <span class="k">WHERE</span> <span class="n">SpanAttributes</span><span class="p">[</span><span class="s1">'db.system'</span><span class="p">]</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'clickhouse'</span><span class="p">,</span> <span class="s1">'postgresql'</span><span class="p">)</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="mi">1</span> <span class="n">HOUR</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="k">sql</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">p99_ms</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span><span class="p">;</span> </code></pre> </div> <h4> 4. Log Explorer (Kibana Discover equivalent) </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Live log tail with filtering — wire to Grafana Logs panel</span> <span class="k">SELECT</span> <span class="nb">Timestamp</span><span class="p">,</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="n">SeverityText</span><span class="p">,</span> <span class="n">Body</span><span class="p">,</span> <span class="n">TraceId</span><span class="p">,</span> <span class="n">LogAttributes</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">WHERE</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="err">$</span><span class="n">__timeFrom</span><span class="p">()</span> <span class="c1">-- Grafana time variable</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&lt;=</span> <span class="err">$</span><span class="n">__timeTo</span><span class="p">()</span> <span class="k">AND</span> <span class="n">ServiceName</span> <span class="o">=</span> <span class="s1">'$service'</span> <span class="c1">-- Grafana template variable</span> <span class="k">AND</span> <span class="n">SeverityText</span> <span class="k">IN</span> <span class="p">(</span><span class="err">$</span><span class="n">severity</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">Timestamp</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">1000</span><span class="p">;</span> </code></pre> </div> <h4> 5. Distributed Trace Waterfall </h4> <p>Configure Grafana Explore → Traces with ClickHouse datasource:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Config Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Table</td> <td>otel.otel_traces</td> </tr> <tr> <td>TraceID column</td> <td>TraceId</td> </tr> <tr> <td>SpanID column</td> <td>SpanId</td> </tr> <tr> <td>Parent SpanID</td> <td>ParentSpanId</td> </tr> <tr> <td>Start time</td> <td>Timestamp</td> </tr> <tr> <td>Duration</td> <td>Duration (nanoseconds)</td> </tr> <tr> <td>Service name</td> <td>ServiceName</td> </tr> <tr> <td>Operation name</td> <td>SpanName</td> </tr> </tbody> </table></div> <p>Click any log line with a TraceId → jump directly to full trace waterfall.</p> <h3> Correlating Logs + Traces + Business Data in Grafana </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Grafana panel: "Affected users for errors in selected time range"</span> <span class="c1">-- This is impossible in Kibana — requires joining log data with business data</span> <span class="k">SELECT</span> <span class="n">l</span><span class="p">.</span><span class="n">LogAttributes</span><span class="p">[</span><span class="s1">'user_id'</span><span class="p">]</span> <span class="k">AS</span> <span class="n">user_id</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">kyc_status</span><span class="p">,</span> <span class="k">count</span><span class="p">()</span> <span class="k">AS</span> <span class="n">error_count</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="n">l</span><span class="p">.</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">last_error</span> <span class="k">FROM</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="n">l</span> <span class="k">JOIN</span> <span class="n">marts</span><span class="p">.</span><span class="n">mart_users</span> <span class="n">u</span> <span class="k">ON</span> <span class="n">l</span><span class="p">.</span><span class="n">LogAttributes</span><span class="p">[</span><span class="s1">'user_id'</span><span class="p">]</span> <span class="o">=</span> <span class="n">u</span><span class="p">.</span><span class="n">username</span> <span class="k">WHERE</span> <span class="n">l</span><span class="p">.</span><span class="n">ServiceName</span> <span class="o">=</span> <span class="s1">'$service'</span> <span class="k">AND</span> <span class="n">l</span><span class="p">.</span><span class="n">SeverityText</span> <span class="o">=</span> <span class="s1">'ERROR'</span> <span class="k">AND</span> <span class="n">l</span><span class="p">.</span><span class="nb">Timestamp</span> <span class="k">BETWEEN</span> <span class="err">$</span><span class="n">__timeFrom</span><span class="p">()</span> <span class="k">AND</span> <span class="err">$</span><span class="n">__timeTo</span><span class="p">()</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">user_id</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">kyc_status</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">error_count</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">50</span><span class="p">;</span> </code></pre> </div> <h3> Grafana Plugin — Upcoming Features </h3> <blockquote> <p>These are confirmed items being prototyped by the ClickHouse Grafana plugin team — not yet shipped. Reference: <a href="https://clickhouse.com/blog/grafana-plugin-vision" rel="noopener noreferrer">Our Vision for the ClickHouse Grafana Plugin</a></p> </blockquote> <p><strong>1. Deployment &amp; K8s Annotation Presets</strong></p> <p>Grafana annotations are vertical markers on time-series panels that flag notable events. The plugin will generate these automatically from OTel data — no manual query writing:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Preset</th> <th>Source</th> <th>What it surfaces</th> </tr> </thead> <tbody> <tr> <td>Deployment detection</td> <td> <code>ResourceAttributes['service.version']</code> change</td> <td>Service version change / rollback markers on dashboards</td> </tr> <tr> <td>K8s lifecycle events</td> <td>OTel resource attributes</td> <td>Pod restarts, OOM kills, autoscaling events</td> </tr> </tbody> </table></div> <p>For a crypto exchange: deploy a new trading-service version → the timestamp appears as a marker on all latency/error dashboards automatically. Immediately answers "did this error spike start at deployment?"</p> <p><strong>2. JWT Per-User Query Identity</strong></p> <p>Currently, all Grafana users share a single ClickHouse datasource credential. The roadmap item forwards each Grafana user's JWT identity to ClickHouse, enabling:</p> <ul> <li> <strong>Row-level access control</strong> based on actual user identity — compliance team sees only compliance-relevant tables, risk team sees risk tables</li> <li> <strong>Per-user audit trail</strong> in ClickHouse query log — every dashboard query is attributed to a named person, not a shared service account</li> <li> <strong>Per-user cost tracking</strong> — token/compute cost per team member</li> </ul> <p>This closes the gap between Kibana's per-user access model and the current Grafana/ClickHouse setup.</p> <p><strong>3. Visual Metrics Builder (OTel Map Column Support)</strong></p> <p>OTel metrics (CPU, memory, network I/O) currently require writing SQL aggregation queries by hand. The upcoming metrics builder provides:</p> <ul> <li>Select metric name from a dropdown (populated from the <code>otel_metrics</code> table)</li> <li>Choose aggregation (sum, avg, max, p99)</li> <li>Add group-by dimensions</li> </ul> <p>The key improvement: OTel uses Map-type columns (<code>ResourceAttributes</code>, <code>LogAttributes</code>) containing key-value pairs. The builder will expose a <strong>key picker</strong> so users can filter on <code>ResourceAttributes['k8s.namespace.name']</code> or <code>ResourceAttributes['host.name']</code> without writing bracket notation. Makes infrastructure metrics explorable without SQL.</p> <p><strong>4. Out-of-the-Box OTel + K8s Dashboards</strong></p> <p>The plugin will ship importable JSON dashboards covering:</p> <ul> <li>Log volume by severity with per-service breakdown</li> <li>Trace duration distribution and service dependency map</li> <li>Per-service RED metrics (request rate, error rate, duration)</li> <li>Top spans visibility</li> <li>Kubernetes observability (namespaces, pods, nodes)</li> </ul> <p>Goal: <strong>from data ingestion to usable dashboards in minutes</strong>, not hours of manual panel building.</p> <p><strong>5. Compact Search-First Mode</strong></p> <p>A new query mode resembling the ClickStack UI — a search bar with filter pills, no SQL required for common tasks:</p> <ul> <li>Click <code>+</code> / <code>-</code> on any field value in a log detail panel to instantly add include/exclude filters</li> <li>Select text within a log body to add a "line contains" full-text filter (backed by <code>hasToken()</code>)</li> <li>Facet autocomplete for column names, operators, and values</li> <li>SQL preview pane shows the generated query live — "Edit as SQL" button opens the editor pre-populated</li> </ul> <p>Aimed at operators and on-call engineers who need to investigate quickly without knowing ClickHouse SQL.</p> <h2> 10. Data Retention &amp; Tiered Storage </h2> <h3> The Cost Driver — Retention × Volume </h3> <p>Elasticsearch cost is roughly: <code>daily_volume_GB × retention_days × cost_per_GB_per_day</code></p> <p>ClickHouse changes the equation at two levels:</p> <ol> <li> <strong>Compression:</strong> 1TB of raw logs → ~200GB in ClickHouse (<strong>5x smaller</strong> end-to-end; 16x on column files — ClickHouse/TextBench)</li> <li> <strong>Tiered storage:</strong> Hot recent data on SSD, cold older data on cheap S3</li> </ol> <h3> TTL — Simple One-Line Retention </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Delete logs older than 90 days — runs automatically in background</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">MODIFY</span> <span class="n">TTL</span> <span class="n">toDateTime</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">90</span> <span class="k">DAY</span><span class="p">;</span> <span class="c1">-- Different retention per severity</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">MODIFY</span> <span class="n">TTL</span> <span class="n">toDateTime</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">7</span> <span class="k">DAY</span> <span class="c1">-- default: 7 days</span> <span class="n">OVERRIDE</span> <span class="k">WHERE</span> <span class="n">SeverityText</span> <span class="o">=</span> <span class="s1">'ERROR'</span><span class="p">,</span> <span class="c1">-- errors: 90 days</span> <span class="n">toDateTime</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">90</span> <span class="k">DAY</span> <span class="k">WHERE</span> <span class="n">SeverityText</span> <span class="o">=</span> <span class="s1">'ERROR'</span><span class="p">,</span> <span class="n">toDateTime</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">365</span> <span class="k">DAY</span> <span class="k">WHERE</span> <span class="n">SeverityText</span> <span class="o">=</span> <span class="s1">'CRITICAL'</span><span class="p">;</span> </code></pre> </div> <h3> Tiered Storage — Hot/Cold/Archive </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Storage policy: SSD (0-7 days) → S3 (7-90 days) → delete (90+ days)</span> <span class="c1">-- Define in storage_configuration in config.xml:</span> <span class="c1">-- hot: /var/lib/clickhouse/data (local SSD, fast)</span> <span class="c1">-- cold: s3://clickhouse-cold-tier/ (S3, cheap)</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">otel</span><span class="p">.</span><span class="n">otel_logs</span> <span class="k">MODIFY</span> <span class="n">TTL</span> <span class="n">toDateTime</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">7</span> <span class="k">DAY</span> <span class="k">TO</span> <span class="n">VOLUME</span> <span class="s1">'cold'</span><span class="p">,</span> <span class="c1">-- move to S3</span> <span class="n">toDateTime</span><span class="p">(</span><span class="nb">Timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="n">INTERVAL</span> <span class="mi">90</span> <span class="k">DAY</span> <span class="k">DELETE</span><span class="p">;</span> <span class="c1">-- delete</span> </code></pre> </div> <h3> Storage Comparison </h3> <p>Real benchmark numbers from ClickHouse/TextBench (identical hardware: AWS m6i.8xlarge, OTEL log data):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Dataset</th> <th>Elasticsearch</th> <th>ClickHouse</th> <th>Ratio</th> </tr> </thead> <tbody> <tr> <td>1B rows</td> <td>245 GB</td> <td>49 GB</td> <td><strong>5x smaller</strong></td> </tr> <tr> <td>10B rows</td> <td>~1.2 TB</td> <td>~245 GB</td> <td><strong>5x smaller</strong></td> </tr> <tr> <td>50B rows</td> <td>12 TB</td> <td>2.4 TB</td> <td><strong>5x smaller</strong></td> </tr> <tr> <td>Column file compression</td> <td>—</td> <td><strong>16x</strong></td> <td>—</td> </tr> </tbody> </table></div> <h3> Why Elasticsearch Uses 5x More Storage — Component Breakdown </h3> <p>The 5x gap is not just compression. It comes from four on-disk structures that Elasticsearch maintains but ClickHouse either handles more efficiently or doesn't need at all (at 50B rows):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Storage Component</th> <th>Elasticsearch</th> <th>ClickHouse</th> <th>Why the difference</th> </tr> </thead> <tbody> <tr> <td>Columnar storage (doc_values / column files)</td> <td>5.02 TiB</td> <td>1.92 TiB</td> <td>CH chains codecs per column (Delta+ZSTD, GCD) vs ES generic compression</td> </tr> <tr> <td>Inverted index</td> <td>3.37 TiB</td> <td>515 GiB</td> <td>CH inverted index is designed for analytics granules, not Lucene doc IDs</td> </tr> <tr> <td>Stored fields (<code>_source</code>)</td> <td><strong>3.00 TiB</strong></td> <td><strong>0</strong></td> <td>ES stores original JSON to reconstruct documents; CH reconstructs from columns directly</td> </tr> <tr> <td>Points + norms (BKD trees, relevance scoring)</td> <td><strong>617 GiB</strong></td> <td><strong>0</strong></td> <td>ES maintains numeric range indexes and per-doc relevance weights; CH uses sparse primary index (320 MiB)</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>12.01 TiB</strong></td> <td><strong>2.43 TiB</strong></td> <td><strong>5x smaller</strong></td> </tr> </tbody> </table></div> <p><strong>The two biggest drivers of Elasticsearch's overhead:</strong></p> <ul> <li> <code>_source</code> (3 TiB) — a near-complete second copy of all log data stored as compressed JSON so Elasticsearch can reconstruct the original document on retrieval. ClickHouse has no equivalent because it reconstructs rows directly from individual column files.</li> <li>Points + norms (617 GiB) — BKD-tree numeric range indexes and per-document relevance scoring metadata. Useful for web search ranking; irrelevant for observability queries. ClickHouse's entire sparse primary index for 50B rows is 320 MiB.</li> </ul> <p><strong>Ingestion speed (50B rows):</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>System</th> <th>Time</th> </tr> </thead> <tbody> <tr> <td>ClickHouse</td> <td><strong>Under 4 hours</strong></td> </tr> <tr> <td>Elasticsearch</td> <td> <strong>~5 days</strong> (after pipeline tuning)</td> </tr> </tbody> </table></div> <p><strong>Estimated storage at this scale:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Elasticsearch</th> <th>ClickHouse</th> </tr> </thead> <tbody> <tr> <td>90-day retention</td> <td>~9TB on SSD</td> <td>~1.8TB on SSD (or much less on S3)</td> </tr> <tr> <td>1-year retention</td> <td>~36TB</td> <td>~7TB on S3 (cheap)</td> </tr> <tr> <td>Storage cost/year</td> <td>~$100K+</td> <td>~$2-5K</td> </tr> </tbody> </table></div> <h2> 11. AI Layer — Natural Language Over Logs and Traces </h2> <h3> The Unique Advantage </h3> <p>Since ClickHouse already hosts the Agentic AI Platform (LibreChat + Qwen + MCP), observability data in the same cluster is <strong>automatically queryable via plain English</strong>. No additional setup.</p> <h3> Example AI Queries Over Logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">User</span><span class="p">:</span> <span class="nv">"Which services had the most errors in the last hour?"</span> <span class="err">→</span> <span class="k">SQL</span><span class="p">:</span> <span class="k">SELECT</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="k">count</span><span class="p">()</span> <span class="k">FROM</span> <span class="n">otel_logs</span> <span class="k">WHERE</span> <span class="n">SeverityText</span><span class="o">=</span><span class="s1">'ERROR'</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">now</span><span class="p">()</span><span class="o">-</span><span class="n">INTERVAL</span> <span class="mi">1</span> <span class="n">HOUR</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">ServiceName</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="k">count</span><span class="p">()</span> <span class="k">DESC</span> <span class="k">User</span><span class="p">:</span> <span class="nv">"Show me all traces where ClickHouse queries took more than 500ms today"</span> <span class="err">→</span> <span class="k">SQL</span><span class="p">:</span> <span class="k">SELECT</span> <span class="n">TraceId</span><span class="p">,</span> <span class="n">ServiceName</span><span class="p">,</span> <span class="n">Duration</span><span class="o">/</span><span class="mi">1</span><span class="n">e6</span> <span class="k">AS</span> <span class="n">ms</span><span class="p">,</span> <span class="n">SpanAttributes</span><span class="p">[</span><span class="s1">'db.statement'</span><span class="p">]</span> <span class="k">AS</span> <span class="k">sql</span> <span class="k">FROM</span> <span class="n">otel_traces</span> <span class="k">WHERE</span> <span class="n">SpanAttributes</span><span class="p">[</span><span class="s1">'db.system'</span><span class="p">]</span><span class="o">=</span><span class="s1">'clickhouse'</span> <span class="k">AND</span> <span class="n">Duration</span> <span class="o">&gt;</span> <span class="mi">500000000</span> <span class="k">AND</span> <span class="nb">Timestamp</span> <span class="o">&gt;=</span> <span class="n">today</span><span class="p">()</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">Duration</span> <span class="k">DESC</span> <span class="k">User</span><span class="p">:</span> <span class="nv">"Which users were affected by the trading-service errors between 2pm and 3pm today?"</span> <span class="err">→</span> <span class="k">SQL</span><span class="p">:</span> <span class="k">SELECT</span> <span class="n">l</span><span class="p">.</span><span class="n">LogAttributes</span><span class="p">[</span><span class="s1">'user_id'</span><span class="p">],</span> <span class="n">u</span><span class="p">.</span><span class="n">kyc_status</span><span class="p">,</span> <span class="k">count</span><span class="p">()</span> <span class="k">as</span> <span class="n">errors</span> <span class="k">FROM</span> <span class="n">otel_logs</span> <span class="n">l</span> <span class="k">JOIN</span> <span class="n">mart_users</span> <span class="n">u</span> <span class="k">ON</span> <span class="n">l</span><span class="p">.</span><span class="n">LogAttributes</span><span class="p">[</span><span class="s1">'user_id'</span><span class="p">]</span> <span class="o">=</span> <span class="n">u</span><span class="p">.</span><span class="n">username</span> <span class="k">WHERE</span> <span class="n">l</span><span class="p">.</span><span class="n">ServiceName</span><span class="o">=</span><span class="s1">'trading-service'</span> <span class="k">AND</span> <span class="n">l</span><span class="p">.</span><span class="n">SeverityText</span><span class="o">=</span><span class="s1">'ERROR'</span> <span class="k">AND</span> <span class="n">l</span><span class="p">.</span><span class="nb">Timestamp</span> <span class="k">BETWEEN</span> <span class="n">today</span><span class="p">()</span><span class="o">+</span><span class="n">toIntervalHour</span><span class="p">(</span><span class="mi">14</span><span class="p">)</span> <span class="k">AND</span> <span class="n">today</span><span class="p">()</span><span class="o">+</span><span class="n">toIntervalHour</span><span class="p">(</span><span class="mi">15</span><span class="p">)</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span><span class="mi">2</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">errors</span> <span class="k">DESC</span> </code></pre> </div> <p>The last query is <strong>impossible in Kibana</strong> — it crosses observability data (logs) with business data (users). In ClickHouse, it's one SQL query the AI generates automatically.</p> <h3> Business Glossary Additions for Observability </h3> <p>Add to <code>business_glossary.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Observability terms</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">error</span><span class="nv"> </span><span class="s">logs"</span> <span class="s">= otel_logs WHERE SeverityText = 'ERROR'</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">slow</span><span class="nv"> </span><span class="s">query"</span> <span class="s">= otel_traces WHERE SpanAttributes['db.system'] IN ('clickhouse','postgresql') AND Duration &gt; </span><span class="m">500000000</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">HTTP</span><span class="nv"> </span><span class="s">5xx"</span> <span class="s">= otel_logs WHERE LogAttributes['http.status_code'] LIKE '5%'</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">trade</span><span class="nv"> </span><span class="s">service"</span> <span class="s">= ServiceName = 'trading-service'</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">trace"</span> <span class="s">= otel_traces WHERE TraceId = '&lt;id&gt;'</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">latency"</span> <span class="s">= Duration / 1e6 (milliseconds)</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">p99"</span> <span class="s">= quantile(0.99)(Duration) / 1e6</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">error</span><span class="nv"> </span><span class="s">rate"</span> <span class="s">= countIf(SeverityText='ERROR') / count() * </span><span class="m">100</span> </code></pre> </div> <h2> 12. Migration Plan — Zero Downtime Cutover </h2> <h3> Option A — Standard OTEL Collector (Recommended for Simple Setups) </h3> <p>If you run a small number of centralized OTEL Collectors (one per environment), the standard approach is sufficient — edit the collector config YAML to add the ClickHouse exporter alongside the existing Elasticsearch exporter for dual-write. No extra tooling needed.</p> <h3> Option B — BindPlane (Recommended for Large Collector Fleets) </h3> <p>If you run OTEL Collectors on many individual servers/services, <strong>BindPlane</strong> is worth considering. It is a centralized management platform for OTEL Collector fleets — instead of editing YAML configs on each server manually, you manage all collector configurations from one dashboard.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Without BindPlane</span><span class="pi">:</span> <span class="s">Edit otel-collector.yaml on server </span><span class="m">1</span> <span class="s">Edit otel-collector.yaml on server </span><span class="m">2</span> <span class="s">Edit otel-collector.yaml on server N</span> <span class="s">Restart each collector</span> <span class="s">...</span> <span class="na">With BindPlane</span><span class="pi">:</span> <span class="s">Add ClickHouse destination once in BindPlane UI</span> <span class="s">Roll out to entire fleet in one click</span> </code></pre> </div> <p><strong>What BindPlane adds for this migration:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Capability</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Central config management</td> <td>One change pushes to all collectors instantly</td> </tr> <tr> <td>Dual-write in one click</td> <td>Route to Elasticsearch AND ClickHouse simultaneously without touching individual collectors</td> </tr> <tr> <td>Service-by-service cutover</td> <td>Route <code>trading-service</code> logs to ClickHouse first, validate, then add more services gradually</td> </tr> <tr> <td>Severity-based routing</td> <td>Route ERROR logs to Elasticsearch (keep during validation), INFO/DEBUG to ClickHouse only</td> </tr> <tr> <td>Safe fleet rollout</td> <td>Progressive rollout with automatic rollback on failure</td> </tr> <tr> <td>130+ sources and destinations</td> <td>Supports standard OTEL ClickHouse exporter as destination</td> </tr> </tbody> </table></div> <p><strong>BindPlane for self-managed ClickHouse:</strong></p> <p>BindPlane's native "ClickStack destination" connects to ClickHouse Cloud managed product. For self-managed ClickHouse, use the standard OTEL <code>clickhouseexporter</code> as a generic OTLP destination in BindPlane — same outcome, slightly more manual config. Example BindPlane destination config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># BindPlane destination config for self-managed ClickHouse</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">otlp</span> <span class="na">name</span><span class="pi">:</span> <span class="s">clickhouse-self-managed</span> <span class="na">config</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">tcp://clickhouse.internal:9000</span> <span class="na">headers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">x-clickhouse-database</span> <span class="na">value</span><span class="pi">:</span> <span class="s">otel</span> <span class="na">tls</span><span class="pi">:</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p><strong>Reference:</strong> <a href="https://clickhouse.com/blog/bindplane-faster-otel-migrations-to-clickstack" rel="noopener noreferrer">https://clickhouse.com/blog/bindplane-faster-otel-migrations-to-clickstack</a></p> <h3> Phase 1 — Deploy &amp; Validate (Week 1-2) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Task</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Deploy ClickHouse schema</td> <td>Create otel_logs, otel_traces, otel_metrics tables</td> </tr> <tr> <td>Add ClickHouse exporter to OTEL Collector</td> <td>Dual-write: send to both Elasticsearch AND ClickHouse (via YAML edit or BindPlane)</td> </tr> <tr> <td>Set up Grafana</td> <td>Install ClickHouse datasource, build core dashboards</td> </tr> <tr> <td>Validate data parity</td> <td>Compare row counts, spot-check log content</td> </tr> <tr> <td>Test trace waterfall</td> <td>Pick 5-10 real TraceIds, verify waterfall in Grafana matches Kibana</td> </tr> </tbody> </table></div> <h3> Phase 2 — Parallel Run (Week 3-4) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Task</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Run both stacks simultaneously</td> <td>Elasticsearch + ClickHouse receive same data</td> </tr> <tr> <td>Migrate dashboards</td> <td>Rebuild all Kibana dashboards in Grafana</td> </tr> <tr> <td>Migrate alerts</td> <td>Recreate all Kibana alerts in Grafana Alerting</td> </tr> <tr> <td>Train teams</td> <td>Grafana walkthrough for each team</td> </tr> <tr> <td>Build AI log queries</td> <td>Add observability terms to business glossary</td> </tr> <tr> <td>Gradual service cutover (optional)</td> <td>Use BindPlane to route one service at a time to ClickHouse-only, validate, expand</td> </tr> </tbody> </table></div> <h3> Phase 3 — Cutover (Week 5) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Task</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Confirm all dashboards working in Grafana</td> <td>Sign-off from each team</td> </tr> <tr> <td>Remove Elasticsearch exporter from OTEL Collector</td> <td>Single line config change (or one click in BindPlane)</td> </tr> <tr> <td>Verify ClickHouse-only flow</td> <td>24-hour monitoring window</td> </tr> <tr> <td>Cancel Elasticsearch subscription</td> <td>After 48-hour clean run</td> </tr> </tbody> </table></div> <h3> Phase 4 — Optimise (Week 6+) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Task</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Tune TTL and tiered storage</td> <td>Configure S3 cold tier based on actual usage patterns</td> </tr> <tr> <td>Enable AI log queries in LibreChat</td> <td>Add observability glossary, test with teams</td> </tr> <tr> <td>Set up cross-data dashboards</td> <td>Logs + business data correlation panels in Grafana</td> </tr> <tr> <td>Performance tuning</td> <td>Review slow queries via system.query_log, tune ORDER BY keys if needed</td> </tr> </tbody> </table></div> <h3> Risk Mitigation During Migration </h3> <ul> <li> <strong>Dual-write period:</strong> Both systems receive data simultaneously for 4 weeks — no data loss risk</li> <li> <strong>Rollback:</strong> Removing ClickHouse exporter (or reverting BindPlane config) restores Elasticsearch-only in seconds</li> <li> <strong>No application changes:</strong> OTEL SDK configuration is unchanged throughout</li> <li> <strong>Gradual cutover:</strong> Cut over one service at a time using BindPlane routing rules if preferred</li> </ul> <h2> 13. Cost Analysis </h2> <h3> Current Elasticsearch Cost Breakdown </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Annual Cost</th> </tr> </thead> <tbody> <tr> <td>Elasticsearch managed service (compute)</td> <td>~$200K</td> </tr> <tr> <td>Storage (SSD, replicated)</td> <td>~$100K</td> </tr> <tr> <td>Licensing (Elastic managed / premium)</td> <td>~$50K</td> </tr> <tr> <td>Engineering time (ops, tuning, ILM)</td> <td>~$50K</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>~$400K</strong></td> </tr> </tbody> </table></div> <h3> ClickHouse Cost (Self-Hosted) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Annual Cost</th> </tr> </thead> <tbody> <tr> <td>ClickHouse nodes (2x m7g.4xlarge, Graviton3)</td> <td>~$18K</td> </tr> <tr> <td>Storage SSD (hot, last 7 days)</td> <td>~$3K</td> </tr> <tr> <td>S3 (cold, 7-90 days)</td> <td>~$2K</td> </tr> <tr> <td>ClickHouse Keeper (3x t3.small for consensus)</td> <td>~$2K</td> </tr> <tr> <td>Engineering time (minimal ops)</td> <td>~$10K</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>~$35K</strong></td> </tr> </tbody> </table></div> <h3> ClickHouse Cost (ClickHouse Cloud — Recommended Start) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Annual Cost</th> </tr> </thead> <tbody> <tr> <td>ClickHouse Cloud (auto-scaling)</td> <td>~$36-60K</td> </tr> <tr> <td>S3 tiered storage</td> <td>Included</td> </tr> <tr> <td>Engineering time</td> <td>~$5K (fully managed)</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>~$41-65K</strong></td> </tr> </tbody> </table></div> <h3> Savings Summary </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Annual Cost</th> <th>Saving vs Elasticsearch</th> </tr> </thead> <tbody> <tr> <td>Current (Elasticsearch)</td> <td>$400K</td> <td>—</td> </tr> <tr> <td>ClickHouse Cloud</td> <td>$41-65K</td> <td><strong>$335-359K saved (84-90%)</strong></td> </tr> <tr> <td>ClickHouse Self-Hosted</td> <td>$35K</td> <td><strong>$365K saved (91%)</strong></td> </tr> </tbody> </table></div> <h3> Additional Value (Not Counted in Savings) </h3> <ul> <li>AI queries over logs — eliminates ad-hoc log digging by engineering (~20 hrs/month)</li> <li>Cross-data correlation — compliance/risk can correlate errors with affected users instantly</li> <li>Longer retention — at ClickHouse costs, retain 1 year vs 90 days for same budget</li> <li>Unified cluster — observability + business data in one system, one operations team</li> </ul> <h2> 14. Risk Assessment </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Risk</th> <th>Likelihood</th> <th>Impact</th> <th>Mitigation</th> </tr> </thead> <tbody> <tr> <td>Full-text search gaps</td> <td>Low</td> <td>Low</td> <td>95% of queries are structured; bloom filters cover keyword search</td> </tr> <tr> <td>Data loss during migration</td> <td>Very Low</td> <td>High</td> <td>4-week dual-write window eliminates risk</td> </tr> <tr> <td>Grafana learning curve</td> <td>Medium</td> <td>Low</td> <td>Grafana is widely used; team familiarity is high</td> </tr> <tr> <td>ClickHouse cluster instability</td> <td>Low</td> <td>High</td> <td>2-replica HA, Keeper for consensus, daily S3 backups</td> </tr> <tr> <td>OTEL Collector overload</td> <td>Low</td> <td>Medium</td> <td>Batch processor + memory limiter configured; scale collector horizontally</td> </tr> <tr> <td>Schema changes in new service</td> <td>Low</td> <td>Low</td> <td>MergeTree handles new columns gracefully; OTEL schema is stable</td> </tr> <tr> <td>Cold data access latency (S3)</td> <td>Medium</td> <td>Low</td> <td>S3 queries are slower but acceptable for historical lookups</td> </tr> </tbody> </table></div> <h2> 15. Success Metrics </h2> <h3> 30-Day Targets (Post Cutover) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Target</th> </tr> </thead> <tbody> <tr> <td>All dashboards migrated to Grafana</td> <td>100%</td> </tr> <tr> <td>Elasticsearch subscription cancelled</td> <td>Done</td> </tr> <tr> <td>Log query latency (aggregation)</td> <td>&lt; 500ms for last 24h queries</td> </tr> <tr> <td>Trace lookup latency</td> <td>&lt; 2 seconds for TraceId lookup</td> </tr> <tr> <td>Data compression vs Elasticsearch</td> <td>&gt; 5x smaller footprint</td> </tr> <tr> <td>Alert parity</td> <td>All Kibana alerts recreated in Grafana</td> </tr> </tbody> </table></div> <h3> 90-Day Targets </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Target</th> </tr> </thead> <tbody> <tr> <td>Annual cost reduction</td> <td>&gt; $300K vs Elasticsearch baseline</td> </tr> <tr> <td>AI log queries active</td> <td>Teams using LibreChat for log analysis</td> </tr> <tr> <td>Cross-data queries</td> <td>At least 5 dashboards joining logs + business data</td> </tr> <tr> <td>Retention extended</td> <td>From 90 days to 180+ days (same cost)</td> </tr> <tr> <td>Engineering time saved</td> <td>20+ hrs/month (no more ad-hoc log queries)</td> </tr> </tbody> </table></div> <h2> 16. Reference Links </h2> <h3> ClickHouse Observability </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>URL</th> </tr> </thead> <tbody> <tr> <td>ClickHouse Observability docs</td> <td><a href="https://clickhouse.com/docs/use-cases/observability" rel="noopener noreferrer">https://clickhouse.com/docs/use-cases/observability</a></td> </tr> <tr> <td>Observability solution guide</td> <td><a href="https://clickhouse.com/docs/use-cases/observability/overview" rel="noopener noreferrer">https://clickhouse.com/docs/use-cases/observability/overview</a></td> </tr> <tr> <td>ClickHouse as Elasticsearch alternative</td> <td><a href="https://clickhouse.com/blog/elasticsearch-to-clickhouse-for-logs" rel="noopener noreferrer">https://clickhouse.com/blog/elasticsearch-to-clickhouse-for-logs</a></td> </tr> <tr> <td>Building an Observability solution with ClickHouse</td> <td><a href="https://clickhouse.com/blog/storing-log-data-in-clickhouse-fluent-bit-vector-open-telemetry" rel="noopener noreferrer">https://clickhouse.com/blog/storing-log-data-in-clickhouse-fluent-bit-vector-open-telemetry</a></td> </tr> <tr> <td>ClickHouse for logs blog</td> <td><a href="https://clickhouse.com/blog/using-clickhouse-for-log-analytics" rel="noopener noreferrer">https://clickhouse.com/blog/using-clickhouse-for-log-analytics</a></td> </tr> </tbody> </table></div> <h3> OpenTelemetry + ClickHouse </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>URL</th> </tr> </thead> <tbody> <tr> <td>OTEL Collector ClickHouse exporter</td> <td><a href="https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/clickhouseexporter" rel="noopener noreferrer">https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/clickhouseexporter</a></td> </tr> <tr> <td>OTEL Collector contrib repo</td> <td><a href="https://github.com/open-telemetry/opentelemetry-collector-contrib" rel="noopener noreferrer">https://github.com/open-telemetry/opentelemetry-collector-contrib</a></td> </tr> <tr> <td>OTEL ClickHouse schema reference</td> <td><a href="https://clickhouse.com/docs/use-cases/observability/schema-design" rel="noopener noreferrer">https://clickhouse.com/docs/use-cases/observability/schema-design</a></td> </tr> </tbody> </table></div> <h3> Grafana + ClickHouse </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>URL</th> </tr> </thead> <tbody> <tr> <td>Grafana ClickHouse datasource</td> <td><a href="https://grafana.com/grafana/plugins/grafana-clickhouse-datasource" rel="noopener noreferrer">https://grafana.com/grafana/plugins/grafana-clickhouse-datasource</a></td> </tr> <tr> <td>Grafana ClickHouse plugin docs</td> <td><a href="https://grafana.com/docs/grafana/latest/datasources/clickhouse" rel="noopener noreferrer">https://grafana.com/docs/grafana/latest/datasources/clickhouse</a></td> </tr> </tbody> </table></div> <h3> Benchmarks &amp; Case Studies </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>URL</th> </tr> </thead> <tbody> <tr> <td>Cloudflare: ClickHouse for HTTP logs</td> <td><a href="https://blog.cloudflare.com/log-analytics-using-clickhouse" rel="noopener noreferrer">https://blog.cloudflare.com/log-analytics-using-clickhouse</a></td> </tr> <tr> <td>ClickHouse vs Elasticsearch log analytics benchmark</td> <td><a href="https://clickhouse.com/blog/elasticsearch-log-analytics-clickhouse" rel="noopener noreferrer">https://clickhouse.com/blog/elasticsearch-log-analytics-clickhouse</a></td> </tr> <tr> <td>Benchmark source code (reproducible)</td> <td><a href="https://github.com/ClickHouse/TextBench" rel="noopener noreferrer">https://github.com/ClickHouse/TextBench</a></td> </tr> <tr> <td>BindPlane — OTEL fleet management for migrations</td> <td><a href="https://clickhouse.com/blog/bindplane-faster-otel-migrations-to-clickstack" rel="noopener noreferrer">https://clickhouse.com/blog/bindplane-faster-otel-migrations-to-clickstack</a></td> </tr> <tr> <td>Langfuse + ClickHouse (LLM observability)</td> <td><a href="https://clickhouse.com/blog/langfuse-llm-analytics" rel="noopener noreferrer">https://clickhouse.com/blog/langfuse-llm-analytics</a></td> </tr> </tbody> </table></div> <h3> Appendix A — Technology Stack Summary </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Technology</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Instrumentation</td> <td>OTEL SDK (unchanged)</td> <td>Auto-instrument apps — zero code changes</td> </tr> <tr> <td>Collection</td> <td>OTEL Collector + clickhouseexporter</td> <td>Receives and ships logs/traces/metrics to ClickHouse</td> </tr> <tr> <td>Storage</td> <td>ClickHouse otel database</td> <td>Logs, traces, metrics — compressed columnar storage</td> </tr> <tr> <td>Visualization</td> <td>Grafana + ClickHouse datasource</td> <td>Dashboards, trace waterfall, log explorer, alerting</td> </tr> <tr> <td>AI queries</td> <td>LibreChat + Qwen + MCP (existing)</td> <td>Plain English queries over logs and traces</td> </tr> <tr> <td>Cold storage</td> <td>S3 (tiered via ClickHouse TTL)</td> <td>Cheap long-term retention for historical data</td> </tr> <tr> <td>HA</td> <td>ClickHouse 2-replica cluster</td> <td>Same HA setup as the existing ClickHouse cluster</td> </tr> </tbody> </table></div> <h3> Appendix B — Quick Reference: Kibana → Grafana Equivalents </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Kibana Feature</th> <th>Grafana Equivalent</th> </tr> </thead> <tbody> <tr> <td>Discover (log search)</td> <td>Explore → Logs panel with ClickHouse query</td> </tr> <tr> <td>Dashboard</td> <td>Dashboard (same concept)</td> </tr> <tr> <td>Visualize</td> <td>Panel with ClickHouse SQL query</td> </tr> <tr> <td>APM (traces)</td> <td>Explore → Traces panel with ClickHouse datasource</td> </tr> <tr> <td>Alerts</td> <td>Grafana Alerting (same or better)</td> </tr> <tr> <td>Index Lifecycle Management</td> <td>ClickHouse TTL (simpler — one SQL line)</td> </tr> <tr> <td>KQL (Kibana Query Language)</td> <td>SQL (standard, more powerful)</td> </tr> <tr> <td>Lens (drag-drop charts)</td> <td>Grafana panel builder</td> </tr> </tbody> </table></div> <h2> Closing thoughts </h2> <p>If you're considering this migration, the decisions that matter most:</p> <ol> <li> <strong>Don't skip the OTEL Aggregator pattern.</strong> Agent-only loses data on ClickHouse blips. Run a couple of central aggregators with retry-on-failure — that's the production-grade choice.</li> <li> <strong>Use BindPlane if you have a large collector fleet.</strong> Worth it for fleet-wide config rollout. For a handful of central collectors, standard YAML is fine.</li> <li> <strong>Get the schema right the first time.</strong> <code>ORDER BY (ServiceName, SeverityText, Timestamp)</code> and the right CODECs are the difference between a 3× and 30× compression ratio. The schema in Section 6 has been validated at production scale.</li> <li> <strong>Run dual-write for 4 weeks</strong>, not 1. The gradual cutover is cheap insurance and lets you validate every dashboard/alert before cutting Elasticsearch off.</li> <li> <strong>The AI layer pays for itself.</strong> Plain-English log queries via LibreChat + an LLM means no more pinging engineering when the compliance team needs a one-off analysis. Once ClickHouse has the data, the AI integration is one config change.</li> </ol> <p>The full schema, OTEL Collector configs, Grafana queries, migration plan, and 16 production-tested recovery runbooks live in the <a href="https://github.com/rakeshtherani/clickhouse-ai-dba" rel="noopener noreferrer">companion repo on GitHub</a>. The repo also includes the AI DBA MCP server (152 tools for ClickHouse operations) — if you're operating at scale, that's worth a look.</p> <p>If you've migrated off Elasticsearch (or are mid-migration), I'd love to compare notes. Reach out via <a href="https://www.linkedin.com/" rel="noopener noreferrer">LinkedIn</a> or comment below.</p> <p>If this is useful to your team, the deeper architectural piece — <em>Building an Agentic AI Data Platform on ClickHouse</em> — is coming next.</p> database infrastructure monitoring performance