Every observability pipeline begins with a decision that shapes its entire feedback loop: how does information travel from the system to the engineer? Push-based alerting sends signals when thresholds are crossed; pull-based discovery fetches metrics on demand or on a schedule. The tension between these two modes is not a bug—it is the engine that drives effective monitoring. This guide walks through the workflow of choosing, combining, and tuning push and pull strategies so your team can detect incidents faster without drowning in noise.
Who Needs This and What Goes Wrong Without It
Anyone responsible for keeping a production system observable—site reliability engineers, platform teams, DevOps practitioners—faces this tension daily. Without a deliberate approach, teams fall into one of two traps. The first is alert fatigue: push everything, and every minor threshold violation becomes a page, desensitizing the team. The second is discovery blindness: pull only what you think to ask for, and silent failures—like a gradual memory leak or a degraded but not-yet-failing dependency—escape notice until a user complains.
Consider a typical microservices deployment. Each service emits metrics, logs, and traces. A push-based alert on CPU usage might fire when a container spikes, but if the alert threshold is too tight, it pages the on-call engineer for a burst that resolves itself. Meanwhile, a pull-based dashboard that refreshes every 60 seconds might miss a transient error that causes a payment failure for a subset of users. Without a balanced loop, the team either chases ghosts or misses real incidents.
The core problem is that push and pull serve different phases of the incident lifecycle. Push excels at immediate notification—when a service is down, you want it to shout. Pull excels at investigation and trend analysis—when you suspect something is off, you want to query historical data. Teams that treat one as a replacement for the other end up with either a noisy pager or a blind spot. The goal is to design a feedback loop that uses push for urgent signals and pull for context, so each mode amplifies the other.
What Happens When Push Dominates
An over-pushed environment generates hundreds of alerts per day. Engineers start ignoring non-critical notifications, and genuine emergencies get buried. The mean time to acknowledge (MTTA) increases because every alert looks like noise. Worse, the team spends more time tuning alert rules than understanding their system.
What Happens When Pull Dominates
A pull-heavy approach relies on engineers remembering to check dashboards. During an incident, the first step is to open a query interface and figure out what to ask. This delays detection and often misses issues that happen outside business hours. The feedback loop becomes reactive rather than proactive.
Prerequisites and Context Readers Should Settle First
Before diving into the workflow, you need a clear picture of your system's architecture and your team's capacity. Start by mapping your services, dependencies, and critical user journeys. Which components are stateless versus stateful? Which dependencies are external (third-party APIs, databases) versus internal? This map determines what you can push alerts on and what you can pull metrics from.
Next, define your service level objectives (SLOs). Without SLOs, every metric seems equally important. SLOs give you a basis for deciding what warrants a push alert (an SLO burn rate exceeding a threshold) versus what is informational (a slow query that hasn't yet impacted users). Teams often skip this step and end up with alerts that lack business context.
You also need a monitoring infrastructure that supports both push and pull. Most modern observability platforms (Prometheus, Datadog, Grafana, New Relic) offer both modes, but they have different strengths. Prometheus, for example, is fundamentally pull-based but can accept push via the Pushgateway for short-lived jobs. Understanding your tool's native mode helps you avoid fighting its design.
Finally, agree on incident severity levels. A push alert should map to a severity that triggers a specific response—page the on-call engineer for critical, send a Slack message for warning, log for info. Pull-based discovery feeds dashboards and reports that inform daily stand-ups and postmortems. Without this mapping, push alerts become too broad, and pull data becomes too scattered.
Establishing a Baseline
Before tuning alerts, collect a week of baseline metrics for each service. What is the normal CPU range? How many requests per minute are typical? What is the p99 latency? This baseline helps you set meaningful thresholds and distinguish anomalies from expected variation.
Core Workflow: Sequential Steps to Design Your Feedback Loop
Designing a push-pull feedback loop is a iterative process. Follow these steps to build a system that balances immediate notification with deep discovery.
Step 1: Identify critical signals. For each service, list the metrics that directly indicate a user-facing problem: error rate, latency, throughput, saturation (the USE method). These are candidates for push alerts. Also list metrics that indicate gradual degradation: memory usage trend, disk I/O wait, GC pause time. These are candidates for pull-based dashboards.
Step 2: Set push thresholds using SLO burn rate. Instead of static thresholds (CPU > 80%), use burn rate alerts. For example, if your SLO is 99.9% uptime over 30 days, alert when the error budget burns at a rate that would exhaust it in less than 6 hours. This approach reduces noise because it only fires when the SLO is truly at risk.
Step 3: Design pull-based discovery dashboards. Create dashboards that surface the metrics you identified as gradual indicators. Use time-series graphs with trend lines and anomaly detection. Set up scheduled reports (daily or weekly) that email the team a summary of changes. This pull layer ensures that slow drifts are noticed before they become emergencies.
Step 4: Implement a feedback loop from pull to push. When a pull-based discovery reveals a concerning trend (e.g., memory growing 2% per day), create a temporary push alert that pages if the trend accelerates. This turns a slow discovery into an active monitor. Conversely, when a push alert fires, the first action should be to open the pull-based dashboard for that service to get context.
Step 5: Review and tune weekly. In your team's weekly review, examine which push alerts fired and whether they were actionable. Also review pull-based dashboards for any patterns that were missed. Adjust thresholds, add new metrics, and retire stale alerts.
Automating the Loop
Where possible, automate the transition from pull to push. For example, if a dashboard panel shows a metric crossing a dynamic threshold (based on moving average), automatically create a temporary alert rule. Some platforms like Grafana allow alerting from dashboard panels, bridging the gap.
Tools, Setup, and Environment Realities
Your choice of observability platform shapes how you implement push and pull. Here are common setups and their trade-offs.
Prometheus + Alertmanager: Prometheus is pull-based by design—it scrapes targets at intervals. For push, you use the Pushgateway for batch jobs or short-lived processes. Alertmanager handles routing, silencing, and grouping. This combination works well for dynamic environments (Kubernetes) where service discovery is automated. The downside: Prometheus does not natively support alerting on historical trends without additional tooling (like Thanos or Cortex).
Datadog / New Relic: These SaaS platforms are primarily push-based—agents send metrics to the backend. They offer rich anomaly detection and machine learning-based alerting. Pull discovery happens through their query interfaces and dashboards. The advantage is ease of setup; the disadvantage is cost at scale and vendor lock-in. Teams often over-push because the default configuration alerts on many metrics.
Grafana + Loki + Tempo: This stack separates storage (Loki for logs, Tempo for traces) from visualization. Grafana can pull data from multiple sources and also push alerts via Grafana Alerting. The flexibility allows you to mix push and pull per data source. However, it requires more operational overhead to maintain the infrastructure.
OpenTelemetry Collector: This vendor-agnostic agent can both push and pull. It receives telemetry from applications and can export to multiple backends. You can configure it to push certain metrics to an alerting system while pulling others for local dashboards. This is ideal for multi-cloud or hybrid environments.
Environment Considerations
In Kubernetes, service discovery is dynamic. Pull-based scraping works well because Prometheus can discover new pods automatically. Push-based alerts need to be careful not to page for transient pod restarts. In serverless environments (AWS Lambda), push is often the only option because functions are ephemeral and cannot be scraped. Use a middleware like CloudWatch Logs to extract metrics and push them to an alerting pipeline.
Variations for Different Constraints
Not every team has the same resources or requirements. Here are variations of the push-pull balance for common constraints.
Small team with limited on-call rotation: Prioritize push alerts for only the most critical SLOs (error budget burn rate). Use pull-based dashboards for everything else. Set up a daily automated report that summarizes changes. This reduces pager fatigue while still catching slow drifts during business hours.
High-scale system with thousands of services: Implement tiered alerting. Tier 1 (push) covers platform-level metrics (API gateway errors, database connection pool exhaustion). Tier 2 (pull) covers per-service metrics with automated anomaly detection that escalates to a push alert if the anomaly persists for more than 10 minutes. Use a service catalog to map ownership so alerts reach the right team.
Compliance-heavy environment (finance, healthcare): Push alerts must be logged and auditable. Use pull-based discovery for trend analysis that feeds compliance reports. Ensure that pull queries are recorded as well. Some regulations require that all monitoring data be retained; pull-based storage can be expensive, so prioritize retention policies.
Startup with rapid feature development: Accept more noise in push alerts initially, but invest in a structured on-call process. Use pull-based dashboards to track deployment health. As the system stabilizes, gradually tighten push thresholds. The key is to avoid over-engineering the alerting before you understand your failure modes.
When to Favor Push
Push is best for: immediate notification of service outages, security incidents, and SLO burn rate violations. It is also necessary for ephemeral workloads (batch jobs, Lambda functions) that cannot be scraped.
When to Favor Pull
Pull is best for: trend analysis, capacity planning, postmortem investigation, and metrics that change slowly (disk usage, memory growth). It also works well for environments where you want to control the scraping schedule to avoid overloading the target.
Pitfalls, Debugging, and What to Check When It Fails
Even with a thoughtful design, the push-pull loop can break. Here are common failure modes and how to fix them.
Alert fatigue despite SLO-based thresholds: Check if your SLOs are too tight. A 99.99% SLO for a non-critical service generates more alerts than a 99.9% SLO. Also review alert grouping—Alertmanager can group similar alerts into a single notification. If alerts still flood, consider using a longer evaluation window (e.g., 5 minutes instead of 1).
Missed incidents because pull discovery is too slow: Increase the refresh rate of critical dashboards, or add anomaly detection that triggers a push alert when a metric deviates from its baseline. For example, if p99 latency suddenly jumps 2x, that should be a push alert even if the absolute value is below your static threshold.
Push alerts that fire but have no context: Ensure every push alert includes a link to the relevant dashboard and a runbook. Without context, the on-call engineer wastes time figuring out what to check. Automatically attach a graph of the metric in the notification.
Pull-based data that is stale or missing: Check that your scrape targets are reachable and that the metrics endpoint is healthy. In Kubernetes, a pod might be restarting before Prometheus scrapes it. Use a blackbox exporter to probe endpoints and alert if they are unreachable.
Conflict between push and pull for the same metric: If you have both a push alert and a pull-based dashboard for the same metric, ensure they use the same data source and aggregation. Otherwise, the dashboard might show a normal value while the alert fires (or vice versa). Standardize on a single source of truth.
Debugging Checklist
When an incident slips through: (1) Did a push alert fire but was ignored? Check notification routing and silencing rules. (2) Did a pull-based dashboard show the issue but no one saw it? Review dashboard visibility and scheduled reports. (3) Was the metric not collected at all? Verify instrumentation and agent health.
FAQ: Common Questions About Push vs. Pull in Observability
Can I use only push or only pull? Technically yes, but it is not recommended. Pure push systems miss the context needed for investigation, and pure pull systems miss immediate alerts. The best approach is hybrid.
How do I decide which metrics to push? Use the rule of thumb: if a metric crossing a threshold requires immediate action (within minutes), push it. If it informs a decision over hours or days, pull it.
What about logs and traces—are they push or pull? Logs are typically pushed (agents send to a central collector), while traces are often pulled via sampling. But the same tension applies: you can set alerts on log patterns (push) or query traces for debugging (pull).
How often should I review my alert rules? At least once per sprint or monthly. As your system evolves, thresholds become outdated. Automate the review with a tool that tracks alert firing frequency and false positive rate.
What is the biggest mistake teams make? Treating push and pull as separate concerns rather than two parts of a single feedback loop. They set up alerts in isolation from dashboards, and dashboards without alerting. The result is a fragmented view of system health.
What to Do Next: Specific Actions for Your Team
Start with a one-hour workshop to map your current push and pull setup. List every alert rule and every dashboard. Label each as critical, useful, or noise. Eliminate noise alerts and consolidate dashboards that show the same data.
Next, define your SLOs for the top three user journeys. Implement burn rate alerts for those SLOs and set up pull-based dashboards for the underlying metrics. Run this setup for two weeks, then review the alert volume and dashboard usage.
Finally, create a feedback loop review as a recurring agenda item in your team's weekly meeting. Discuss which alerts fired, which were useful, and what pull-based discoveries led to changes. Over time, this practice will refine your observability loop until push and pull work in harmony, not tension.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!