A hands-on workshop demonstrating how OpenTelemetry eBPF Instrumentation (OBI) adds full distributed tracing to applications without changing a single line of code.
This workshop evolves from a single Python process on a bare Linux host, through a polyglot Docker microservices architecture, to an optional Kubernetes deployment -- all instrumented by OBI from the kernel, with telemetry flowing to Splunk Observability Cloud.

| Phase | Directory | What You Do |
|---|---|---|
| Phase 0 -- Warm-up | `01-obi-python/` | Run a Python Flask app on the host. Send a heartbeat metric to Splunk. Download and run the OBI binary to instrument the process from the kernel. |
| Phase 1 -- Before OBI | `02-obi-docker/` | Deploy 3 microservices (Node.js + Go + Go) with Docker Compose. See infrastructure metrics in Splunk but zero traces in APM. |
| Phase 2 -- The Magic | `02-obi-docker/` | Add one OBI container to the compose file. Full distributed traces appear in Splunk APM across all three services. No code changes. |
| Phase 3 -- Kubernetes (Optional) | `03-obi-k8s/` | Deploy the same services to K8s. Add an OBI DaemonSet. Same zero-code tracing, enterprise-grade orchestration. |


```
Phase 0:  Python (:5150) ──── instrumented by OBI binary on host

Phase 1:  Frontend (Node.js :3000) → Order-Processor (Go :8080) → Payment-Service (Go :8081)
          ↑ infrastructure metrics only, APM is empty

Phase 2:  Same three services + one OBI container
          ↑ full distributed traces, zero code changes

Phase 3:  Same services on Kubernetes + OBI DaemonSet
          ↑ same tracing, scales to any cluster
```


| Requirement | Why |
|---|---|
| A Linux host (or Docker Desktop on Mac/Windows) | eBPF requires the Linux kernel |
| Python 3.9+ | Phase 0 warm-up app |
| Docker & Docker Compose | Phases 1, 2, & 3 (image builds) |
| `kubectl` + a K8s cluster (k3d, kind, or minikube) | Phase 3 (optional) |
| Splunk Observability Cloud account | Where metrics and traces are sent |
| Your Splunk Access Token (Ingest) | Org Settings > Access Tokens |
| Your Splunk Realm (e.g. `us0`, `us1`, `eu0`) | Shown in your Splunk Observability URL |
| A unique name (e.g. `jsmith-laptop`) | Used as `host.name` so you can find your own telemetry |

- Fork this repo (click the Fork button at the top-right of the repo page).
- Clone your fork:

  ```bash
  git clone https://github.com/<YOUR_GITHUB_USERNAME>/ebpf-examples.git
  cd ebpf-examples
  ```

- Follow each phase in order:

This is a teaching tool. Participants physically edit files at each phase:

- Phase 0: Replace `<REPLACE_ME>` placeholders with Splunk credentials. Download and run the OBI binary.
- Phase 1: Replace `<REPLACE_ME>` placeholders in `docker-compose.yaml`. Start the stack. Confirm APM is empty.
- Phase 2: Copy-paste the OBI service block from the README into the compose file. Watch traces appear.
- Phase 3: Replace `<REPLACE_ME>` in the K8s collector manifest. Apply the OBI DaemonSet. Traces appear across the cluster.

An answer key (docker-compose.final.yaml) is provided for the Docker phases if you get stuck.
Once you've completed all phases, see LLM.md for ideas on using an LLM (Cursor, Copilot, ChatGPT, etc.) to add new endpoints, services, error scenarios, and more.