II · 14 · Proactive Monitoring: Leading Indicators & Capacity Runway

Source: Apache Kafka 4.4.0-SNAPSHOT (git 04bfe7d, 2026-06-15), KRaft mode. Operational guidance grounded in source code and cited benchmarks.

The golden signals in op08 are honest but cruel: OfflinePartitionsCount > 0 means partitions are already unavailable; UncleanLeaderElectionsPerSec > 0 means data is already gone. They are lagging, they fire at the cliff edge, not before it. This chapter is about the metrics that buy you lead time: the slopes that show a number marching toward a limit, the headroom that tells you how far the limit still is, and the saturation bands that light up minutes-to-days before queuing and errors appear. Every leading indicator here is sourced to a real metric in the code with a default-grounded danger band, a typical lead time, and the mechanism that makes it predictive. The payoff is a posture change: from responding to outages to spending runway deliberately.

Lagging vs. leading: the spine of the chapter

A lagging indicator is a state that only becomes true once damage has occurred. UnderReplicatedPartitions is the archetype: by the time the in-sync replica set has actually shrunk, the partition is already at reduced durability. A leading indicator is one of three shapes, each of which exists before the lagging signal:

• Slope / rate-of-change. A level metric whose trend is what matters. Consumer records-lag of 50,000 is meaningless in isolation; a sustained positive slope of +2,000 records/s means the consumer is structurally below required throughput and will breach SLA, the question is only when.
• Headroom / runway. The distance to a limit, expressed in the unit that limit is measured in: free disk bytes converted to days-to-full, partition count as a percentage of the per-broker ceiling, file descriptors remaining. Runway turns an invisible threshold into a countdown.
• Saturation band. A utilisation gauge crossing into a danger zone well before it pins. RequestHandlerAvgIdlePercent falling from 0.8 to 0.3 is not yet an outage, but it is the warning that the I/O thread pool is filling and request-queue time is about to climb non-linearly.

Three monitoring disciplines

(A) Alert on the slope, rate-of-change and burn-rate

For any metric trending toward a cliff, the alert should fire on the rate at which it approaches, not on a fixed level. Two implementations dominate:

• Linear slope on a level metric. Compute the trend over a sliding window (e.g. PromQL deriv(kafka_consumer_records_lag[15m]) or predict_linear(...[1h], 4*3600)). Alert when the projected value crosses the limit within your response budget. LinkedIn's Burrow formalised exactly this for consumer lag: it classifies a group OK/WARNING/ERROR by evaluating the lag trend over a sliding window of committed offsets, so no per-topic threshold needs tuning (LinkedIn Burrow, empirical).
• Burn-rate on an error budget. Borrowed from Google SRE: if your SLO permits X bad events per window, alert when the current consumption rate would exhaust the remaining budget before the window ends. A fast burn (e.g. 14.4× budget over 1 h) pages; a slow burn (e.g. 3× over 6 h) tickets. This is the canonical proactive pattern and is detailed in the SLO section below.

(B) Track headroom / runway

Runway converts a resource limit into a time or percentage you can put on a dashboard and trend. The pattern is always runway = remaining / consumption_rate. Examples developed below: disk days_to_full = free_bytes / (ingress_per_day × RF); partition headroom = 1 − (partitions_on_broker / ceiling); lag-time runway = records_lag / consume_rate. The discipline: pick the resource, measure both terms, alert on the quotient trending down, not the numerator alone.

(C) Watch saturation bands

Kafka exposes several utilisation gauges as fractions in [0,1]. They degrade gracefully then suddenly: idle time falls linearly with load until the queue starts to fill, at which point latency rises super-linearly (classic queueing behaviour, M/M/1: wait time ∝ 1/(1−ρ)). Watching the band, entering, say, 0.3–0.2, gives lead time before the knee. The two broker bands and their exact source mechanics:

The leading-indicator catalogue

For each indicator: what it predicts, the early-warning band/trend, the typical lead time it buys, and the source. The lead times are operational rules of thumb (empirical), not guarantees, they scale with how aggressively you provisioned headroom.

1 · Consumer-lag trend (slope of records-lag + time-lag)

Predicts: an SLA breach or retention overrun, the consumer falling permanently behind, or lag exceeding the retention window so records age out unread. Mechanism: a sustained positive slope on records-lag-max (client-side, FetchMetricsRegistry.java:102) means the consumer group's net drain rate is below the production rate. Two runway quotients fall out, both remaining ÷ rate. (a) Recovery runway: recovery_time = current_lag ÷ net_drain_rate, worked with an illustrative lag of 500,000 records draining at a net 5,000 records/s (consume-rate minus produce-rate): 500,000 records ÷ 5,000 records/s = 100 s to catch up (the records cancel, leaving seconds); if net drain is ≤ 0 there is no recovery. (b) Time-lag, because retention is time-bound not count-bound: time_lag = current_lag ÷ consume_rate, e.g. 500,000 records ÷ 20,000 records/s consumed = 25 s behind the tail; compare that against the retention window, not against the raw count. Band: alert when the 15-minute slope is positive for > N consecutive windows, or when projected time-lag will reach the retention limit within your response budget. Lead time: minutes-to-hours, set by how much lag-time runway you keep relative to retention. Cross-ref op03 (partitioning & parallelism), Part I 17.

2 · RequestHandlerAvgIdlePercent declining into a band

Predicts: I/O-thread saturation and rising RequestQueueTimeMs before produce/fetch requests start timing out. Mechanism: the meter at KafkaRequestHandler.scala:253 measures the fraction of time the num.io.threads pool spends blocked on requestChannel.receiveRequest(300) (:117) instead of handling work. As load rises the pool drains; once idle → 0 the request queue fills and RequestQueueTimeMs rises super-linearly. Band: warning at 0.3, action at 0.2 (Instaclustr: "constantly below 0.2 → add capacity", empirical). Lead time: minutes to hours of advance notice depending on workload growth rate. Cross-ref Part I 06, 07.

3 · NetworkProcessorAvgIdlePercent declining

Predicts: network-thread saturation and rising ResponseQueueTimeMs. Mechanism: identical logic for the num.network.threads processors; the gauge (SocketServer.scala:120) is the mean per-processor io-wait-ratio. Band: Confluent guidance "ideally > 0.4"; below ~0.3 raise num.network.threads (empirical). Watch MemoryPoolAvailable (SocketServer.scala:134) alongside, if the network read buffer pool is draining to zero, the socket layer is back-pressuring. Lead time: minutes to hours. Cross-ref Part I 06.

4 · Page-cache pressure (disk-read rate while consumers are caught up)

Predicts: the working set outgrowing RAM, and consumers about to fall off the zero-copy/sendfile path onto disk. Mechanism: Kafka serves tail reads from the OS page cache via sendfile (Part I 09); if all consumers are caught up to the tail and the broker is still doing physical disk reads (node_disk_reads climbing), the hot set no longer fits in cache and reads will increasingly miss. The reference documents the "catch-up tax": historical reads evict the hot tail and spike p99 produce ~2 ms → ~250 ms with disk I/O to 100% (KIP-405 tests, empirical). Band: non-zero and rising disk-read rate while max consumer lag ≈ 0. Lead time: hours-to-days as the working set creeps up; sudden if a backfill consumer starts reading cold data. Mitigations: more RAM, or tiered storage (Part I 05) to keep local retention small. Cross-ref op04, Part I 03.

5 · IsrShrinksPerSec ticking up (shrinks that re-expand)

Predicts: brokers beginning to struggle (GC, disk, network) before sustained UnderReplicatedPartitions or offline partitions. Mechanism: a follower is dropped from the ISR if it fails to reach the leader's log-end-offset within replica.lag.time.max.ms, default 30000 ms (ReplicationConfigs.java:55). A follower that briefly stalls, a GC pause, a disk hiccup, shrinks then re-expands. A rising rate of IsrShrinksPerSec with matching IsrExpandsPerSec is the cluster flickering at the edge: each individual shrink self-heals, but the increasing frequency is the leading edge of trouble that will eventually produce a shrink with no matching expand (= true URP). Band: any shrink/expand churn above a near-zero steady-state baseline; investigate shrinks without a matching expand immediately. Lead time: minutes. Cross-ref Part I 08, op07.

6 · Disk-free runway (days-to-full)

Predicts: a full-disk outage days ahead. Mechanism: on No space left on device the broker calls Exit.halt(1) with no graceful shutdown (empirical; reference §4). The runway is computable as a remaining ÷ rate quotient: a broker stores RF copies of the cluster's bytes-in (its share of leader and follower replicas), so it fills at RF × the cluster's per-broker ingress, and days_to_full = free_bytes ÷ (ingress_bytes_per_day_per_broker × RF). Band: alert when projected days-to-full < lead-time-to-add-capacity (commonly 7–14 days), and a hard backstop at 85% used (AWS MSK KafkaDataLogsDiskUsed ≥ 85%, empirical). Lead time: days, the longest-lead indicator in the catalogue, and the one most worth automating. Cross-ref op04, op07.

7 · Partition-count headroom (% of per-broker ceiling)

Predicts: hitting the per-broker partition limit and the slow failover that accompanies high partition density. Mechanism: partition count is bounded by file descriptors, fetcher overhead, and on Linux by vm.max_map_count. Leader-election work also scales with leaderships held, so density predicts longer outages on the next failure. Band: headroom = 1 − (partitions_on_broker ÷ ceiling); warn at < 30% headroom, act at < 15%. Lead time: days-to-weeks (partition growth is usually deliberate). Cross-ref op02, op03, Part I 11.

8 · p99 produce/fetch latency drift

Predicts: an SLA breach before the alert line is crossed. Mechanism: the request-time breakdown TotalTimeMs = RequestQueueTimeMs + LocalTimeMs + RemoteTimeMs + ResponseQueueTimeMs + ResponseSendTimeMs (+ ThrottleTimeMs) (reference §5, empirical). A slow upward drift in any component is a leading edge: rising RemoteTimeMs → followers slowing (links to indicator 5); rising LocalTimeMs → disk/flush/GC; rising RequestQueueTimeMs → handler starvation (indicator 2). Band: alert on a sustained week-over-week or day-over-day increase in the p99, not only the absolute crossing, e.g. p99 up > 50% vs. a 7-day baseline. Lead time: hours-to-days. Cross-ref Part I 07, op08.

9 · GC pause frequency/duration trending up

Predicts: soft failures cascading, ISR drops, session timeouts, rebalances. Mechanism: a stop-the-world pause that exceeds replica.lag.time.max.ms internals or a client's session.timeout.ms (default 45000 ms, ConsumerConfig.java:438) causes the broker to miss fetches and clients to miss heartbeats. The reference documents 500 ms pauses triggering rebalances and multi-second Full GCs causing ISR drops (empirical); LinkedIn's busy clusters run ~21 ms p90 pause, < 1 young GC/s. Band: p99 pause > 50 ms = warning, > 200 ms = critical (empirical); also alert on rising frequency, which precedes a creeping heap. Lead time: hours-to-days as heap pressure builds. The conventional cap of ~6 GiB heap (a planning heuristic, reference §3 / op05, not a hard limit) exists precisely so pauses stay short and the rest of RAM serves page cache (indicator 4): on a 64 GiB box, a 6 GiB heap leaves ~28–30 GiB for the OS cache. Cross-ref op05, op07.

10 · Quota throttle-time becoming non-zero

Predicts: client-visible slowdown, then timeouts and errors, as a producer/consumer approaches its quota. Mechanism: when a client exceeds a byte-rate or request quota the broker delays the response and reports the delay; the client sees produce-throttle-time-avg / produce-throttle-time-max (SenderMetricsRegistry.java:123-126) and fetch-throttle-time-avg/-max (FetchMetricsRegistry.java:107-110). Throttling is graceful at first, latency just rises, but as the client backs up it heads toward buffer exhaustion (indicators 16/17) and eventual send failures. Band: any sustained non-zero throttle-time on a client that is supposed to run unthrottled. Lead time: minutes-to-hours before the throttle turns into client errors. Cross-ref Part I 19, 13, op08.

11 · Controller event-queue time/backlog rising

Predicts: metadata-operation slowness, topic creates, partition reassignments, leader elections all queuing behind a busy controller. Mechanism: the KRaft controller processes events on a single-threaded loop; EventQueueTimeMs (QuorumControllerMetrics.java:48-49) is how long an event waits before processing, and AvgIdleRatio (:52) is the loop's headroom. As the controller saturates, queue time climbs and metadata propagation (Part I 12) slows cluster-wide. Band: rising EventQueueTimeMs p99, or AvgIdleRatio entering 0.5→0.3. Cross-check TimedOutBrokerHeartbeatCount (:62) and LastAppliedRecordLagMs (:60), a standby controller falling behind on the metadata log is itself a leading risk to failover speed. Lead time: minutes-to-hours. Cross-ref Part I 11, 10.

12 · Rebalance rate increasing

Predicts: consumer-group instability and processing stalls. Mechanism: each rebalance pauses consumption for the group; a rising rebalance-rate-per-hour (ConsumerRebalanceMetricsManager.java:70) or any non-zero failed-rebalance-rate-per-hour (:74) signals churn, flapping members, slow processing tripping max.poll.interval.ms (default 300000 ms, ConsumerConfig.java:629), or unstable membership. Watch last-rebalance-seconds-ago (:97): a value that keeps resetting to near-zero is a rebalance storm in progress. Band: rebalance-rate above the group's steady-state baseline, or failed-rebalance-rate > 0. Lead time: minutes, fast-moving, but earlier than the lag spike the storm eventually produces. Cross-ref Part I 13, op07.

13 · Connection count / creation-rate approaching caps

Predicts: hitting max.connections / max.connections.per.ip limits, or file-descriptor exhaustion, causing new clients to be rejected. Mechanism: each connection consumes an FD and listener slot; the broker tracks connection-count (Selector.java:1260) and the standard connection-creation-rate. A climbing creation-rate often indicates clients in a connect/disconnect loop (mis-tuned pools, repeated auth failures) that will exhaust the cap. ExpiredConnectionsKilledCount (SocketServer.scala:136) rising shows the broker reaping idle connections under connections.max.idle.ms pressure. Band: connection-count headroom < 20% of the configured cap, or a sustained non-zero creation-rate on a stable client population. Lead time: minutes-to-hours. Cross-ref op02, Part I 06.

14 · Log-flush time creeping up = disk slowing

Predicts: disk degradation, which will surface as rising LocalTimeMs, ISR shrinks, and eventually produce stalls. Mechanism: LogFlushRateAndTimeMs (LogSegment.java:77, kafka.log:type=LogFlushStats) times the fsync of log segments. A slow upward creep means the disk is taking longer to accept writes, a failing SSD, a noisy neighbour on shared storage, or a saturated I/O queue. Band: any sustained increase over the disk's established baseline (the absolute number is hardware-specific). Lead time: hours-to-days for gradual degradation; correlate with rising LocalTimeMs and falling RequestHandlerAvgIdlePercent. Cross-ref Part I 03, op04.

15 · Leader-election time growing with partition count

Predicts: longer outages on the next broker failure. Mechanism: LeaderElectionRateAndTimeMs (controller) reports time spent without a leader during elections; unclean broker loss costs roughly 5 ms × #leader-partitions-on-broker (Jun Rao 2015, empirical), so as partition density grows the failover duration grows with it. This is a second-order leading indicator: it predicts the severity of a future incident, letting you rebalance or add brokers before density makes the next failure painful. Band: trend election time vs. partition count; act when projected unavailability on a single-broker loss exceeds your SLO. Lead time: weeks (it tracks slow partition growth). Cross-ref op02, op11, Part I 11.

Client-team leading indicators (no broker access required)

The part most guides miss: a producer or consumer application team can be proactive entirely from their own client JMX metrics, with zero broker access, and frequently see trouble building before the platform team's lagging broker alerts fire. The data lives in the client's org.apache.kafka.common.metrics.Metrics registry and is also pushed centrally via KIP-714 client telemetry (ClientMetricsManager.java handles GetTelemetrySubscriptions/PushTelemetry at :159:188; Part I 19), so a platform team can scrape app-side signals without app-side scrape endpoints.

Consumer-side leading indicators

Producer-side leading indicators

The producer's leading-indicator story is a pipeline: the RecordAccumulator buffers records, the Sender drains them to brokers, and the BufferPool backstops memory. When the broker can't keep up (or batching is mis-tuned), pressure propagates backward through these stages in a predictable order, each with its own metric, giving a clean early-warning sequence before the terminal max.block.ms timeout.

Producer / consumer proactive checklist

The runway / headroom dashboard

Assemble a single "how much runway is left" panel set. Each panel is a quotient (remaining ÷ rate) trended over time, with the alert on the quotient, not the numerator. This is the proactive counterpart to the golden-signal status board in op08.

SLO error-budget & burn-rate framing

The most disciplined proactive pattern is the burn-rate alert: define an SLO (e.g. "99.9% of produce requests succeed within 50 ms over 30 days"), derive an error budget, and alert when the current consumption rate of the budget would exhaust it before the window closes. This unifies the catalogue: every leading indicator above is, ultimately, an early read on whether you are about to start burning budget.

Error budget

For an availability SLO of S over window W: budget = (1 − S) × W. Worked: (1 − 0.999) × 43,200 min = 0.001 × 43,200 min = 43.2 min of allowed "bad" per 30 days (the % cancels; result is in minutes). So 0.1% of a 30-day window ≈ 43 min.

Burn rate

burn_rate = (bad events ÷ total events) ÷ (1 − S), a dimensionless multiple of the budget's steady drain. A burn rate of 1 exactly exhausts the budget at the window's end; > 1 exhausts it early. (E.g. failing 1.44% of requests over an hour = 0.0144 ÷ 0.001 = 14.4×.)

Fast-burn page

14.4× over a 1-hour window. Why "~2% of the budget in 1 h": at 14.4× the budget drains 14.4× faster than the 30-day baseline, and 1 h is 1 ÷ (30 × 24) = 1/720 of the window, so the fraction consumed is 14.4 × (1 h ÷ 720 h) = 14.4 ÷ 720 = 0.02 = 2% of the 30-day budget in one hour (the hours cancel). Burning 2%/hour empties the budget in ~50 h → page; the cliff is hours-to-days away.

Slow-burn ticket

3× over a 6-hour window. Fraction consumed: 3 × (6 h ÷ 720 h) = 18 ÷ 720 = 0.025 = 2.5% of the 30-day budget over 6 h → at that pace the budget lasts 720 h ÷ 3 = 240 h ≈ 10 days → ticket; the cliff is days away, but the trend is real.

Master table, the leading-indicator catalogue

What to do this week

1. Build the runway dashboard. Five quotient panels (throughput idle%, disk days-to-full, partition headroom, FD/connection headroom, lag-time runway). Alert on the quotient trend, not the numerator.
2. Convert your top lagging alerts to pairs. For each golden signal in op08, add the leading partner from the invariant box above. An unpaired golden signal is an outage you can only react to.
3. Add multi-window burn-rate alerts on your produce-success and consumer-lag SLOs: a fast-burn page and a slow-burn ticket. The slow-burn is your proactive early warning.
4. Push the client checklist to app teams. Producer: trend record-queue-time-max and buffer-available-bytes. Consumer: trend records-lag-max slope and poll-interval headroom. Wire app-side metrics centrally via KIP-714 so the platform team sees them too.
5. Validate idle gauges are 0–1. Confirm RequestHandlerAvgIdlePercent reports a fraction before trusting any band (KAFKA-7295 / KIP-1207 footguns).

The discipline is simple to state and hard to keep: every metric that can break your cluster has a derivative and a distance, and the derivative and distance are visible before the break. Monitor those, and most pages become tickets you closed days earlier.