Calcite patterns command brain pattern method#3570
Merged
LantaoJin merged 38 commits intoopensearch-project:mainfrom Jun 11, 2025
Merged
Conversation
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
penghuo
reviewed
Jun 4, 2025
docs/user/ppl/cmd/patterns.rst
Outdated
Comment on lines
+45
to
+48
| * byClause: optional. The log groups to be labeled or aggregated. It could be fields and scalar functions. | ||
| * pattern_method: optional. Specify pattern method to be simple_pattern. By default, it's simple_pattern if the setting ``plugins.ppl.default.pattern.method`` is not specified. | ||
| * pattern_mode: optional. label mode or aggregation mode. Default is label mode. | ||
| * pattern_max_sample_count: optional. The max sample logs to be returned per pattern in aggregation mode. |
Collaborator
There was a problem hiding this comment.
if it is optional, add default value in doc.
Collaborator
Author
There was a problem hiding this comment.
Done. Added default value
docs/user/ppl/cmd/patterns.rst
Outdated
| * pattern_method: optional. Specify pattern method to be brain. By default, it's simple_pattern if the setting ``plugins.ppl.default.pattern.method`` is not specified. | ||
| * pattern_mode: optional. label mode or aggregation mode. Default is label mode. | ||
| * pattern_max_sample_count: optional. The max sample logs to be returned per pattern in aggregation mode. | ||
| * pattern_buffer_limit: optional. This is a special safeguard parameter for BRAIN algorithm to limit internal temporary buffer to hold processed logs. |
docs/user/ppl/cmd/patterns.rst
Outdated
Comment on lines
+60
to
+61
| * pattern_max_sample_count: optional. The max sample logs to be returned per pattern in aggregation mode. | ||
| * pattern_buffer_limit: optional. This is a special safeguard parameter for BRAIN algorithm to limit internal temporary buffer to hold processed logs. |
Collaborator
There was a problem hiding this comment.
if it is optional, add default value in doc.
Collaborator
Author
There was a problem hiding this comment.
Done. Added default value.
docs/user/ppl/cmd/patterns.rst
Outdated
| or | ||
|
|
||
| patterns [new_field=<new-field-name>] [pattern=<pattern>] <field> SIMPLE_PATTERN | ||
| patterns <field> [by byClause...] pattern_method=SIMPLE_PATTERN [pattern_mode=LABEL | AGGREGATION] [pattern_max_sample_count=integer] [new_field=<new-field-name>] [pattern=<pattern>] |
Collaborator
There was a problem hiding this comment.
nit,
all options are under pattern command, we can simpliy it, for instance pattern_method -> method, pattern_mode -> mode
Collaborator
Author
There was a problem hiding this comment.
Renamed those options
docs/user/ppl/cmd/patterns.rst
Outdated
|
|
||
| * field: mandatory. The field must be a text field. | ||
| * byClause: optional. The log groups to be labeled or aggregated. It could be fields and scalar functions. | ||
| * pattern_method: optional. Specify pattern method to be brain. By default, it's simple_pattern if the setting ``plugins.ppl.default.pattern.method`` is not specified. |
Collaborator
There was a problem hiding this comment.
brain or BRAIN, is it case-sensitive?
Member
There was a problem hiding this comment.
I think it should be case-insensitive. @songkant-aws please double check. I suggest to use lower case in syntax doc.
Collaborator
Author
There was a problem hiding this comment.
It's case-insensitive. Now they are all in lower cases in syntax doc.
docs/user/ppl/cmd/patterns.rst
Outdated
|
|
||
| * field: mandatory. The field must be a text field. | ||
| * byClause: optional. The log groups to be labeled or aggregated. It could be fields and scalar functions. | ||
| * pattern_method: optional. Specify pattern method to be brain. By default, it's simple_pattern if the setting ``plugins.ppl.default.pattern.method`` is not specified. |
Collaborator
There was a problem hiding this comment.
By default, it's simple_pattern if the setting
plugins.ppl.default.pattern.methodis not specified.
The default value is configured by the setting plugins.ppl.default.pattern.method.
docs/user/ppl/cmd/patterns.rst
Outdated
| * field: mandatory. The field must be a text field. | ||
| * byClause: optional. The log groups to be labeled or aggregated. It could be fields and scalar functions. | ||
| * pattern_method: optional. Specify pattern method to be brain. By default, it's simple_pattern if the setting ``plugins.ppl.default.pattern.method`` is not specified. | ||
| * pattern_mode: optional. label mode or aggregation mode. Default is label mode. |
Collaborator
There was a problem hiding this comment.
ditto, The default value is configured by the setting?
| +-------------------------------------------------------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | ||
| | patterns_field | pattern_count | sample_logs | | ||
| |-------------------------------------------------------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | <*IP*> - <*> [<*>/Sep/<*>:<*>:<*>:<*> <*>] <*> <*> HTTP/<*><*>" <*> <*> | 4 | [177.95.8.74 - upton5450 [28/Sep/2022:10:15:57 -0700] "HEAD /e-business/mindshare HTTP/1.0" 404 19927,127.45.152.6 - pouros8756 [28/Sep/2022:10:15:57 -0700] "GET /architectures/convergence/niches/mindshare HTTP/1.0" 100 28722,118.223.210.105 - - [28/Sep/2022:10:15:57 -0700] "PATCH /strategize/out-of-the-box HTTP/1.0" 401 27439,210.204.15.104 - - [28/Sep/2022:10:15:57 -0700] "POST /users HTTP/1.1" 301 9481] | |
Collaborator
There was a problem hiding this comment.
- In aggregation mode, does the pattern command collect sample values of IP addresses?
- What is the output syntax of the pattern_fields? Can it be used directly in search queries?
Collaborator
There was a problem hiding this comment.
- in IT, the detected pattern is
PacketResponder failed <token1> blk_<token2>what does IP means, is it token?
Collaborator
Author
There was a problem hiding this comment.
- Yes, when Calcite is enabled, the sample logs will be converted to sample tokens in different position.
- pattern_field will be string in format like
PacketResponder failed <token1> blk_<token2>. tokens will be a map like {token1: [...], token2: [...]}. Not sure what does it mean by using them directly in search queries? - <IP> is one of variable placeholder of BrainLogParser's output. Yes, it's token in V2 output format.
I have updated the syntax docs with more examples. When Calcite is enabled, the output syntax is a pattern string with <token*> placeholder plus a map of corresponding tokens. User can leverage those two output columns for further query.
Collaborator
There was a problem hiding this comment.
Not sure what does it mean by using them directly in search queries?
For instance,
As user, the detected pattern is <token1> - <token2> [<token3>/Sep/<token4>:<token5>:<token6>:<token7> <token8>] <token9> <token10> HTTP/<token11><token12>\" <token13> <token14>, I want to search logs match this pattern.
I think it can not been directly used, need to rewise the query, it is out of scope this PR.
LantaoJin
reviewed
Jun 7, 2025
Member
LantaoJin
left a comment
There was a problem hiding this comment.
Please update the code base and address the latest commends.
docs/user/ppl/cmd/patterns.rst
Outdated
|
|
||
| * field: mandatory. The field must be a text field. | ||
| * byClause: optional. The log groups to be labeled or aggregated. It could be fields and scalar functions. | ||
| * pattern_method: optional. Specify pattern method to be brain. By default, it's simple_pattern if the setting ``plugins.ppl.default.pattern.method`` is not specified. |
Member
There was a problem hiding this comment.
I think it should be case-insensitive. @songkant-aws please double check. I suggest to use lower case in syntax doc.
Comment on lines
+45
to
+48
| PATTERN_MODE: 'PATTERN_MODE'; | ||
| PATTERN_METHOD: 'PATTERN_METHOD'; | ||
| PATTERN_MAX_SAMPLE_COUNT: 'PATTERN_MAX_SAMPLE_COUNT'; | ||
| PATTERN_BUFFER_LIMIT: 'PATTERN_BUFFER_LIMIT'; |
Member
There was a problem hiding this comment.
How above simplify the arguments by remove pattern_ prefix?
Collaborator
Author
There was a problem hiding this comment.
Removed pattern_ prefix
Comment on lines
+28
to
+31
| DEFAULT_PATTERN_METHOD("plugins.ppl.default.pattern.method"), | ||
| DEFAULT_PATTERN_MODE("plugins.ppl.default.pattern.mode"), | ||
| DEFAULT_PATTERN_MAX_SAMPLE_COUNT("plugins.ppl.default.pattern.max.sample.count"), | ||
| DEFAULT_PATTERN_BUFFER_LIMIT("plugins.ppl.default.pattern.buffer.limit"), |
Member
There was a problem hiding this comment.
Can we remove the default part? It's meaningless IMO.
plugins.ppl.default.pattern.method -> plugins.ppl.pattern.method
Collaborator
Author
There was a problem hiding this comment.
Removed default part
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
Signed-off-by: Songkan Tang <songkant@amazon.com>
penghuo
reviewed
Jun 10, 2025
| * max_sample_count: optional. Max sample logs returned per pattern in aggregation mode (default: 10). The max_sample_count is configured by the setting ``plugins.ppl.pattern.max.sample.count``. | ||
| * buffer_limit: optional. Safeguard parameter for ``brain`` algorithm to limit internal temporary buffer size (default: 100,000, min: 50,000). The buffer_limit is configured by the setting ``plugins.ppl.pattern.buffer.limit``. | ||
| * new_field: Alias of the output pattern field. (default: "patterns_field"). | ||
| * algorithm parameters: optional. Algorithm-specific tuning: |
Collaborator
There was a problem hiding this comment.
nit, this line is in italic format, is it expected? https://github.com/opensearch-project/sql/blob/8f468a5b92b4b3a2ca5fb2798f78f329c88b4581/docs/user/ppl/cmd/patterns.rst#syntax
| * new_field: Alias of the output pattern field. (default: "patterns_field"). | ||
| * algorithm parameters: optional. Algorithm-specific tuning: | ||
| - ``simple_pattern`` : Define regex via "pattern". | ||
| - ``brain`` : Adjust sensitivity with variable_count_threshold (int > 0) and frequency_threshold_percentage (double 0.0 - 1.0). |
Collaborator
There was a problem hiding this comment.
nit, explain what is variable_count_threshold and frequency_threshold_percentage
| +-------------------------------------------------------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | ||
| | patterns_field | pattern_count | sample_logs | | ||
| |-------------------------------------------------------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | <*IP*> - <*> [<*>/Sep/<*>:<*>:<*>:<*> <*>] <*> <*> HTTP/<*><*>" <*> <*> | 4 | [177.95.8.74 - upton5450 [28/Sep/2022:10:15:57 -0700] "HEAD /e-business/mindshare HTTP/1.0" 404 19927,127.45.152.6 - pouros8756 [28/Sep/2022:10:15:57 -0700] "GET /architectures/convergence/niches/mindshare HTTP/1.0" 100 28722,118.223.210.105 - - [28/Sep/2022:10:15:57 -0700] "PATCH /strategize/out-of-the-box HTTP/1.0" 401 27439,210.204.15.104 - - [28/Sep/2022:10:15:57 -0700] "POST /users HTTP/1.1" 301 9481] | |
Collaborator
There was a problem hiding this comment.
Not sure what does it mean by using them directly in search queries?
For instance,
As user, the detected pattern is <token1> - <token2> [<token3>/Sep/<token4>:<token5>:<token6>:<token7> <token8>] <token9> <token10> HTTP/<token11><token12>\" <token13> <token14>, I want to search logs match this pattern.
I think it can not been directly used, need to rewise the query, it is out of scope this PR.
| import org.opensearch.sql.common.patterns.PatternUtils.ParseResult; | ||
|
|
||
| public class LogPatternAggFunction implements UserDefinedAggFunction<LogParserAccumulator> { | ||
| private int bufferLimit = 100000; |
| } | ||
|
|
||
| public static class LogParserAccumulator implements Accumulator { | ||
| private final List<String> logMessages; |
Collaborator
There was a problem hiding this comment.
Access to logMessages is threadsafe?
penghuo
approved these changes
Jun 10, 2025
LantaoJin
approved these changes
Jun 11, 2025
penghuo
pushed a commit
that referenced
this pull request
Jun 16, 2025
* Revert simple_pattern window function change to recover pushdown ability Signed-off-by: Songkan Tang <songkant@amazon.com> * Add SIMPLE_PATTERN patterns command support based on parse command Signed-off-by: Songkan Tang <songkant@amazon.com> * Address minor comments Signed-off-by: Songkan Tang <songkant@amazon.com> * Address comments part 2 Signed-off-by: Songkan Tang <songkant@amazon.com> * Make allowCast for pattern VARCHAR literal Signed-off-by: Songkan Tang <songkant@amazon.com> * Fix spotless Signed-off-by: Songkan Tang <songkant@amazon.com> * Minor ut failure fix Signed-off-by: Songkan Tang <songkant@amazon.com> * Brain patterns command in Calcite with combined UDF and UDAF Signed-off-by: Songkan Tang <songkant@amazon.com> * Revert debug flag Signed-off-by: Songkan Tang <songkant@amazon.com> * Minor ut failure fix Signed-off-by: Songkan Tang <songkant@amazon.com> * Minor ut failure fix part2 Signed-off-by: Songkan Tang <songkant@amazon.com> * Pick missing ast Window from main Signed-off-by: Songkan Tang <songkant@amazon.com> * Support agg and label mode and new model for patterns command Signed-off-by: Songkan Tang <songkant@amazon.com> * Remove unnecessary files and comments Signed-off-by: Songkan Tang <songkant@amazon.com> * Use uncollect_patterns table function to flatten patterns list Signed-off-by: Songkan Tang <songkant@amazon.com> * Fix partial UT Signed-off-by: Songkan Tang <songkant@amazon.com> * Add 3570 yaml tests Signed-off-by: Songkan Tang <songkant@amazon.com> * Fix plans in explain ITs Signed-off-by: Songkan Tang <songkant@amazon.com> * Fix pushdown ITs failure Signed-off-by: Songkan Tang <songkant@amazon.com> * Fix doctest examples for V2 engine results Signed-off-by: Songkan Tang <songkant@amazon.com> * Minor fix after rebasing Signed-off-by: Songkan Tang <songkant@amazon.com> * Uncomment build.gradle change Signed-off-by: Songkan Tang <songkant@amazon.com> * Address minor comment Signed-off-by: Songkan Tang <songkant@amazon.com> * Address patterns doc comments and fix conflicts Signed-off-by: Songkan Tang <songkant@amazon.com> * Fix doctest Signed-off-by: Songkan Tang <songkant@amazon.com> * Reuse expand command plan to replace hacky uncollect_patterns UDTF Signed-off-by: Songkan Tang <songkant@amazon.com> * Minor fix after resolving merge conflicts Signed-off-by: Songkan Tang <songkant@amazon.com> * Refactor duplicate building expand rel node logic Signed-off-by: Songkan Tang <songkant@amazon.com> * Fix the issue of expand command plan executing main query twice Signed-off-by: Songkan Tang <songkant@amazon.com> --------- Signed-off-by: Songkan Tang <songkant@amazon.com> Signed-off-by: xinyual <xinyual@amazon.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This aims to resolve #3569
BRAINpattern method ofPatternscommand is implemented by combined UDF and UDAF.Related Issues
Resolves #[Issue number to be closed when this PR is merged]
Check List
--signoff.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.