Improved patterns command with new algorithm

[songkant-aws]

Description

This PR introduces enhancement on original patterns command. It keeps the patterns command naming and rebuild it with specific window functions to parse log messages with different pattern method(log parser algorithms). See this RFC: #3251

The sample query input and output will be like:

• New brain algorithm log parser:

• Original regex based patterns command will have minor change:

Caveat:
For now, this is a draft PR for initial review so that we can collect major feedbacks to be addressed later.

Related Issues

Resolves #3251

Check List

• New functionality includes testing.
• New functionality has been documented.
• New functionality has javadoc added.
• New functionality has a user manual doc added.
• API changes companion pull request created.
• Commits are signed per the DCO using --signoff.
• Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[YANG-DB]

Thanks for the initiative!!

[penghuo]

In general,

• add user facing doc to explain new BRAIN alg with example will be helpfull.
• add UT could help reviwer understand the logic also. @dai-chen did a good example. https://github.com/opensearch-project/sql/blob/main/core/src/main/java/org/opensearch/sql/expression/window/frame/PeerRowsWindowFrame.java
• add benchmark to compare BRAIN and SIMPLE also help a lot.

[penghuo]

Could we introduce a setting to control the default pattern algorithms?

[songkant-aws]

Ok, I see. Like a java property to specify default algorithm name? I can add that.

[penghuo]

do we need StreamPatternRowWindowFrame? could we just use CurrentRowWindowFrame instead? patternExpression could be member of StreamPatternWindowFunction?

[songkant-aws]

Sure, I will remove the need of StreamPatternRowWindowFrame in the next revision.

[penghuo]

revert unnecessary change.

[penghuo]

BufferPatternRowsWindowFrame should have it own spec, doet it means over all rows? @dai-chen WindowFrame definition and How to use WIndowFrame should be seperate, right?

[songkant-aws]

For simplicity, I set the spec to empty partition by and empty sort by during AST tree parsing unresolved WindowFunction, which treats the window frame range is all rows on coordinator node. Because I haven't seen requirements on sorting and partitioning on other columns.

I think we can add partition by and sort by syntax if we see values in case users want to specify them. Thoughts?

[dai-chen]

Yes, I think users are free to use pattern functions added with any window frame definition.

[dai-chen]

Yes, I think users are free to use pattern functions added with any window frame definition.

[dai-chen]

I'm thinking are these new algorithm really window function? If users specify order by or partition by, does it still generate meaningful result?

[dai-chen]

Just wonder if pattern is mostly syntax sugar for pattern window function, is new logical operator still required?

[songkant-aws]

After the integration with LogicalWindow, I see they are quite similar. Yeah, I think Pattern operator is probably not needed.

[songkant-aws]

I don't find the Window unresolvedPlan. So replace Pattern with Window instead.

[dai-chen]

order by expression in window definition decides who're peers right? What's the order by expression for buffer (offline) pattern function? I didn't find it and may miss it in design doc:

Project[message#1, patterns_field#2]
+- Window[brain(message#1), windowsSpec(partitionBy=null, frame=PeerRowsWindowFrame)]
   +- OpenSearchIndexScan

[dai-chen]

A high-level question about the long-term approach: Currently, the pattern command always generates a new field, which offers flexibility as users can perform aggregation (stats) or other operations on it afterward. However, for large datasets, I assume most users would prefer functionality similar to CloudWatch Logs Query Syntax - Pattern.

Do you see any potential issues with the current implementation, which is based on SQL window functions combined with aggregate functions, as we scale this feature in the future?

[songkant-aws]

Do you see any potential issues with the current implementation, which is based on SQL window functions combined with aggregate functions, as we scale this feature in the future?

@dai-chen It's a good question. Actually, it's one of my previous thought to use a new specific operator to directly return grouped logs with sample count or grouped samples.

It's more like a compound aggregation operator with a default group by. But current aggregation abstraction only supports row by row iteration. The log pattern algorithms cover both streaming and buffering computing paradigm. Then I figure out this is more close to window operator's abstraction. To achieve what Cloudwatch has done, I think we could extend pattern functions from AggregateWindowFunction that has a special aggregator state structure.

As to partition by and sort by specification, my initial plan is to deliver a simple version without them because that's probably enough.
partition by is probably more useful than sort by. Imagine users may want to see different log patterns for INFO, WARN, ERROR partitions.
I haven't seen a use case for sort by yet. Maybe they need to see latest logs sort by date?

[songkant-aws]

To scale the pattern function, I think other issues are pending investigation.

1. How to push down operator to OpenSearch data node? Is Painless script one of option?
2. OpenSearch doesn't have shuffle mechanism for now, how to perform large dataset aggregation like operation with simple map reduce? If data volume is quite large, spilling additional data to disk is probably required during execution.
3. To log pattern, streaming algorithms are probably more suitable to large scale dataset. We may need to introduce more by then.

[songkant-aws]

AvgTime benchmark:

Benchmark                                          (testDataType)  Mode  Cnt  Score    Error  Units
ComparisonOperatorBenchmark.testEqualOperator                 int  avgt    3  0.002 ±  0.001  ms/op
ComparisonOperatorBenchmark.testEqualOperator              string  avgt    3  0.005 ±  0.001  ms/op
ComparisonOperatorBenchmark.testEqualOperator                date  avgt    3  0.001 ±  0.001  ms/op
ComparisonOperatorBenchmark.testGreaterOperator               int  avgt    3  0.002 ±  0.001  ms/op
ComparisonOperatorBenchmark.testGreaterOperator            string  avgt    3  0.005 ±  0.002  ms/op
ComparisonOperatorBenchmark.testGreaterOperator              date  avgt    3  0.001 ±  0.001  ms/op
ComparisonOperatorBenchmark.testLessOperator                  int  avgt    3  0.002 ±  0.001  ms/op
ComparisonOperatorBenchmark.testLessOperator               string  avgt    3  0.006 ±  0.001  ms/op
ComparisonOperatorBenchmark.testLessOperator                 date  avgt    3  0.002 ±  0.001  ms/op
PatternsWindowFunctionBenchmark.testBrain                     N/A  avgt    3  0.131 ±  0.002  ms/op
PatternsWindowFunctionBenchmark.testSimplePattern             N/A  avgt    3  0.001 ±  0.001  ms/op

[songkant-aws]

This PR still needs some action items.

1. Pending adding setting to switch default log pattern algorithm
2. Pending discussion whether we want to deliver partition by and order by given its effect. (Log patterns are probably special window function that is not sensitive to partition by and order by)