Merge pull request #327 from ClickHouse/log-clustering

lio-p · web-flow · commit b3cef7ad3ded · 2025-10-29T13:50:11.000Z
Log clustering
diff --git a/blog-examples/log_clustering/drain3_miner.py b/blog-examples/log_clustering/drain3_miner.py
@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+import sys, json, argparse
+from collections import defaultdict
+from io import StringIO
+import contextlib
+from drain3 import TemplateMiner
+from drain3.template_miner_config import TemplateMinerConfig
+from drain3.file_persistence import FilePersistence
+
+INI = """
+[SNAPSHOT]
+snapshot_interval_minutes = 10
+compress_state = True
+
+[MASKING]
+masking = [
+  {"regex_pattern":"((?<=[^A-Za-z0-9])|^)(([0-9a-f]{2,}:){3,}([0-9a-f]{2,}))((?=[^A-Za-z0-9])|$)", "mask_with": "ID"},
+  {"regex_pattern":"((?<=[^A-Za-z0-9])|^)(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})((?=[^A-Za-z0-9])|$)", "mask_with": "IP"},
+  {"regex_pattern":"((?<=[^A-Za-z0-9])|^)([0-9a-f]{6,} ?){3,}((?=[^A-Za-z0-9])|$)", "mask_with": "SEQ"},
+  {"regex_pattern":"((?<=[^A-Za-z0-9])|^)([0-9A-F]{4} ?){4,}((?=[^A-Za-z0-9])|$)", "mask_with": "SEQ"},
+  {"regex_pattern":"((?<=[^A-Za-z0-9])|^)(0x[a-f0-9A-F]+)((?=[^A-Za-z0-9])|$)", "mask_with": "HEX"},
+  {"regex_pattern":"((?<=[^A-Za-z0-9])|^)([\\-\\+]?\\d+)((?=[^A-Za-z0-9])|$)", "mask_with": "NUM"},
+  {"regex_pattern":"(?i)([a-f0-9]{8}(?:-[a-f0-9]{4}){3}-[a-f0-9]{12})","mask_with":"UUID"},
+  {"regex_pattern":"\\d{4}-\\d{2}-\\d{2}[ T]\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(?:Z|[+\\-]\\d{2}:\\d{2})?","mask_with":"TS"},
+  {"regex_pattern":"\\\".*?\\\"","mask_with":"STR"},
+  {"regex_pattern":"(?<=executed cmd )(\\".+?\\")", "mask_with": "CMD"}
+]
+mask_prefix = <:
+mask_suffix = :>
+
+[DRAIN]
+sim_th = 0.4
+depth = 4
+max_children = 100
+max_clusters = 1024
+extra_delimiters = ["_"]
+
+[PROFILING]
+enabled = False
+report_sec = 30
+"""
+def build_miner():
+    cfg = TemplateMinerConfig()
+    with contextlib.redirect_stdout(sys.stderr):
+      cfg.load(StringIO(INI))
+      cfg.config_file = None
+      persistence = None
+      return TemplateMiner(persistence, cfg)
+
+def mine_summary(lines):
+    miner = build_miner()
+    counts = defaultdict(int)
+    templates = {}
+    total = 0
+
+    for raw in lines:
+        if not raw:
+            continue
+        total += 1
+        r = miner.add_log_message(raw)
+        cid = r["cluster_id"]
+        tmpl = r["template_mined"]
+        counts[cid] += 1
+        templates[cid] = tmpl
+
+    items = []
+    for cid, cnt in counts.items():
+        cov = (cnt / total * 100.0) if total else 0.0
+        items.append({"template": templates[cid], "count": int(cnt), "coverage": round(cov, 2)})
+
+    items.sort(key=lambda x: (-x["count"], x["template"]))
+    return items
+
+def main():
+    for line in sys.stdin:
+        obj = json.loads(line)
+        values = obj.get("values") or []
+        strings = [s for s in values if isinstance(s, str)]
+        result = mine_summary(strings)
+        sys.stdout.write(json.dumps({"result": result}, ensure_ascii=False) + "\n")
+        sys.stdout.flush()
+
+if __name__ == "__main__":
+    main()
diff --git a/blog-examples/log_clustering/drain3_miner_function.xml b/blog-examples/log_clustering/drain3_miner_function.xml
@@ -0,0 +1,19 @@
+<functions>
+  <function>
+    <type>executable_pool</type>
+    <name>drain3_miner</name>
+    <return_type>Array(String)</return_type>
+    <return_name>result</return_name>
+    <argument>
+      <type>Array(String)</type>
+      <name>values</name>
+    </argument>
+    <format>JSONEachRow</format>
+    <command>drain3_miner.py</command>
+    <execute_direct>1</execute_direct> 
+    <pool_size>1</pool_size>
+    <max_command_execution_time>100</max_command_execution_time>
+    <command_read_timeout>100000</command_read_timeout>
+    <send_chunk_header>false</send_chunk_header>
+  </function>
+</functions>
diff --git a/blog-examples/log_clustering/mv.sql b/blog-examples/log_clustering/mv.sql
@@ -0,0 +1,117 @@
+CREATE MATERIALIZED VIEW IF NOT EXISTS mv_logs_structured
+TO logs_structured
+AS
+SELECT
+    ServiceName,
+    /* which template matched */
+    multiIf(m1, 1, m2, 2, m3, 3, m4, 4, m5, 5, m6, 6, 7) AS TemplateNumber,
+    /* extracted fields as Map(LowCardinality(String), String) */
+    CAST(
+    multiIf(
+      m1,
+      map(
+        'date',           g1_1,
+        'time',           g1_2,
+        'service_name',   g1_3,
+        'trace_sampled',  g1_4,
+        'prod_1',         g1_5,
+        'prod_2',         g1_6,
+        'prod_3',         g1_7,
+        'prod_4',         g1_8,
+        'prod_5',         g1_9
+      ),
+      m2,
+      map(
+        'prod_1', g2_1,
+        'prod_2', g2_2,
+        'prod_3', g2_3,
+        'prod_4', g2_4,
+        'prod_5', g2_5
+      ),
+      m3,
+      map('cart_1', g3_1),
+      m4,
+      map(),                 -- pattern4 has no captures; nothing to extract
+      m5,
+      map(
+        'cart_1', g5_1,
+        'cart_2', g5_2,
+        'cart_3', g5_3
+      ),
+      m6,
+      map(
+        'remote_addr', g6_1,
+        'remote_user', g6_2,
+        'time_local', g6_3,
+        'request_type', g6_4,
+        'request_path', g6_5,
+        'request_protocol', g6_6,
+        'status', g6_7,
+        'size', g6_8,
+        'referer', g6_9,
+        'user_agent', g6_10
+      ),
+      map()                   -- else: empty map
+    ),
+    'Map(LowCardinality(String), String)'
+  ) AS Extracted
+FROM
+(
+    /* compute once per row */
+    WITH
+        '^([^\\s]+) ([^\\s]+) INFO \[main\] \[recommendation_server.py:47\] \[trace_id=([^\\s]+) span_id=([^\\s]+) resource\.service\.name=recommendation trace_sampled=True\] - Receive ListRecommendations for product ids:\[([^\\s]+) ([^\\s]+) ([^\\s]+) ([^\\s]+) ([^\\s]+)\]$' AS pattern1,
+        '^Receive ListRecommendations for product ([^\\s]+) ([^\\s]+) ([^\\s]+) ([^\\s]+) ([^\\s]+)$' AS pattern2,
+        '^[\\s]*GetCartAsync called with userId=([^\\s]+)$' AS pattern3,
+        '^info\: cart.cartstore.ValkeyCartStore\[0\]$' AS pattern4,
+        '^[\\s]*AddItemAsync called with userId=([^\\s]+), productId=([^\\s]+), quantity=([^\\s]+)$' AS pattern5,
+        '^(\S+) - (\S+) \[([^\]]+)\] "([A-Z]+)?\s*(.*?)\s*(HTTP\S+)?" (\d{3}) (\d+) "([^"]*)" "([^"]*)"$' AS pattern6
+
+    SELECT
+        *,
+        match(Body, pattern1) AS m1,
+        match(Body, pattern2) AS m2,
+        match(Body, pattern3) AS m3,
+        match(Body, pattern4) AS m4,
+        match(Body, pattern5) AS m5,
+         match(Body, pattern6) AS m6,
+        extractAllGroups(Body, pattern1) AS g1,
+        extractAllGroups(Body, pattern2) AS g2,
+        extractAllGroups(Body, pattern3) AS g3,
+        extractAllGroups(Body, pattern4) AS g4,
+        extractAllGroups(Body, pattern5) AS g5,
+        extractAllGroups(Body, pattern6) AS g6,
+
+        /* pick first (and only) match’s capture groups */
+        arrayElement(arrayElement(g1, 1), 1) AS g1_1,
+        arrayElement(arrayElement(g1, 1), 2) AS g1_2,
+        arrayElement(arrayElement(g1, 1), 3) AS g1_3,
+        arrayElement(arrayElement(g1, 1), 4) AS g1_4,
+        arrayElement(arrayElement(g1, 1), 5) AS g1_5,
+        arrayElement(arrayElement(g1, 1), 6) AS g1_6,
+        arrayElement(arrayElement(g1, 1), 7) AS g1_7,
+        arrayElement(arrayElement(g1, 1), 7) AS g1_8,
+        arrayElement(arrayElement(g1, 1), 7) AS g1_9,
+
+        arrayElement(arrayElement(g2, 1), 1) AS g2_1,
+        arrayElement(arrayElement(g2, 1), 2) AS g2_2,
+        arrayElement(arrayElement(g2, 1), 3) AS g2_3,
+        arrayElement(arrayElement(g2, 1), 4) AS g2_4,
+        arrayElement(arrayElement(g2, 1), 5) AS g2_5,
+
+        arrayElement(arrayElement(g3, 1), 1) AS g3_1,
+        arrayElement(arrayElement(g5, 1), 1) AS g5_1,
+        arrayElement(arrayElement(g5, 1), 2) AS g5_2,
+        arrayElement(arrayElement(g5, 1), 3) AS g5_3,
+
+        arrayElement(arrayElement(g6, 1), 1) AS g6_1,
+        arrayElement(arrayElement(g6, 1), 2) AS g6_2,
+        arrayElement(arrayElement(g6, 1), 3) AS g6_3,
+        arrayElement(arrayElement(g6, 1), 4) AS g6_4,
+        arrayElement(arrayElement(g6, 1), 1) AS g6_5,
+        arrayElement(arrayElement(g6, 1), 2) AS g6_6,
+        arrayElement(arrayElement(g6, 1), 3) AS g6_7,
+        arrayElement(arrayElement(g6, 1), 4) AS g6_8,
+        arrayElement(arrayElement(g6, 1), 4) AS g6_9,
+        arrayElement(arrayElement(g6, 1), 4) AS g6_10
+    FROM logs_raw
+);
diff --git a/blog-examples/log_clustering/one_table_service.sql b/blog-examples/log_clustering/one_table_service.sql
@@ -0,0 +1,167 @@
+-- Create table for nginx logs
+CREATE TABLE logs_nginx
+(
+    `remote_addr` IPv4,
+    `remote_user` LowCardinality(String),
+    `time_local` DateTime CODEC(Delta(4), ZSTD(1)),
+    `request_type` LowCardinality(String),
+    `request_path` String CODEC(ZSTD(6)),
+    `request_protocol` LowCardinality(String),
+    `status` UInt16,
+    `size` UInt32,
+    `referer` String CODEC(ZSTD(6)),
+    `user_agent` LowCardinality(String),
+     Body ALIAS format('{0} - {1} [{2}] "{3} {4} {5}" {6} {7} "{8}" "{9}"',remote_addr, remote_user, time_local, request_type, request_path, request_protocol, status, size, referer, user_agent)
+)
+ORDER BY (user_agent, remote_user, referer, request_path)
+
+
+-- Create table for recommendation service logs
+CREATE TABLE logs_service_recommendation
+(
+    TemplateNumber UInt8,
+    `date` String,
+    `time` String,
+    `service_name` Nullable(UUID),
+    `trace_sampled` Nullable(UUID),
+    `prod_1` LowCardinality(String),
+    `prod_2` LowCardinality(String),
+    `prod_3` LowCardinality(String),
+    `prod_4` LowCardinality(String),
+    `prod_5` LowCardinality(String),
+    Body ALIAS multiIf(TemplateNumber=1, format('{0} {1} INFO [main] [recommendation_server.py:47] resource.service.name={2} trace_sampled={3}] - Receive ListRecommendations for product {4} {5} {6} {7} {8}',date,time,service_name,trace_sampled,prod_1,prod_2,prod_3,prod_4,prod_5), TemplateNumber=2, format('Receive ListRecommendations for product {0} {1} {2} {3} {4}',prod_1,prod_2,prod_3,prod_4,prod_5),''))
+ORDER BY (date, prod_1, prod_2, prod_3, prod_4, prod_5)
+
+-- Create table for cart service logs
+CREATE TABLE logs_service_cart
+(
+    TemplateNumber UInt8,
+    `user_id` Nullable(UUID),
+    `product_id` String,
+    `quantity` String,
+    Body ALIAS multiIf(
+        TemplateNumber=1, format('GetCartAsync called with userId={0}',user_id),
+        TemplateNumber=2, 'info: cart.cartstore.ValkeyCartStore[0]',
+        TemplateNumber=3, format('AddItemAsync called with userId={0}, productId={1}, quantity={2}', user_id, product_id, quantity),
+        TemplateNumber=4, format('EmptyCartAsync called with userId={0}',user_id),
+        '')
+)
+ORDER BY (TemplateNumber, product_id, quantity)
+
+-- Create materialized view for nginx logs
+CREATE MATERIALIZED VIEW IF NOT EXISTS mv_logs_nginx
+TO logs_service_nginx
+AS
+SELECT
+    remote_address,
+    remote_user,
+    time_local,
+    request_type,
+    request_path,
+    request_protocol,
+    status,
+    size,
+    referer,
+    user_agent
+FROM
+(
+    WITH
+        '^(\S+) - (\S+) \[([^\]]+)\] "([A-Z]+)?\s*(.*?)\s*(HTTP\S+)?" (\d{3}) (\d+) "([^"]*)" "([^"]*)"$' AS pattern
+    SELECT
+        *,
+        match(Body, pattern) AS m1,
+        extractAllGroups(Body, pattern) AS g,
+        arrayElement(arrayElement(g, 1), 1) AS remote_address,
+        arrayElement(arrayElement(g, 1), 2) AS remote_user,
+        parseDateTimeBestEffort(arrayElement(arrayElement(g, 1), 3)) AS time_local,
+        arrayElement(arrayElement(g, 1), 4) AS request_type,
+        arrayElement(arrayElement(g, 1), 5) AS request_path,
+        arrayElement(arrayElement(g, 1), 6) AS request_protocol,
+        arrayElement(arrayElement(g, 1), 7) AS status,
+        arrayElement(arrayElement(g, 1), 8) AS size,
+        arrayElement(arrayElement(g, 1), 9) AS referer,
+        arrayElement(arrayElement(g, 1), 10) AS user_agent
+    FROM raw_logs where ServiceName='nginx'
+) WHERE m1;
+
+-- Create materialized view for recommendation service logs
+CREATE MATERIALIZED VIEW IF NOT EXISTS mv_logs_recommendation
+TO logs_service_recommendation
+AS
+SELECT
+   CASE WHEN m1 THEN 1 WHEN m2 THEN 2 ELSE 0 END AS TemplateNumber,
+   CASE when m1 THEN g1_1 ELSE NULL END AS date,
+   CASE when m1 THEN g1_2 ELSE NULL END AS time,
+   CASE when m1 THEN g1_3 ELSE NULL END AS service_name,
+   CASE when m1 THEN g1_4 ELSE NULL END AS trace_sampled,
+   CASE when m1 THEN g1_5 ELSE g2_1 END AS prod_1,
+   CASE when m1 THEN g1_6 ELSE g2_2 END AS prod_2,
+   CASE when m1 THEN g1_7 ELSE g2_3 END AS prod_3,
+   CASE when m1 THEN g1_8 ELSE g2_4 END AS prod_4,
+   CASE when m1 THEN g1_9 ELSE g2_5 END AS prod_5
+
+FROM
+(
+    WITH
+        '^([^\\s]+) ([^\\s]+) INFO \[main\] \[recommendation_server.py:47\] \[trace_id=([^\\s]+) span_id=([^\\s]+) resource\.service\.name=recommendation trace_sampled=True\] - Receive ListRecommendations for product ids:\[([^\\s]+) ([^\\s]+) ([^\\s]+) ([^\\s]+) ([^\\s]+)\]$' AS pattern1,
+        '^Receive ListRecommendations for product ([^\\s]+) ([^\\s]+) ([^\\s]+) ([^\\s]+) ([^\\s]+)$' AS pattern2
+    SELECT
+        *,
+        match(Body, pattern1) AS m1,
+        match(Body, pattern2) AS m2,
+        extractAllGroups(Body, pattern1) AS g1,
+        extractAllGroups(Body, pattern2) AS g2,
+
+        arrayElement(arrayElement(g1, 1), 1) AS g1_1,
+        arrayElement(arrayElement(g1, 1), 2) AS g1_2,
+        arrayElement(arrayElement(g1, 1), 3) AS g1_3,
+        arrayElement(arrayElement(g1, 1), 4) AS g1_4,
+        arrayElement(arrayElement(g1, 1), 5) AS g1_5,
+        arrayElement(arrayElement(g1, 1), 6) AS g1_6,
+        arrayElement(arrayElement(g1, 1), 7) AS g1_7,
+        arrayElement(arrayElement(g1, 1), 7) AS g1_8,
+        arrayElement(arrayElement(g1, 1), 7) AS g1_9,
+
+        arrayElement(arrayElement(g2, 1), 1) AS g2_1,
+        arrayElement(arrayElement(g2, 1), 2) AS g2_2,
+        arrayElement(arrayElement(g2, 1), 3) AS g2_3,
+        arrayElement(arrayElement(g2, 1), 4) AS g2_4,
+        arrayElement(arrayElement(g2, 1), 5) AS g2_5
+    FROM raw_logs where ServiceName='recommendation'
+);
+
+-- Create materialized view for cart service logs
+CREATE MATERIALIZED VIEW IF NOT EXISTS mv_logs_cart
+TO logs_service_cart
+AS
+SELECT
+   multiIf(m1, 1, m2, 2, m3, 3, 0) AS TemplateNumber,
+   multiIf(m1, g1_1, m2, Null, m3, g3_1, m4, g4_1, Null) AS user_id,
+   multiIf(m1, '', m2, '', m3, g3_2, '') AS product_id,
+   multiIf(m1, '', m2, '', m3, g3_3, '') AS quantity
+
+FROM
+(
+    WITH
+        '^[\\s]*GetCartAsync called with userId=([^\\s]*)$' AS pattern1,
+        '^info\: cart.cartstore.ValkeyCartStore\[0\]$' AS pattern2,
+        '^[\\s]*AddItemAsync called with userId=([^\\s]+), productId=([^\\s]+), quantity=([^\\s]+)$' AS pattern3,
+        '^[\\s]*EmptyCartAsync called with userId=([^\\s]*)$' AS pattern4
+    SELECT
+        *,
+        match(Body, pattern1) AS m1,
+        match(Body, pattern2) AS m2,
+        match(Body, pattern3) AS m3,
+        match(Body, pattern4) AS m4,
+        extractAllGroups(Body, pattern1) AS g1,
+        extractAllGroups(Body, pattern2) AS g2,
+        extractAllGroups(Body, pattern3) AS g3,
+        extractAllGroups(Body, pattern4) AS g4,
+
+        arrayElement(arrayElement(g1, 1), 1) AS g1_1,
+        arrayElement(arrayElement(g3, 1), 1) AS g3_1,
+        arrayElement(arrayElement(g3, 1), 2) AS g3_2,
+        arrayElement(arrayElement(g3, 1), 3) AS g3_3,
+        arrayElement(arrayElement(g4, 1), 1) AS g4_1
+    FROM raw_logs where ServiceName='cart'
+);
