Eql Sampling

[astefan]

A sample searches for events matching the declared filters in all possible permutations. The result of a sample is identical in structure with the one of a sequence, but for each combination of join key values, if there is at least one match, the result will contain only one events combination matching the sample (as opposed to sequences where all results are returned).

[costin]

Left some comments.

[costin]

tiebreaker() could be cached and the condition evaluated outside the loop - just like the previous change.

[costin]

Join and Sampling share common properties so it makes sense to reuse code between them however due to the difference in semantics, it's better the classes don't extend one another.
Sequence extends Join so if Join extends Sampling it means Sequence is a type of sampling.
Also Join currently exists as a logical plan without being exposed in the query .
My suggestion is to extract the common join properties into a separate class (say AbstractJoin) and keep Sequence/Join separately from Sample.

[costin]

Sample I think works better than sampling - we use sequence as oppose to sequencing, join instead of joining.

[costin]

Use EQL exceptions to wrap the underlying exception - adds consistency and proper handling.

[costin]

singleKeyPair

[costin]

multipleKeyPairs

[costin]

Better to make this static and parameterize it - not for performance but to indicate that it copies any given source as oppose to copying the existing source and then returning a new instance.
Make the copy/modify/reassign code flow better.

[costin]

A common base Criterion class which contains the keys, key extraction and the key size is useful not just in sharing code but also in ExecutionManager.

[costin]

Left another round of comments.

[costin]

A better name might be samples (since sampling means the process of selecting the sample).

[costin]

Why is this relevant only for the Sequence but not for Sample?

[astefan]

Because in a Sample there is no notion of limit (so far at least) and what this is doing is to add a limit plan to the tree.

[Luegg]

does that mean that fetch_size is ignored for sample? Is there a global limit for join keys then or will sample just always return all the keys?

[astefan]

fetch_size is different. What you probably meant is size. And yes, for now, there is no limit and it will return all keys.

I will add fetch_size support in a new commit. This one is about the size of the results page returned by the composite aggregation and it has a very similar meaning in sequences as well.

[Luegg]

yes, I had size in mind. Isn't support for size somewhat crucial? Otherwise a query might easily OOM due to too many samples.

[costin]

+1 on addressing limit/size in a separate PR if it's non-simplistic - this one is already quite big.
Potentially open a separate branch from sample to avoid any impact on releases.

[costin]

SampleCriterion extends Criterion<AggregatedQueryRequest>
Since the AggregatedQueryRequest is not used anywhere else it could be renamed to SampleQueryRequest.

[costin]

SequenceCriterion extends Criterion<BoxedQueryRequest>

[costin]

final var hits = ..

[costin]

could use better names to avoid the comments - int reponseIndex / currentResponse, int groupIndex, currentGroup

[costin]

var next = page.size() == MAX_PAGE_SIZE ? page : stack.pop(); log.trace("Final stage... getting next page of the " + (next == page ? "current" : "previous") + " page"); nextPage(listener, next); 

[costin]

Does it make sense to introduce a new type for Sample?

[astefan]

It may make sense in the future, not sure. I added it. But the payload is still a List of Sequences (the result of a Sample has an identical structure to a Sequence) and it's a bit more involved to add a Sample payload.

[costin]

This seems better suited as a logical optimization rule as a oppose to a folding one.

[astefan]

Actually, this is a leftover from one of the initial ideas on how to introduce bucket extractors. The name of this rule is a misnomer, it doesn't actually propagate the composite keys, but more creating extractors. I've removed this rule, the logic that's adding the extractors is in ExecutionManager.

[elasticmachine]

Pinging @elastic/es-ql (Team:QL)

[elasticsearchmachine]

Hi @astefan, I've created a changelog YAML for you.

[astefan]

@elasticmachine update branch

[luigidellaquila]

This class does not seem to have much meaning after this refactoring, probably we can just remove it.

[astefan]

Actually, I've moved to this class a common part of SampleCriterion and SequenceCriterion - the keySize.

[Luegg]

Lots to digest here so I'm only leaving some preliminary comments for now.

[Luegg]

I think Stream.allMatch would help a lot here to communicate the intent. As in:

 boolean shouldLoadData = Arrays.stream(index.split(",")) .allMatch( indexName -> provisioningClient.performRequest(new Request("HEAD", "/" + unqualifiedIndexName(indexName))) .getStatusLine() .getStatusCode() == 200 ); 

[Luegg]

I think this could be clearer if this logic is pushed to idField(). The default implementation can return tiebreaker() and EqlSampleTestCase.idField() stays as is.

[Luegg]

Why is tiebreaker not used for sampling queries?

[astefan]

In general, a sample has no sense of chronological status. A sample is an unordered sequence of events and, in a way, is a less restrictive sequence.

In this particular case (EqlSampleTestCase) the id (which should be unique for all documents in the testing scenario) makes more sense for identifying the matching documents than a tiebreaker.

[Luegg]

One case I'm missing (and currently fails) is a sample without a join key as in sample [any where true] [any where true].

[Luegg]

another one is composition with head/tail. It looks like these two are ignored.

[astefan]

You're right. I'll add them.

[astefan]

@Luegg thinking about this some more, samples do not make sense without a join key. Without the restriction of chronological order and without an element that ties the two events together (the join key), the returned events are just a collection of random (technically not random) events.
I've added 0-join keys as a restriction.
Same for head and tail (or pipes in general) - a limitation for the moment. head and tail may be part of the size/limit story but these details haven't been ironed out yet.

[Luegg]

Suggested change

	hasJoin.set(hasJoin.get() || plan.anyMatch(Sample.class::isInstance));
	boolean hasJoin = plan.anyMatch(AbstractJoin.class::isInstance)

[astefan]

I've done it the way it is in the PR because the first anyMatch is already traversing the tree and I wanted to take advantage of that step and not do the traversal twice in all cases.

[Luegg]

payload can be inlined and the curly braces of the lambda can be dropped

[Luegg]

"stage" and "criteria" seems to be used interchangeably. I think it would be easier to understand if only one of the two terms is used in the code base. Stage is quite an overloaded term.

[Luegg]

The use of "key" and "value" is somewhat inconsistent which makes it hard to follow what's being passed. As far as I understand, values is a list of join keys and previousCriterionKeys is the list of join key field names. Also, on the call site both arguments are referred to as just "keys": request.multipleKeyPairs(previousCriterion.keys(previousResults.hits), previousResults.keys).

[astefan]

In general, "key" is the name of the field, "value" is its value.

[Luegg]

does that mean that fetch_size is ignored for sample? Is there a global limit for join keys then or will sample just always return all the keys?

[Luegg]

Maybe it would be easier to create new search source builders from scratch instead of hacky copy. This way it would also be more explicit what needs to end up in the source for the according query. E.g. currently it also inherits the fields from the original query which is not really needed as far as I understand.

[astefan]

When I took the decision on hacky copying the source, I realized it was close to impossible to copy a SearchSourceBuilder because of queryBuilder (which has many implementations). You'd have to copy a BoolQueryBuilder and ExistsQueryBuilder and other possible such builders we use in functions and operators.

[astefan]

@elasticmachine update branch

[astefan]

@elasticmachine run elasticsearch-ci/part-2

[astefan]

@elasticmachine run elasticsearch-ci/docs-check

[luigidellaquila]

Adding some comments

[luigidellaquila]

This can be avoided by making request final (it's never reassigned)

[luigidellaquila]

Suggested change

	if (nextPage != null && nextPage.size() > 0) {
	if (nextPage.size() > 0) {

nextPage cannot be null here

[luigidellaquila]

If I'm not wrong, this logic is exactly the same as nextPage() (apart from the log message), probably it's worth extracting it as a method and use it in both contexts

[luigidellaquila]

Are values conceptually Sequences?
Structurally, for transport purposes, Sequence does the job, even though the events are supposed to be a Set (not a List).
Just wondering if it makes sense to keep the two concepts separate and have a specialized EqlSearchResponse.Sample

[astefan]

Yes, the response of a "sample" is identical in structure with the one of a "sequence".

[luigidellaquila]

Can these search hits contain duplicates in practice?
It makes sense to test the algorithm in this case as well, just wondering if the algorithm can be simplified if it's not true (ie. avoid the backtracking by sorting the searchHits lists by size)

[luigidellaquila]

I thought a bit about this, IMHO we should not test duplicates here. They are not allowed by construction (each query in the final reduce step should not produce duplicates), and they would also invalidate the general approach (ie. if you had duplicates, you could not rely on size=n and terminate_after=n in the final queries, without losing results).
The backtracking algorithm tolerates duplicate results, but IMHO it can be improved, and this test could fail with a different, yet valid, algorithm that does not tolerate duplicates.

[luigidellaquila]

Probably we can use List<Set<SearchHit>> here. It would make some operations faster (ie. contains()) and it would make the intention more clear.

[astefan]

I don't think a Set can be used here. The order of each sub-list of SearchHits should be kept. Each sub-list matches one filter of the query. The position of the SearchHit should correspond to the position of the query filter.

[luigidellaquila]

Isn't the order of requests kept in the first List...? The Set contains the results for a single query filter, that should not be so relevant as long as you can decide which filter you run first

[astefan]

You're right. That order shouldn't matter.

[costin]

LGTM! This looks great!

[costin]

👍 for using """

[costin]

nit - the ternary expression makes this a one-liner: return frequently() ? 2 : super.requestFetchSize()

[costin]

+1 on addressing limit/size in a separate PR if it's non-simplistic - this one is already quite big.
Potentially open a separate branch from sample to avoid any impact on releases.

[costin]

Please create an issue for it so it doesn't get lost.

[costin]

Nit, switch the check: check on Sample and return it otherwise fallback to the existing code - less code modified.

[rw-access]

hey @astefan! it's been a while! 🙂
cool feature, looks similar to Endgame EQL join but without all the baggage that word brings, so I'm glad to see the name change.

I think it behaves how I would intuitively expect, just want to double check one property: how are the resulting events ordered? Is it (1) in declaration order, parallel to the structure of the query? Or is it (2) chronological order, not mirroring the structure.

I can understand arguments for both, and I think (1) makes the most intuitive sense to me and that was how the Endgame join syntax behaved. From a quick glance, it looks like this is the current behavior, which sounds like the right call.

Glad to see this happen, it's exciting!

[astefan]

hey @rw-access. Nice to see you in the PR :-) and thank you for the interest.
The events mirror the structure of the query. The position of one event corresponds to the same position of the filter it is matching.

[rw-access]

excellent! that's what it looked like. nice work with the feature!

[bpintea]

Impressive work, LGTM!

[bpintea]

Nit: might be nice to extract this value into a constant. Also, I guess a doc PR will follow.

Then, given the "narrowing" nature of the keys-searching algorithm and capped composite page size (vs. just permutations search), it might be too conservative. But I guess that's future work.

[bpintea]

Not strictly related to this line: I understand that the sample has practically the same format as a sequence and that a sample is a list of Sequences, but the result isn't a sequence at all - the order of events is influenced by the order of the rules, but that's an implementation detail - so I'd find it natural for the result to reflect that: i.e. the result's hits should contain samples instead of sequences, imo. Otoh, keeping it like this might be easier to implement by the clients.

[bpintea]

The varadic argument is provided nowhere.

[astefan]

Nice catch! I've removed it.

[bpintea]

Optional alternative: do away with false == ... by renaming var to dataLoaded.

[bpintea]

nit: method's only called here, could be replaced by assertBadRequest(..., 400)

[bpintea]

criteria

[luigidellaquila]

LGTM, great work!

[astefan]

@elasticmachine update branch