Details
Improvement
Status: Closed
Major
Resolution: Resolved
Description
The nodes Streaming Expression performs a breadth-first graph traversal. This ticket will add a window parameter to allow the nodes expression to traverse the graph within a window of time.
To take advantage of this feature you must index the content with a String field which is an ISO timestamp truncated at ten seconds. Then the window parameter can be applied to walk the graph within a window prior to a specific ten-second window and perform aggregations.
The main use cases for this feature are event correlation and root cause analysis. This is useful in many different fields.
Here is an example using Solr logs to answer the following question:
What types of log events occur most frequently in the 30 second window prior to 10 second windows with the most slow queries?
nodes(logs,
      facet(logs, q="qtime_s:[5000 TO *]", buckets="time_ten_seconds", rows="25"),
      walk="time_ten_seconds->time_ten_seconds",
      window="3",
      gather="type_s",
      count(*))
This ticket is phase 1. Phase 2 will auto-detect different ISO timestamp truncations so that increments of one second, one minute, one day, etc. can also be traversed using the same query syntax. There will be a follow-on ticket for that after this ticket is completed. This will create a more general purpose time graph.
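The following is an added illustration, not code from this ticket or from Solr: an in-memory Python emulation of what the example expression computes, including the truncation needed to populate time_ten_seconds. It assumes timestamps of the form 2020-04-01T12:00:36Z (optionally with fractional seconds) and that window="3" means the three ten-second buckets immediately before each slow-query bucket, excluding that bucket itself; the function names, the dict keys date and qtime_ms, and the sample events are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

def truncate_ten_seconds(ts):
    """Value to index in time_ten_seconds: ISO timestamp floored to 10 s."""
    dt = datetime.strptime(ts[:19], FMT)  # ts[:19] drops ".123Z" or "Z"
    return dt.replace(second=dt.second - dt.second % 10).strftime(FMT) + "Z"

def prior_windows(bucket, window):
    """The `window` ten-second buckets immediately before `bucket`
    (assumed semantics: the anchor bucket itself is excluded)."""
    dt = datetime.strptime(bucket[:19], FMT)
    return [(dt - timedelta(seconds=10 * i)).strftime(FMT) + "Z"
            for i in range(1, window + 1)]

def correlate(events, window=3, slow_ms=5000):
    """Emulate the expression: root buckets are those containing slow
    queries (the real facet keeps only the top 25 by count), then event
    types are counted in the buckets that precede each root bucket."""
    roots = {truncate_ten_seconds(e["date"])
             for e in events if e.get("qtime_ms", 0) >= slow_ms}
    walk = {w for r in roots for w in prior_windows(r, window)}
    return Counter(e["type_s"] for e in events
                   if truncate_ten_seconds(e["date"]) in walk)

# Constructed sample log events (not real Solr output).
EVENTS = [
    {"date": "2020-04-01T11:59:55Z",     "type_s": "update"},       # too early
    {"date": "2020-04-01T12:00:03.120Z", "type_s": "commit"},
    {"date": "2020-04-01T12:00:14Z",     "type_s": "update"},
    {"date": "2020-04-01T12:00:27Z",     "type_s": "commit"},
    {"date": "2020-04-01T12:00:29Z",     "type_s": "newSearcher"},
    {"date": "2020-04-01T12:00:36Z",     "type_s": "query", "qtime_ms": 7200},
    {"date": "2020-04-01T12:00:38Z",     "type_s": "query", "qtime_ms": 12},
]

if __name__ == "__main__":
    for type_s, count in correlate(EVENTS).most_common():
        print(type_s, count)
```

Events in the slow-query bucket itself (12:00:30Z here) are not counted under this assumption; only the 30 seconds before it are.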