Log categories

[katrin-freihofner]

Summary of the problem (If there are multiple problems or use cases, prioritize them)
As a user I want to investigate

• logs per category
• rare log messages(we are going to focus on categories for now)

Filter/Search option
Search for free text
Filter timestamp and dataset

Next steps

Prep

• analyze available example data in kibana dashboard
• get use cases and requirements docu

Design

• create a basic user flow diagram(exploratory use case, therefore this is not needed)
• create wireframes (low-fi) for each of the main usecases
• think about licensing
• think about the experience for new users
• grok patterns vs. more specific log lines -> will be covered in latest mockups (comment from 11-11-2019)
• do we need to show example logs? Where and how? -> The first version of this feature will be without any examples.
• how could we show a trend?

Implementation
elastic/kibana#42776

[katrin-freihofner]

WIP

Layout

Categories

a)

b)

Rare logs

[weltenwort]

This is a great start, thank you.

Looking at the mock-ups lots of questions come to mind about the semantics of the chart, the column headers, the search bar and a few more. There's a lot of room for interpretation, so I feel I should wait until you're ready to give a walk-through and give a few details on those aspects.

[katrin-freihofner]

Notes from yesterdays zoom meeting:

• We will focus on categories for now (in both, design and development)
• We will show a table/list of top categories (top 25) by message count
• Additionally, we are going to show the max anomaly score or the no. of (severe) anomalies in the table
• the table can be sorted (+pagination)
• indicate dataset (it's rare, but one cat. could have multiple datasets)
• We are going to work on a visualization of the grok pattern/regex that is easy to grasp (messages can be very long)
• Categories will have context actions
• show sparklines/trends of categories

Next

• Show examples for categories
• Examples can have context actions

[katrin-freihofner]

A quick sketch of how the things we agreed on (see comment above) could look like

[weltenwort]

That looks great. What does the "+201" besides the sparkline mean?

[katrin-freihofner]

"+ 201 messages compared to the previous timeframe"

I think a number added to the sparkline could make sense, especially to indicate tiny changes? What is your opinion on that?

[weltenwort]

So you mean it's the difference between the displayed count (calculated by summing over the values in (startTime, startTime + timeframeDuration)) and the sum over the values within (startTime - timeframeDuration, startTime)?

[katrin-freihofner]

I'm thinking about adding a visual indicator for the dataset.

[jasonrhodes]

I like where this is headed -- have we considered using the non regex version of the pattern? I think they are both pretty similar in information but losing all of the .+? characters would make it much easier to parse at a glance, I think...

[katrin-freihofner]

I like where this is headed -- have we considered using the non regex version of the pattern? I think they are both pretty similar in information but losing all of the .+? characters would make it much easier to parse at a glance, I think...

Yes, this is still an open point (see checkboxes in the issue description)

[tbragin]

@katrin-freihofner Thank you for capturing the notes (sorry I didn't get to it quickly enough). I like this direction as well!

[katrin-freihofner]

In yesterdays meeting we review the mockup above and will continue as follows:

• The dataset should get it's own column
• The ML setup for categories could be separate from log rate (at least for now). We will use the simplest setup possible which will look quite the same as for the log rate tab.
• We want to try to color code the ML score
• Try to use our ned EUI datagrid
• The number (+20%) indicating trend not obvious how to interpret? Could be explained via a tooltip.
• We could skip the search for the first iteration

Context actions

• Analyze in ML
• Expand examples

Rare messages will be handled in a follow up issue.

[katrin-freihofner]

Preview ;)

Missing:

• the pattern visualization
• any context actions (Examples...)
• Setup

...if the setup is the same as in Log rate, I'm wondering if we need any mockups. 🤔

[weltenwort]

That looks awesome IMHO ❤️ I think the colored datasets in the table are useful to pattern-match visually.

Should the dataset badges in the filter area have visible/hidden icons?

We talked about a "Analyse in ML" button on the panel header akin to the log rate page. Just mentioning so we don't forget 😉

The number (+20%) indicating trend not obvious how to interpret? Could be explained via a tooltip.

The tooltip could show the actual values, e.g.

previous ~1h: 123
current ~1h: 321

if the setup is the same as in Log rate, I'm wondering if we need any mockups

I think we don't need them in this case. Where do we want to put the warning callouts on the page? Beneath the panel header?

[sophiec20]

Looks good.

Do we have an idea of typical length of category (even against our current example data)? I wonder if we may need to wrap the category rather than truncate.

I'm not sure I see that value in the (+20%) number. There could be drops and peaks in the count which gives a net zero change. Picking 1h may not be optimal for showing an issue. I think that the spark line indicates trend better. This ties in with below..

Regarding the spark line, if the time picker is selected for "last 15m" then the spark line ideally extends back further in time. What are the thoughts here? We would only have one data point to plot if set to last 15m. Perhaps we could go back last 10 buckets if range of time picker is small?

[weltenwort]

We would only have one data point to plot if set to last 15m. Perhaps we could go back last 10 buckets if range of time picker is small?

Good point. I wonder how we can include more data, though, without adding an x-axis and still being intuitive.

[katrin-freihofner]

@weltenwort

I think we don't need them in this case. Where do we want to put the warning callouts on the page? Beneath the panel header?

Yes, exactly

We talked about a "Analyse in ML" button on the panel header akin to the log rate page. Just mentioning so we don't forget

Good point, thank you!

@sophiec20

I'm not sure I see that value in the (+20%) number. There could be drops and peaks in the count which gives a net zero change. Picking 1h may not be optimal for showing an issue. I think that the spark line indicates trend better. This ties in with below..

I think it has it's value. First of all, it helps us accessibility-wise. Additionally, minor changes and also extreme changes will be much easier to spot.

[katrin-freihofner]

Latest update

Felix currently helps me figuring out what's the best way to include context actions to the data grid.

https://www.figma.com/file/T08kdh6YQcVCx1tzljqNHF/Logs-ML-Integration?node-id=0%3A1

[katrin-freihofner]

After our discussion in yesterday's design weekly, we are back to the table. The main reason is that data grid currently only allows columns with equal width and we definitely want to have more space for the log message/category.

[katrin-freihofner]

Following our discussions at EAH I updated the following:

• pattern visualization (single *)
• Placement of actions button
• adding dataset column

Which leads us to (without examples)

...and (with examples)

[roncohen]

@katrin-freihofner I see the little blue thing moved to the right and is now overlayed on the message field :)
Is that also the direction we're going on the "Stream" page? we should make sure it's consistent

[katrin-freihofner]

@katrin-freihofner I see the little blue thing moved to the right and is now overlayed on the message field :)
Is that also the direction we're going on the "Stream" page? we should make sure it's consistent

@roncohen sure, it needs to be consistent with the stream view. To be honest, I'm not sure if we should move it to the right, or keep it left. Also, as it really stands out, therefore I think it's fine either way.

[mark54g]

Quick question on the filter section of the UI.

Will this update make the behavior similar to discover with the + and - ?

[weltenwort]

@mark54g what behavior in discover are you referring to? This is about showing the top N message patterns derived from the log messages via the ml categorization feature.

[mark54g]

@weltenwort -
In discover, you can take messages and add fields to do positive/negative filtering
It would be good to have similar functionality in the logs UI

[tbragin]

@mark54g We have this functionality in the Logs >> Stream app.

Finding it is a bit of a different story, you have to mouse over an entry and you'll see a little blue indicator on the right, which brings out a fly out. We are trying to improve that experience

[mark54g]

Thanks @tbragin
I just recall someone mentioning having that consistency would be wonderful (keeping it similar to Discover)

[tbragin]

@mark54g Ok. Happy to discuss, but let's take it to a separate issue, since it's unrelated to log categories feature we're discussing here. Btw, Discover UX is going to change to be based on the EUI datagrid (link), so the plus / minus controls are not going to be there after that overhaul.

[mark54g]

Sorry. Will do