<a href="https://colab.research.google.com/github/AlisonJD/tb_examples/blob/main/Publish_SQL_based_endpoints_on_NGINX_log_analysis.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# Publish SQL-based endpoints on NGINX log analysis

Based on Tinybird blog post:

https://blog.tinybird.co/2021/01/28/nginx-log-analysis/

In [1]:
#@title Mount your Google Drive to save and use local files
from google.colab import drive
drive.mount('/content/gdrive', force_remount=False)

% cd "/content/gdrive/My Drive/Colab Notebooks/Tinybird/tb_examples"

Drive already mounted at /content/gdrive; to attempt to forcibly remount, call drive.mount("/content/gdrive", force_remount=True).
/content/gdrive/My Drive/Colab Notebooks/Tinybird/tb_examples


In [2]:
#@title Install Tinybird CLI, utilities and your token
!pip install tinybird-cli -q
!sudo apt-get install jq

import os
import re

if not os.path.isfile('.tinyb'):
  !tb auth

if not os.path.isdir('datasources'):
  !tb init

Reading package lists... Done
Building dependency tree       
Reading state information... Done
jq is already the newest version (1.5+dfsg-2).
0 upgraded, 0 newly installed, 0 to remove and 40 not upgraded.


In [3]:
#@title Helper function to write to files
def write_text_to_file(filename, text):
  with open(filename, 'w') as f: f.write(text)

# Worked Example from Blog: 
##Publish SQL-based endpoints on NGINX log analysis

Tinybird can be used to analyze datasets like logs.

Here we use Tinybird to:
 - analyze NGINX logs
 - publish SQL queries as API endpoints

We also show you how to model your Data Sources and API Endpoints to make them faster.


## 1. Build the Data Source from a Sample NGINX Log
Ingest the CSV and transform the columns.

In [4]:
!tb datasource generate https://raw.githubusercontent.com/tinybirdco/log_parsing_template/main/access.log.csv --force

[92m** Generated datasources/access_log.datasource
** => Create it on the server running: $ tb push datasources/access_log.datasource
** => Append data using: $ tb datasource append access.log https://raw.githubusercontent.com/tinybirdco/log_parsing_template/main/access.log.csv`
[0m


In [5]:
!tb datasource rm access_log
!tb push datasources/access_log.datasource --force

[93mDo you want to delete access_log? Once deleted, it can't be recovered[0m [y/N]: y
[92m** Data Source 'access_log' deleted[0m
[0m** Processing datasources/access_log.datasource[0m
[0m** Building dependencies[0m
[0m** Running access_log [0m
[92m** 'access_log' created[0m
[0m** Not pushing fixtures[0m


In [6]:
!tb datasource append access_log 'https://raw.githubusercontent.com/tinybirdco/log_parsing_template/main/access.log.csv'

[0m** 🥚 starting import process[0m
[92m** 🐥 done[0m
[92m** Total rows in access_log: 67351[0m
[92m** Data appended to Data Source 'access_log' successfully![0m
[0m** Data pushed to access_log[0m


Looking at a single record, we see that we need to add column names and extract information from columns.

In [7]:
!tb sql "select * from access_log limit 1"

---------------------------------------------------------------------
[1;32mcolumn_00:[0m 10.86.160.14
[1;32mcolumn_01:[0m -
[1;32mcolumn_02:[0m -
[1;32mcolumn_03:[0m [19/Jan/2021:06:25:37
[1;32mcolumn_04:[0m +0000]
[1;32mcolumn_05:[0m GET /v0/pipes/pro__ct___v0.json?id_c=18&token=XYZ HTTP/1.1
[1;32mcolumn_06:[0m 200
[1;32mcolumn_07:[0m 455
[1;32mcolumn_08:[0m -
[1;32mcolumn_09:[0m Apache-HttpClient/4.5.10 (Java/11.0.8)
---------------------------------------------------------------------


Let's do that with a Pipe:

In [8]:
filename="pipes/access_log_transform.pipe"
text='''
DESCRIPTION extract column data from raw access log and name columns
NODE extract_column_data
SQL >
    select
        IPv4StringToNum(column_00) as ip,
        parseDateTimeBestEffort(replaceOne(substring(column_03, 2), ':', ' ')) as time,
        splitByChar(' ', column_05) as tt,
        tt[1] as method,
        tt[2] as path,
        tt[3] as protocol,
        column_06 as status_code,
        column_07 as bytes,
        column_09 as user_agent
    from access_log
'''

write_text_to_file(filename, text)

!tb push pipes/access_log_transform.pipe --force

[0m** Processing pipes/access_log_transform.pipe[0m
[0m** Building dependencies[0m
[0m** Running access_log_transform [0m
[92m** => Test endpoint at https://api.tinybird.co/v0/pipes/access_log_transform.json[0m
[92m** 'access_log_transform' created[0m
[0m** Not pushing fixtures[0m


In [9]:
!tb sql "select * from access_log_transform limit 1"

-----------------------------------
[1;32mip:[0m 769996434
[1;32mtime:[0m 2021-01-19 06:48:04
[1;32mtt:[0m ['POST', '/HNAP1/', 'HTTP/1.0']
[1;32mmethod:[0m POST
[1;32mpath:[0m /HNAP1/
[1;32mprotocol:[0m HTTP/1.0
[1;32mstatus_code:[0m 301
[1;32mbytes:[0m 194
[1;32muser_agent:[0m -
-----------------------------------


## 2. Publish an Endpoint
Create an Endpoint for the number of requests and average bytes for each IP address. An Endpoint can be consumed by your data products.

In [10]:
filename="pipes/requests_per_endpoint.pipe"
text='''
DESCRIPTION requests per endpoint
NODE grouping
SQL >
    %
    SELECT
        ip,
        count() AS request_count,
        avg(bytes) as avg_bytes
    FROM access_log_transform
    GROUP BY ip
    ORDER BY request_count DESC

NODE endpoint
SQL >
    select IPv4NumToString(ip) as ip_address,
           request_count,
           avg_bytes
    from grouping
'''

write_text_to_file(filename, text)

!tb push pipes/requests_per_endpoint.pipe --force

[0m** Processing pipes/requests_per_endpoint.pipe[0m
[0m** Building dependencies[0m
[0m** Running requests_per_endpoint [0m
current https://api.tinybird.co/v0/pipes/requests_per_endpoint.json?
    new https://api.tinybird.co/v0/pipes/requests_per_endpoint__checker.json? ... ok
current https://api.tinybird.co/v0/pipes/requests_per_endpoint.json?
    new https://api.tinybird.co/v0/pipes/requests_per_endpoint__checker.json? ... ok
[92m** => Test endpoint at https://api.tinybird.co/v0/pipes/requests_per_endpoint.json[0m
[92m** 'requests_per_endpoint' created[0m
[0m** Not pushing fixtures[0m


In [11]:
TOKEN = !cat ../.tinyb | jq .token 
TOKEN = re.search(r'\"(.*?)\"', TOKEN[0]).group()[1:-1]

In [12]:
!curl https://api.tinybird.co/v0/pipes/requests_per_endpoint.json?token=$TOKEN |head -n 24

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6631  100  6631    0     0  15420      0 --:--:-- --:--:-- --:--:-- 15385
{
	"meta":
	[
		{
			"name": "ip_address",
			"type": "String"
		},
		{
			"name": "request_count",
			"type": "UInt64"
		},
		{
			"name": "avg_bytes",
			"type": "Float64"
		}
	],

	"data":
	[
		{
			"ip_address": "10.86.160.21",
			"request_count": 39624,
			"avg_bytes": 438.6311326468807
		},


In [13]:
!curl https://api.tinybird.co/v0/pipes/requests_per_endpoint.json?token=$TOKEN |tail -n 16

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6631  100  6631    0     0  15565      0 --:--:-- --:--:-- --:--:-- 15565
		{
			"ip_address": "209.141.60.10",
			"request_count": 1,
			"avg_bytes": 264
		}
	],

	"rows": 71,

	"statistics":
	{
		"elapsed": 0.002939912,
		"rows_read": 67351,
		"bytes_read": 1686164
	}
}


In [14]:
!tb sql "SELECT count() FROM requests_per_endpoint"

-----------
| [1;32mcount()[0m |
-----------
|      71 |
-----------


In [15]:
!tb sql "SELECT uniqExact(ip) from access_log_transform"

-----------------
| [1;32muniqExact(ip)[0m |
-----------------
|            71 |
-----------------


## 3. Create a Real-Time Endpoint using a Materialized View
For Endpoints serving real-time dashboards, where the user can pick, for example, different date ranges or add filters, it is unacceptable to have to wait. If we had millions of entries a day, the generated endpoints wouldn’t be as fast as needed.

The solution is to use a materialized view.

In [16]:
filename="pipes/requests_per_endpoint_mv.pipe"
text='''
DESCRIPTION materialized view
NODE matview
SQL >
    SELECT
        ip,
        countState() AS request_count,
        avgState(bytes) as avg_bytes
    FROM access_log_transform
    GROUP BY ip

TYPE Materialized
DATASOURCE requests_per_endpoint_ds
'''

write_text_to_file(filename, text)

filename="datasources/requests_per_endpoint_ds.datasource"
text='''
DESCRIPTION materialized view
SCHEMA >
    ip UInt32,
    request_count AggregateFunction(count),
    avg_bytes AggregateFunction(avg, Int32)

ENGINE AggregatingMergeTree
ENGINE_SORTING_KEY ip
'''

write_text_to_file(filename, text)

- The materialized view Pipe uses `countState` and `avgState` for the intermediate states. The Data Source has `AggregateFunction` data types to store those intermediate states.
- The Engine is not the regular `MergeTree` but instead an `AggregatingMergeTree` that tells ClickHouse to aggregate columns on merge operations.
- The sorting key tells ClickHouse which column is used for grouping.

In [17]:
!tb push pipes/requests_per_endpoint_mv.pipe --populate --force

[0m** Processing pipes/requests_per_endpoint_mv.pipe[0m
[0m** Building dependencies[0m
[0m** Running requests_per_endpoint_mv [0m
[0m** Materialized node 'matview' used the Data Source 'requests_per_endpoint_ds'[0m
[0m** Populating job url https://api.tinybird.co/v0/jobs/8c38a5db-0813-42fd-a240-ecb6c5c973ae[0m
[92m** 'requests_per_endpoint_mv' created[0m
[0m** Not pushing fixtures[0m



`--populate` loads the materialized view with the data already in `access_log_transform`

In [18]:
!tb sql "select uniqExact(ip) from requests_per_endpoint_ds" --stats

[0m** Query took 0.000808764 seconds
** Rows read: 100
** Bytes read: 400 bytes[0m
-----------------
| [1;32muniqExact(ip)[0m |
-----------------
|            71 |
-----------------


If we push new data with new IP addresses, the number of rows will rise but if we compare this to the number of rows in the original table, working with this view will be much faster.

Note that this view is updated when you append new data, it does not need to recalculate with all the data - thanks to the intermediate states.

In [26]:
filename="pipes/requests_per_endpoint_fast.pipe"
text='''
DESCRIPTION requests per endpoint fast
NODE grouping
SQL >
    %
    SELECT
        ip,
        countMerge(request_count) AS request_count,
        avgMerge(avg_bytes) as avg_bytes
    FROM requests_per_endpoint_ds
    GROUP BY ip
    ORDER BY request_count DESC

NODE endpoint
SQL >
    select IPv4NumToString(ip) as ip_address,
           request_count,
           avg_bytes
    from grouping
'''

write_text_to_file(filename, text)

!tb push pipes/requests_per_endpoint_fast.pipe --force --no-check

[0m** Processing pipes/requests_per_endpoint_fast.pipe[0m
[0m** Building dependencies[0m
[0m** Running requests_per_endpoint_fast [0m
[92m** => Test endpoint at https://api.tinybird.co/v0/pipes/requests_per_endpoint_fast.json[0m
[92m** 'requests_per_endpoint_fast' created[0m
[0m** Not pushing fixtures[0m


In [27]:
!curl https://api.tinybird.co/v0/pipes/requests_per_endpoint.json\?token\=$TOKEN | jq .statistics

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6631  100  6631    0     0  14415      0 --:--:-- --:--:-- --:--:-- 14383
[1;39m{
  [0m[34;1m"elapsed"[0m[1;39m: [0m[0;39m0.003172514[0m[1;39m,
  [0m[34;1m"rows_read"[0m[1;39m: [0m[0;39m67351[0m[1;39m,
  [0m[34;1m"bytes_read"[0m[1;39m: [0m[0;39m1686164[0m[1;39m
[1;39m}[0m


In [28]:
!curl https://api.tinybird.co/v0/pipes/requests_per_endpoint_fast.json\?token\=$TOKEN | jq .statistics

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6686  100  6686    0     0  15195      0 --:--:-- --:--:-- --:--:-- 15195
[1;39m{
  [0m[34;1m"elapsed"[0m[1;39m: [0m[0;39m0.000591102[0m[1;39m,
  [0m[34;1m"rows_read"[0m[1;39m: [0m[0;39m71[0m[1;39m,
  [0m[34;1m"bytes_read"[0m[1;39m: [0m[0;39m9612[0m[1;39m
[1;39m}[0m


The new API Endpoint using the materialized view is faster and reads far less data.

Materialized views could be used for:

- unique ip addresses by day: 
```
select toDate(time) day, uniqState(ip_address) uniq_ip 
from access_log 
group by day
```
- percentile 95 of payload size per hour:
```
select toStartOfHour(time) hour, quantileState(0.95)(ip_address) q95
from access_log_transform 
group by hour
```
- requests per month: 
```
select toStartOfMonth(time) month, countState() requests_count 
from access_log_transform 
group by month
```

