[HDX-3964] Add event pattern mining to CLI (Shift+P)

[wrn14897]

Summary

Adds a pattern mining feature to the CLI, accessible via Shift+P. This mirrors the web app's Pattern Table functionality but runs entirely in TypeScript — no Pyodide/Python WASM needed.

Linear: https://linear.app/hyperdx/issue/HDX-3964

What changed

1. Drain library in common-utils (packages/common-utils/src/drain/)

Ported the browser-drain TypeScript library into @hyperdx/common-utils. This is a pure TypeScript implementation of the Drain3 log template mining algorithm, including:

• TemplateMiner / TemplateMinerConfig — main API
• Drain — core algorithm with prefix tree and LRU cluster cache
• LogMasker — regex-based token masking (IPs, numbers, etc.)
• LruCache — custom LRU cache matching Python Drain3's eviction semantics
• 11 Jest tests ported from the original node:test suite

2. CLI pattern view (packages/cli/src/components/EventViewer/)

Keybinding: Shift+P toggles pattern view (pauses follow mode, restores on exit)

Data flow (mirrors web app's useGroupedPatterns):

• Issues SELECT ... ORDER BY rand() LIMIT 100000 to randomly sample up to 100K events
• Issues parallel SELECT count() to get true total event count
• Feeds sampled log bodies through the TypeScript TemplateMiner
• Estimates pattern counts via sampleMultiplier = totalCount / sampledRowCount
• Computes time-bucketed trend data per pattern

UI:

• Pattern list with columns: Est. Count (with ~ prefix), Pattern
• l/Enter expands a pattern to show its sample events (full table columns)
• h/Esc returns to pattern list
• j/k/G/g/Ctrl+D/Ctrl+U navigation throughout
• Loading spinner while sampling query runs

Alias fix: Pattern and count queries compute WITH clauses from the source's defaultTableSelectExpression so Lucene searches using aliases (e.g. level:error where level is an alias for SeverityText) resolve correctly.

New files

• packages/common-utils/src/drain/ — 7 source files + barrel index
• packages/common-utils/src/__tests__/drain.test.ts
• packages/cli/src/components/EventViewer/usePatternData.ts
• packages/cli/src/components/EventViewer/PatternView.tsx
• packages/cli/src/components/EventViewer/PatternSamplesView.tsx

Modified files

• packages/cli/src/api/eventQuery.ts — added buildPatternSampleQuery, buildTotalCountQuery, buildAliasWithClauses
• packages/cli/src/components/EventViewer/EventViewer.tsx — wired in pattern state + rendering
• packages/cli/src/components/EventViewer/useKeybindings.ts — added P, l, h keybindings + pattern/sample navigation
• packages/cli/src/components/EventViewer/SubComponents.tsx — added P to help screen

Demo

Screen.Recording.2026-04-10.at.6.06.18.PM.mov

[github-actions]

🔴 Tier 4 — Critical

Touches auth, data models, config, tasks, OTel pipeline, ClickHouse, or CI/CD.

Why this tier:

• Large diff: 1837 lines changed (threshold: 1000)

Review process: Deep review from a domain expert. Synchronous walkthrough may be required.
SLA: Schedule synchronous review within 2 business days.

Stats

• Files changed: 21
• Lines changed: 1837 (+ 287 in test files, excluded from tier calculation)
• Branch: HDX-3964
• Author: wrn14897

To override this classification, remove the review/tier-4 label and apply a different review/tier-* label. Manual overrides are preserved on subsequent pushes.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hyperdx-oss	Ready	Preview, Comment	Apr 14, 2026 5:57pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 00c8507

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@hyperdx/cli	Patch
@hyperdx/common-utils	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

PR Review

• ⚠️ PatternSamplesView cursor highlight is broken — The view slices samples with tableMaxRows = maxRows - 3 (reserving 3 header rows), but useKeybindings uses bare maxRows as the visible window size for navigation bounds (if (next >= maxRows), visibleCount = Math.min(sampleCount - sampleScrollOffset, maxRows)). The i === selectedRow check maps into the visible slice (max index tableMaxRows - 1), so the cursor will be invisible for the bottom 3 positions, and scrolling triggers 3 rows too late. Fix: use tableMaxRows (i.e. maxRows - 3) in the sample navigation bounds in useKeybindings, or pass the effective row limit as a prop.

• ⚠️ expandedPattern not reset when reopening pattern view — The P keybinding that opens patterns resets patternSelectedRow/patternScrollOffset but not expandedPattern. If the user expands a pattern, closes the view, then reopens it, they'll land directly in the samples view of the previously selected pattern with potentially stale data. Fix: add setExpandedPattern(null) in the open-pattern handler.

• ℹ️ usePatternData.ts is 333 lines — CLAUDE.md specifies keeping files under 300 lines. Consider extracting the time-bucketing utilities or the pattern mining loop into a helper.

[github-actions]

E2E Test Results

✅ All tests passed • 132 passed • 3 skipped • 1032s

Status	Count
✅ Passed	132
❌ Failed	0
⚠️ Flaky	3
⏭️ Skipped	3

Tests ran across 4 shards in parallel.

View full report →