## Generating Application Level Variations

In [1]:
from datasets import Dataset
import pandas as pd
import instructor
from openai import OpenAI

client = instructor.from_openai(OpenAI())

dataset_path = "nl-logql-dataset-00"
dataset = Dataset.load_from_disk(dataset_path)

df = dataset.to_pandas()

In [2]:
pd.set_option("display.max_colwidth", 1000)

In [3]:
print(df.sample(n=1).to_json(orient="records"))

[{"application":"openssh","id":59,"question":"How many attempts were made to authenticate with invalid users from each unique source IP in the past 24 hours? (more than 200 attempts)","logql_query":"sum(\nsum by (source_ip) (\n  count_over_time(\n    {application=\"openssh\", hostname=\"LabSZ\"}\n    |~ \"Failed password for invalid user\"\n    | regexp \"Failed password for invalid user (?P<invalid_user>\\\\S+) from (?P<source_ip>\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\"\n    | __error__=\"\"\n    [24h]\n  )\n) > 200\n)","query_explanation":"1\n{application=\"openssh\", hostname=\"LabSZ\"}\nFetch all log lines matching label filters.\n2\n<expr> |~ `Failed password for invalid user`\nReturn log lines that match a RE2 regex pattern. Failed password for invalid user.\n\n3\n<expr> | regexp `Failed password for invalid user (?P<invalid_user>\\S+) from (?P<source_ip>\\d+\\.\\d+\\.\\d+\\.\\d+)`\nThe regexp parser takes a single parameter | regexp \"<re>\" which is the regular expression usi

In [4]:
all_columns = df.columns.to_list()

In [42]:
# columns_to_vary = ["question", "logql_query", "query_explanation", "query_result"]

columns_to_vary = ["question", "logql_query", "query_result"]
columns_to_keep = [col for col in all_columns if col not in columns_to_vary]

columns_for_llm = columns_to_vary
columns_for_llm.append("application_variables")

In [43]:
print(columns_to_vary)
print(columns_to_keep)
print(columns_for_llm)

['question', 'logql_query', 'query_result', 'application_variables']
['application', 'id', 'query_explanation', 'category', 'log_category_result', 'line_filter', 'label_filter', 'metric_category_result', 'metric_category', 'variables', 'application_variables', 'row_variables']
['question', 'logql_query', 'query_result', 'application_variables']


In [7]:
print(df[columns_for_llm].sample(n=1).to_json(orient="records"))

[{"question":"How many times did we encounter 'Corrupted MAC on input' errors in the last week, grouped by host?","logql_query":"sum by (hostname) (count_over_time({application=\"openssh\"} |= \"Corrupted MAC on input\" [1w]))","query_explanation":"1\n{application=\"openssh\"}\nFetch all log lines matching label filters.\n2\n<expr> |= `Corrupted MAC on input`\nReturn log lines that contain string Corrupted MAC on input.\n\n3\ncount_over_time(<expr> [1w])\nThe count of all values in the specified interval. The range vector is set to 1w.\n\n4\nsum by(hostname) (<expr>)\nCalculates sum over dimensions while preserving label hostname.","query_result":"1","application_variables":["application","hostname"]}]


In [24]:
SYSTEM_PROMPT = """You are a senior data analyst and data engineer tasked with generating variations of a dataset. Your goal is to read each row of the dataset, focus on specified columns, and create multiple variations while keeping certain columns constant.

Here is the format you'll receive the dataset row in:
<dataset>
{{DATASET}}
</dataset>

Here is the format you'll receive the columns you should vary be
<columns_to_vary>
{{COLUMNS_TO_VARY}}
</columns_to_vary>

Here is the format you'll receive the columns that should remain constant in:
<columns_to_keep>
{{COLUMNS_TO_KEEP}}
</columns_to_keep>

You are to generate {{NUM_VARIATIONS}} variations for each row in the dataset.

Important notes:
1. Pay special attention to the 'application_variables' column, as it determines which variables should be changed for each row.
2. The dataset contains LogQL queries. You should be able to understand and infer LogQL (Grafana Loki's Log Query Language) when generating variations.
3. `query_explanation` column breaks down and explains the LogQL queries.

Follow these steps to generate variations:
1. Read each row of the dataset.
2. Identify the 'application' for the current row.
3. Identify and determine the `application_variables`  which variables need to be changed.
4. Generate {{NUM_VARIATIONS}} new values for each variable that needs to be changed.
5. Create {{NUM_VARIATIONS}} new rows based on the original row, replacing the variable values with the newly generated ones.
6. Ensure that the columns specified in <columns_to_keep> remain unchanged in all variations.
7. Make sure to adjust the query accordingly as it references the changed variables.

Follow these notes on "what" the variations should be:
1. "application" variables should be renamed as if they are different tenants and instances of that application. For eg:
'openssh' -> "openssh-us-east', 'openssh-tenant-1', ...
2. Rewrite the `question` column to always explicitly mention the "application" variable.
3. Rewrite all "columns_to_vary"  wherever possible to explicitly mention the "application" variable.

When handling LogQL queries:
1. Analyze the query to identify any references to variables that are being changed.
2. Modify the query to use the new variable values in each variation.
3. Ensure that the modified query is still valid LogQL syntax.
4. Update the 'query_explanation' to reflect any changes made to the query.

For each variation you generate, provide the following output:

<variation>
<original_row>
Include the original row data here
</original_row>
<varied_row>
Include the varied row data here, with changed variables and updated LogQL query if applicable
</varied_row>
<changes_made>
Explain which variables were changed and how they affect the row data and LogQL query
</changes_made>
</variation>

Repeat this process for each row in the dataset, generating {{NUM_VARIATIONS}} variations for each row. Ensure that your variations maintain the integrity and logic of the original data while introducing meaningful changes to the specified variables.

Here is an example for you:
## example
<dataset>
[{"question":"How many unique users experienced authentication failures from the IP address 5.36.59.76?","logql_query":"count(\nsum(count_over_time({application=\"openssh\", hostname=\"LabSZ\"}\n|= ip(\"5.36.59.76\")\n| regexp \"(?P<message>(Failed password for (invalid user )?(?P<user>\\\\S+)|message repeated (?P<repeat_count>\\\\d+) times: \\\\[ Failed password for (invalid user )?(?P<repeated_user>\\\\S+))) from 5\\\\.36\\\\.59\\\\.76 port (?P<port>\\\\d+) ssh2\"\n| __error__=\"\"\n| label_format user=\"{{ or .user .repeated_user }}\"\n| __error__=\"\"\n[30d])) by (user))","query_explanation":"1\n{application=\"openssh\", hostname=\"LabSZ\"}\nFetch all log lines matching label filters.\n2\n<expr> |= ip(`5.36.59.76`)\nReturn log lines using IP matching of 5.36.59.76\n\n3\n<expr> | regexp `(?P<message>(Failed password for (invalid user )?(?P<user>\\S+)|message repeated (?P<repeat_count>\\d+) times: \\[ Failed password for (invalid user )?(?P<repeated_user>\\S+))) from 5\\.36\\.59\\.76 port (?P<port>\\d+) ssh2`\nThe regexp parser takes a single parameter | regexp \"<re>\" which is the regular expression using the Golang RE2 syntax. The regular expression must contain a least one named sub-match (e.g (?P<name>re)), each sub-match will extract a different label. The expression matches the structure of a log line. The extracted labels can be used in label filter expressions and used as values for a range aggregation via the unwrap operation.\n\n4\n<expr> | __error__=``\nFilter out all formatting and parsing errors.\n\n5\n<expr> | label_format user=\"{{ or .user .repeated_user }}\"\nThis will change name of label to desired new label. In the example below, label \"error_level\" will be renamed to \"level\".\n\nExample: error_level=`level`\n\nRead the docs for more.\n\n6\n<expr> | __error__=``\nFilter out all formatting and parsing errors.\n\n7\ncount_over_time(<expr> [30d])\nThe count of all values in the specified interval. The range vector is set to 30d.\n\n8\nsum by(user) (<expr>)\nCalculates sum over dimensions while preserving label user.\n\n9\ncount(<expr>)\nCalculates count over the dimensions.","query_result":"1","application_variables":["application","hostname"]}]
</dataset>

<columns_to_vary>
['question', 'logql_query', 'query_explanation', 'query_result']
</columns_to_vary>

<columns_to_keep>
['application', 'id', 'category', 'log_category_result', 'line_filter', 'label_filter', 'metric_category_result', 'metric_category', 'variables', 'application_variables', 'row_variables']
</columns_to_keep>

<variables_column>
application_variables
</variables_column>

You are to generate 3 variations for each row in the dataset.
"""

In [89]:
USER_PROMPT = """
<dataset>
{DATASET}
</dataset>

<columns_to_vary>
{COLUMNS_TO_VARY}
</columns_to_vary>

<columns_to_keep>
{COLUMNS_TO_KEEP}
</columns_to_keep>

<variables_column>
{VARIABLES}
</variables_column>

You are to generate 5 variations for each row in the dataset.
"""

In [90]:
print(
    USER_PROMPT.format(
        DATASET="l",
        COLUMNS_TO_VARY=columns_to_vary,
        COLUMNS_TO_KEEP=columns_to_keep,
        VARIABLES=["row_variables"],
    )
)


<dataset>
l
</dataset>

<columns_to_vary>
['question', 'logql_query', 'query_result', 'application_variables']
</columns_to_vary>

<columns_to_keep>
['application', 'id', 'query_explanation', 'category', 'log_category_result', 'line_filter', 'label_filter', 'metric_category_result', 'metric_category', 'variables', 'application_variables', 'row_variables']
</columns_to_keep>

<variables_column>
['row_variables']
</variables_column>

You are to generate 5 variations for each row in the dataset.



In [94]:
from pydantic import BaseModel, Field, field_validator
from typing import List, Dict
from instructor.utils import disable_pydantic_error_url

disable_pydantic_error_url()


class Row(BaseModel):
    chain_of_thought: str = Field(
        description="Your step-by-step thought process of each Variation, the variables changed and the fields where they were changed"
    )
    question: str
    logql_query: str
    query_explanation: str
    query_result: str


def generate_synthetic_data(row: Dict):
    # synthetic_rows = [row]
    synthetic_rows = []

    try:
        rows = client.chat.completions.create(
            model="gpt-4o-mini",
            response_model=List[Row],
            # max_retries=2,
            temperature=0.1,
            max_tokens=8192,
            messages=[
                {"role": "system", "content": SYSTEM_PROMPT},
                {
                    "role": "user",
                    "content": USER_PROMPT.format(
                        DATASET=row,
                        COLUMNS_TO_VARY=columns_to_vary,
                        COLUMNS_TO_KEEP=columns_to_keep,
                        VARIABLES=row["row_variables"],
                    ),
                },
            ],
        )
    except Exception as e:
        print(e)
        synthetic_row = row.copy()
        del synthetic_row["id"]
        return {"synthetic_rows": synthetic_rows}

    for _row in rows:
        synthetic_row = row.copy()
        del synthetic_row["id"]
        synthetic_row["question"] = _row.question
        synthetic_row["logql_query"] = _row.logql_query
        synthetic_row["query_explanation"] = _row.query_explanation
        synthetic_row["query_result"] = _row.query_result

        synthetic_rows.append(synthetic_row)
    return {"synthetic_rows": synthetic_rows}

In [96]:
import os

synthetic_dataset = dataset.map(generate_synthetic_data, num_proc=os.cpu_count())

  StockPickler.save(self, obj, save_persistent_id)
  StockPickler.save(self, obj, save_persistent_id)


Map (num_proc=20):   0%|          | 0/100 [00:00<?, ? examples/s]

RetryError[<Future at 0x767a12baee10 state=finished raised ValidationError>]
RetryError[<Future at 0x767997519a90 state=finished raised ValidationError>]
RetryError[<Future at 0x767a12d93650 state=finished raised ValidationError>]
RetryError[<Future at 0x767994d5b050 state=finished raised ValidationError>]
RetryError[<Future at 0x76799747f620 state=finished raised IncompleteOutputException>]
RetryError[<Future at 0x767997478b90 state=finished raised IncompleteOutputException>]
RetryError[<Future at 0x767994d971d0 state=finished raised IncompleteOutputException>]
RetryError[<Future at 0x767a12bb35c0 state=finished raised ValidationError>]
RetryError[<Future at 0x76799746d0a0 state=finished raised IncompleteOutputException>]
RetryError[<Future at 0x767994d3d0d0 state=finished raised ValidationError>]
RetryError[<Future at 0x767a12bb1940 state=finished raised ValidationError>]
RetryError[<Future at 0x76799747f620 state=finished raised IncompleteOutputException>]
RetryError[<Future at 0x76

In [98]:
synthetic_dataset = synthetic_dataset.map(remove_columns=dataset.column_names)

Map:   0%|          | 0/100 [00:00<?, ? examples/s]

In [107]:
synthetic_dataset["synthetic_rows"][0][0]

{'application': 'openstack',
 'application_variables': ['application'],
 'category': '',
 'label_filter': 'multiple log stream selectors',
 'line_filter': 'multiple line filters',
 'log_category_result': {'chain_of_thought': 'Analyzing the query, it contains three label filters: `application="openstack"`, `log_file_type="nova-compute"`, `component="nova.compute.manager"`. Additionally, there are three line filters (`|= "3edec1e4-9678-4a3a-a21b-a145a4ee5e61"`, `|= "Took"`, `|= "seconds to spawn the instance on the hypervisor"`) followed by a regex operation and a line format operation. The presence of three label filters classifies this under multiple log stream selectors, and the presence of more than one line filter classifies it under multiple line filters.',
  'label_filter': 'multiple log stream selectors',
  'line_filter': 'multiple line filters'},
 'logql_query': '{application="openstack-us-east", log_file_type="nova-compute", component="nova.compute.manager"} |= "3edec1e4-9678-4

In [109]:
synthetic_df = synthetic_dataset.to_pandas()

In [111]:
synthetic_df["synthetic_rows"][0]

array([{'application': 'openstack', 'application_variables': array(['application'], dtype=object), 'category': '', 'label_filter': 'multiple log stream selectors', 'line_filter': 'multiple line filters', 'log_category_result': {'chain_of_thought': 'Analyzing the query, it contains three label filters: `application="openstack"`, `log_file_type="nova-compute"`, `component="nova.compute.manager"`. Additionally, there are three line filters (`|= "3edec1e4-9678-4a3a-a21b-a145a4ee5e61"`, `|= "Took"`, `|= "seconds to spawn the instance on the hypervisor"`) followed by a regex operation and a line format operation. The presence of three label filters classifies this under multiple log stream selectors, and the presence of more than one line filter classifies it under multiple line filters.', 'label_filter': 'multiple log stream selectors', 'line_filter': 'multiple line filters'}, 'logql_query': '{application="openstack-us-east", log_file_type="nova-compute", component="nova.compute.manager"} |

In [122]:
expanded_df = pd.DataFrame(
    [item for row in synthetic_df["synthetic_rows"] for item in row]
)

# Reset the index if needed
expanded_df.reset_index(inplace=True)

In [123]:
expanded_df.rename(columns={"index": "id"}, inplace=True)

In [124]:
final_synthetic_dataset = Dataset.from_pandas(expanded_df)

In [125]:
final_synthetic_dataset

Dataset({
    features: ['id', 'application', 'application_variables', 'category', 'label_filter', 'line_filter', 'log_category_result', 'logql_query', 'metric_category', 'metric_category_result', 'query_explanation', 'query_result', 'question', 'row_variables', 'variables'],
    num_rows: 424
})

In [126]:
final_synthetic_dataset.save_to_disk("nl-logql-dataset-02")

Saving the dataset (0/1 shards):   0%|          | 0/424 [00:00<?, ? examples/s]

In [127]:
final_synthetic_dataset.push_to_hub("sidbin/natural-logql")

Uploading the dataset shards:   0%|          | 0/1 [00:00<?, ?it/s]

Creating parquet from Arrow format:   0%|          | 0/1 [00:00<?, ?ba/s]

README.md:   0%|          | 0.00/1.09k [00:00<?, ?B/s]

CommitInfo(commit_url='https://huggingface.co/datasets/sidbin/natural-logql/commit/d9ac961023083e4a526a30f7f412a595556f4b5d', commit_message='Upload dataset', commit_description='', oid='d9ac961023083e4a526a30f7f412a595556f4b5d', pr_url=None, repo_url=RepoUrl('https://huggingface.co/datasets/sidbin/natural-logql', endpoint='https://huggingface.co', repo_type='dataset', repo_id='sidbin/natural-logql'), pr_revision=None, pr_num=None)

In [71]:
from tqdm import tqdm

def generate_synthetic_data(row: Dict) -> List[Dict]:
    synthetic_rows = []

    try:
        rows = client.chat.completions.create(
            model="gpt-4o-mini",
            response_model=List[Row],
            temperature=0.1,
            max_tokens=8192,
            messages=[
                {"role": "system", "content": SYSTEM_PROMPT},
                {
                    "role": "user",
                    "content": USER_PROMPT.format(
                        DATASET=row,
                        COLUMNS_TO_VARY=columns_to_vary,
                        COLUMNS_TO_KEEP=columns_to_keep,
                        VARIABLES=row["row_variables"],
                    ),
                },
            ],
        )

        for _row in rows:
            synthetic_row = row.copy()
            synthetic_row["question"] = _row.question
            synthetic_row["logql_query"] = _row.logql_query
            synthetic_row["query_explanation"] = _row.query_explanation
            synthetic_row["query_result"] = _row.query_result
            synthetic_rows.append(synthetic_row)

    except Exception as e:
        print(f"Error generating synthetic data: {e}")

    return synthetic_rows

In [82]:
# df = dataset.shuffle(42).select(range(2)).to_pandas()
df = dataset.to_pandas()
tqdm.pandas(desc="generating synthetic data")
expanded_rows = df.progress_apply(
    lambda row: generate_synthetic_data(row.to_dict()), axis=1
)

expanded_df = pd.DataFrame([item for sublist in expanded_rows for item in sublist])

expanded_dataset = Dataset.from_pandas(expanded_df)

generating synthetic data:   0%|          | 0/100 [00:00<?, ?it/s]

generating synthetic data: 100%|██████████| 100/100 [32:17<00:00, 19.37s/it]


In [83]:
expanded_dataset.save_to_disk("nl-logql-dataset-01")

Saving the dataset (0/1 shards):   0%|          | 0/300 [00:00<?, ? examples/s]

In [84]:
expanded_df

Unnamed: 0,application,id,question,logql_query,query_explanation,query_result,category,log_category_result,line_filter,label_filter,metric_category_result,metric_category,variables,application_variables,row_variables
0,openstack,2,How long did it take to spawn instance 3edec1e4-9678-4a3a-a21b-a145a4ee5e61 on the hypervisor for openstack-us-east?,"{application=""openstack-us-east"", log_file_type=""nova-compute"", component=""nova.compute.manager""} |= ""3edec1e4-9678-4a3a-a21b-a145a4ee5e61"" |= ""Took"" |= ""seconds to spawn the instance on the hypervisor"" | regexp ""\\[instance: (?P<instance_id>[^\\]]+)\\] Took (?P<spawn_time>\\d+\\.\\d+) seconds to spawn the instance on the hypervisor"" | line_format ""{{.instance_id}} took {{.spawn_time}}""",bla,3edec1e4-9678-4a3a-a21b-a145a4ee5e61 took 20.58,,"{'chain_of_thought': 'Analyzing the query, it contains three label filters: `application=""openstack""`, `log_file_type=""nova-compute""`, `component=""nova.compute.manager""`. Additionally, there are three line filters (`|= ""3edec1e4-9678-4a3a-a21b-a145a4ee5e61""`, `|= ""Took""`, `|= ""seconds to spawn the instance on the hypervisor""`) followed by a regex operation and a line format operation. The presence of three label filters classifies this under multiple log stream selectors, and the presence of more than one line filter classifies it under multiple line filters.', 'label_filter': 'multiple log stream selectors', 'line_filter': 'multiple line filters'}",multiple line filters,multiple log stream selectors,"{'categories': None, 'chain_of_thought': 'The provided query involves log matching and extraction using filters and regexp but does not perform any quantitative aggregations or statistical computations, such as sum, count, or rate on the extracted data. It includes log filters, a regexp pattern for extracting data, and formatting the output using line_format, which suggests manipulation of text rather than numerical computation for metrics. Therefore, there are no metric aggregations present in this query.'}",,"[instance_id, time_in_sec]",[application],"[instance_id, spawn_time]"
1,openstack,2,How long did it take to spawn instance 3edec1e4-9678-4a3a-a21b-a145a4ee5e61 on the hypervisor for openstack-tenant-1?,"{application=""openstack-tenant-1"", log_file_type=""nova-compute"", component=""nova.compute.manager""} |= ""3edec1e4-9678-4a3a-a21b-a145a4ee5e61"" |= ""Took"" |= ""seconds to spawn the instance on the hypervisor"" | regexp ""\\[instance: (?P<instance_id>[^\\]]+)\\] Took (?P<spawn_time>\\d+\\.\\d+) seconds to spawn the instance on the hypervisor"" | line_format ""{{.instance_id}} took {{.spawn_time}}""",bla,3edec1e4-9678-4a3a-a21b-a145a4ee5e61 took 20.58,,"{'chain_of_thought': 'Analyzing the query, it contains three label filters: `application=""openstack""`, `log_file_type=""nova-compute""`, `component=""nova.compute.manager""`. Additionally, there are three line filters (`|= ""3edec1e4-9678-4a3a-a21b-a145a4ee5e61""`, `|= ""Took""`, `|= ""seconds to spawn the instance on the hypervisor""`) followed by a regex operation and a line format operation. The presence of three label filters classifies this under multiple log stream selectors, and the presence of more than one line filter classifies it under multiple line filters.', 'label_filter': 'multiple log stream selectors', 'line_filter': 'multiple line filters'}",multiple line filters,multiple log stream selectors,"{'categories': None, 'chain_of_thought': 'The provided query involves log matching and extraction using filters and regexp but does not perform any quantitative aggregations or statistical computations, such as sum, count, or rate on the extracted data. It includes log filters, a regexp pattern for extracting data, and formatting the output using line_format, which suggests manipulation of text rather than numerical computation for metrics. Therefore, there are no metric aggregations present in this query.'}",,"[instance_id, time_in_sec]",[application],"[instance_id, spawn_time]"
2,openstack,2,How long did it take to spawn instance 3edec1e4-9678-4a3a-a21b-a145a4ee5e61 on the hypervisor for openstack-tenant-2?,"{application=""openstack-tenant-2"", log_file_type=""nova-compute"", component=""nova.compute.manager""} |= ""3edec1e4-9678-4a3a-a21b-a145a4ee5e61"" |= ""Took"" |= ""seconds to spawn the instance on the hypervisor"" | regexp ""\\[instance: (?P<instance_id>[^\\]]+)\\] Took (?P<spawn_time>\\d+\\.\\d+) seconds to spawn the instance on the hypervisor"" | line_format ""{{.instance_id}} took {{.spawn_time}}""",bla,3edec1e4-9678-4a3a-a21b-a145a4ee5e61 took 20.58,,"{'chain_of_thought': 'Analyzing the query, it contains three label filters: `application=""openstack""`, `log_file_type=""nova-compute""`, `component=""nova.compute.manager""`. Additionally, there are three line filters (`|= ""3edec1e4-9678-4a3a-a21b-a145a4ee5e61""`, `|= ""Took""`, `|= ""seconds to spawn the instance on the hypervisor""`) followed by a regex operation and a line format operation. The presence of three label filters classifies this under multiple log stream selectors, and the presence of more than one line filter classifies it under multiple line filters.', 'label_filter': 'multiple log stream selectors', 'line_filter': 'multiple line filters'}",multiple line filters,multiple log stream selectors,"{'categories': None, 'chain_of_thought': 'The provided query involves log matching and extraction using filters and regexp but does not perform any quantitative aggregations or statistical computations, such as sum, count, or rate on the extracted data. It includes log filters, a regexp pattern for extracting data, and formatting the output using line_format, which suggests manipulation of text rather than numerical computation for metrics. Therefore, there are no metric aggregations present in this query.'}",,"[instance_id, time_in_sec]",[application],"[instance_id, spawn_time]"
3,openstack,3,What was the total time taken to build instance 3edec1e4-9678-4a3a-a21b-a145a4ee5e61 in openstack-us-east?,"{application=""openstack-us-east"", log_file_type=""nova-compute""} |= `3edec1e4-9678-4a3a-a21b-a145a4ee5e61` |= `Took` |= `seconds to build instance` | regexp `\[instance: (?P<instance_id>[^\]]+)\] Took (?P<build_time>\d+\.\d+) seconds to build instance` | line_format `{{.build_time}}`","1. {application=""openstack"", log_file_type=""nova-compute""}\nFetch all log lines matching label filters.\n2. <expr> |= `3edec1e4-9678-4a3a-a21b-a145a4ee5e61`\nReturn log lines that contain string 3edec1e4-9678-4a3a-a21b-a145a4ee5e61.\n\n3. <expr> |= `Took`\nReturn log lines that contain string Took.\n\n4. <expr> |= `seconds to build instance`\nReturn log lines that contain string seconds to build instance.\n\n5. <expr> | regexp `\[instance: (?P<instance_id>[^\]]+)\] Took (?P<build_time>\d+\.\d+) seconds to build instance`\nThe regexp parser takes a single parameter | regexp ""<re>"" which is the regular expression using the Golang RE2 syntax. The regular expression must contain a least one named sub-match (e.g (?P<name>re)), each sub-match will extract a different label. The expression matches the structure of a log line. The extracted labels can be used in label filter expressions and used as values for a range aggregation via the unwrap operation.\n\n6. <expr> | line_format `{{.buil...",21.38,,"{'chain_of_thought': 'The user query submits using multiple label filters: `application='openstack'`, `log_file_type='nova-compute'`. There are multiple line filters used sequentially: `|= '3edec1e4-9678-4a3a-a21b-a145a4ee5e61'`, `|= 'Took'`, `|= 'seconds to build instance'`, `| regexp '\[instance: (?P<instance_id>[^\]]+)\d+] Took (?P<build_time>\d+.\d+) seconds to build instance'`. By definition, using several different types of line filters suggests it falls under 'multiple line filters'. For labels, using multiple labels as part of the stream selector puts this into the 'multiple log stream selectors' category.', 'label_filter': 'multiple log stream selectors', 'line_filter': 'multiple line filters'}",multiple line filters,multiple log stream selectors,"{'categories': None, 'chain_of_thought': 'This LogQL query does not contain any aggregation operators like `sum`, `avg`, `max`, `min`, `count`, etc. It appears to involve parsing and restructuring log lines with `regexp` and `line_format` but does not aggregate these logs into metrics. Therefore, it does not fall into the categories of metric aggregation, whether log range, unwrapped range, or built-in range aggregation.'}",,"[instance_id, time_in_sec]",[application],"[instance_id, build_time]"
4,openstack,3,What was the total time taken to build instance 3edec1e4-9678-4a3a-a21b-a145a4ee5e61 in openstack-tenant-1?,"{application=""openstack-tenant-1"", log_file_type=""nova-compute""} |= `3edec1e4-9678-4a3a-a21b-a145a4ee5e61` |= `Took` |= `seconds to build instance` | regexp `\[instance: (?P<instance_id>[^\]]+)\] Took (?P<build_time>\d+\.\d+) seconds to build instance` | line_format `{{.build_time}}`","1. {application=""openstack"", log_file_type=""nova-compute""}\nFetch all log lines matching label filters.\n2. <expr> |= `3edec1e4-9678-4a3a-a21b-a145a4ee5e61`\nReturn log lines that contain string 3edec1e4-9678-4a3a-a21b-a145a4ee5e61.\n\n3. <expr> |= `Took`\nReturn log lines that contain string Took.\n\n4. <expr> |= `seconds to build instance`\nReturn log lines that contain string seconds to build instance.\n\n5. <expr> | regexp `\[instance: (?P<instance_id>[^\]]+)\] Took (?P<build_time>\d+\.\d+) seconds to build instance`\nThe regexp parser takes a single parameter | regexp ""<re>"" which is the regular expression using the Golang RE2 syntax. The regular expression must contain a least one named sub-match (e.g (?P<name>re)), each sub-match will extract a different label. The expression matches the structure of a log line. The extracted labels can be used in label filter expressions and used as values for a range aggregation via the unwrap operation.\n\n6. <expr> | line_format `{{.buil...",21.38,,"{'chain_of_thought': 'The user query submits using multiple label filters: `application='openstack'`, `log_file_type='nova-compute'`. There are multiple line filters used sequentially: `|= '3edec1e4-9678-4a3a-a21b-a145a4ee5e61'`, `|= 'Took'`, `|= 'seconds to build instance'`, `| regexp '\[instance: (?P<instance_id>[^\]]+)\d+] Took (?P<build_time>\d+.\d+) seconds to build instance'`. By definition, using several different types of line filters suggests it falls under 'multiple line filters'. For labels, using multiple labels as part of the stream selector puts this into the 'multiple log stream selectors' category.', 'label_filter': 'multiple log stream selectors', 'line_filter': 'multiple line filters'}",multiple line filters,multiple log stream selectors,"{'categories': None, 'chain_of_thought': 'This LogQL query does not contain any aggregation operators like `sum`, `avg`, `max`, `min`, `count`, etc. It appears to involve parsing and restructuring log lines with `regexp` and `line_format` but does not aggregate these logs into metrics. Therefore, it does not fall into the categories of metric aggregation, whether log range, unwrapped range, or built-in range aggregation.'}",,"[instance_id, time_in_sec]",[application],"[instance_id, build_time]"
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
295,hdfs,89,How many times did the PendingReplicationMonitor time out for blocks in the past 12 hours for hdfs-tenant-1?,"sum(\n count_over_time(\n {application=""hdfs-tenant-1""}\n |~ ""PendingReplicationMonitor timed out block .*""\n [12h]\n )\n)","Explanation of the query:\n\n1. `{application=""hdfs""}`: This selects all logs from the HDFS application, as we don't have a specific component for PendingReplicationMonitor.\n\n2. `|~ ""PendingReplicationMonitor timed out block .*""`: This line filter matches log lines containing the PendingReplicationMonitor timeout event.\n\n3. `[12h]`: This specifies the 12-hour time range as requested in the question.\n\n4. `count_over_time(...)`: This counts the occurrences of the matched log lines over the specified time range.\n\n5. `sum(...)`: This sums up all the counts, giving us the total number of times the PendingReplicationMonitor timed out for blocks in the past 12 hours.\n\nThis query efficiently counts the number of PendingReplicationMonitor timeout events across all HDFS components in the last 12 hours. The result will be a single value representing the total count of these timeout events.",2,Performance Issues,"{'chain_of_thought': 'This query includes a single label filter: `application=""hdfs""`. Additionally, it contains a single line filter `|~ ""PendingReplicationMonitor timed out block .*""` used to match logs with a specific pattern. There are no multiple filters used.', 'label_filter': 'single log stream selector', 'line_filter': 'single line filter'}",single line filter,single log stream selector,"{'categories': ['log_range_aggregation', 'built_in_range_aggregation'], 'chain_of_thought': 'The query uses the `sum()` function as well as the `count_over_time()` function over a logging range of 12 hours specified. According to the documentation, `count_over_time` is categorized as a log range aggregation as it counts log entries over a specified time range. `sum()` is a built-in aggregation operator, used here to aggregate the counts over all labels.'}","[log_range_aggregation, built_in_range_aggregation]",[time_in_hours],[application],[time_in_hours]
296,hdfs,89,How many times did the PendingReplicationMonitor time out for blocks in the past 12 hours for hdfs-tenant-2?,"sum(\n count_over_time(\n {application=""hdfs-tenant-2""}\n |~ ""PendingReplicationMonitor timed out block .*""\n [12h]\n )\n)","Explanation of the query:\n\n1. `{application=""hdfs""}`: This selects all logs from the HDFS application, as we don't have a specific component for PendingReplicationMonitor.\n\n2. `|~ ""PendingReplicationMonitor timed out block .*""`: This line filter matches log lines containing the PendingReplicationMonitor timeout event.\n\n3. `[12h]`: This specifies the 12-hour time range as requested in the question.\n\n4. `count_over_time(...)`: This counts the occurrences of the matched log lines over the specified time range.\n\n5. `sum(...)`: This sums up all the counts, giving us the total number of times the PendingReplicationMonitor timed out for blocks in the past 12 hours.\n\nThis query efficiently counts the number of PendingReplicationMonitor timeout events across all HDFS components in the last 12 hours. The result will be a single value representing the total count of these timeout events.",2,Performance Issues,"{'chain_of_thought': 'This query includes a single label filter: `application=""hdfs""`. Additionally, it contains a single line filter `|~ ""PendingReplicationMonitor timed out block .*""` used to match logs with a specific pattern. There are no multiple filters used.', 'label_filter': 'single log stream selector', 'line_filter': 'single line filter'}",single line filter,single log stream selector,"{'categories': ['log_range_aggregation', 'built_in_range_aggregation'], 'chain_of_thought': 'The query uses the `sum()` function as well as the `count_over_time()` function over a logging range of 12 hours specified. According to the documentation, `count_over_time` is categorized as a log range aggregation as it counts log entries over a specified time range. `sum()` is a built-in aggregation operator, used here to aggregate the counts over all labels.'}","[log_range_aggregation, built_in_range_aggregation]",[time_in_hours],[application],[time_in_hours]
297,hdfs,90,What is the average time taken for a block to be transmitted between DataNodes in the last hour for hdfs-us-east?,"(\n sum(rate({application=""hdfs-us-east""} |~ ""Transmitted block"" [1h])) /\n sum(rate({application=""hdfs-us-east""} |~ ""Starting thread to transfer block"" [1h]))\n) * 3600","Explanation of the query:\n\n1. `{application=""hdfs-us-east""}`: This selects all logs from HDFS application.\n\n2. `|~ ""Transmitted block""` and `|~ ""Starting thread to transfer block""`: These line filters match log lines containing the end and start of block transfer events, respectively.\n\n3. `[1h]`: This specifies the 1-hour time range as requested in the question.\n\n4. `rate(... [1h])`: This calculates the per-second rate of occurrences for each event over the last hour.\n\n5. `sum(...)`: This sums the rates across all DataNodes.\n\n6. The division `(...) / (...)` gives us the average time between start and end events.\n\n7. `* 3600`: This converts the result from seconds to hours.\n\nThis query approximates the average time taken for a block to be transmitted between DataNodes in the last hour. It does this by calculating the ratio of completed transmissions to started transmissions and then converting this to an average time in seconds.\n\nNote that this method assumes that...",38k\n<graph>,Replication and Data Transfer,"{'chain_of_thought': 'The query has a single label filter: `application=""hdfs""`. The query is checking rates over log lines that match two different line filters: `|~ ""Transmitted block""` and `|~ ""Starting thread to transfer block""`. Since there are two different line filters used in separate sub-queries, this qualifies as multiple line filters. Therefore, the labels are single, and the line filters are multiple.', 'label_filter': 'single log stream selector', 'line_filter': 'multiple line filters'}",multiple line filters,single log stream selector,"{'categories': ['log_range_aggregation', 'built_in_range_aggregation'], 'chain_of_thought': 'In this query, `sum()` and `rate()` are used. From the LogQL documentation, `rate()` functions as a log range aggregation, calculating the rate of logs over a specified time period. The `sum()` function is a built-in aggregation operator used here to sum up the rates calculated. The entire expression calculates a rate over an hour and uses built-in aggregation operators to sum these rates. These sums are then combined in a mathematical expression.'}","[log_range_aggregation, built_in_range_aggregation]",[time_in_hours],[application],[time_in_hours]
298,hdfs,90,What is the average time taken for a block to be transmitted between DataNodes in the last hour for hdfs-tenant-1?,"(\n sum(rate({application=""hdfs-tenant-1""} |~ ""Transmitted block"" [1h])) /\n sum(rate({application=""hdfs-tenant-1""} |~ ""Starting thread to transfer block"" [1h]))\n) * 3600","Explanation of the query:\n\n1. `{application=""hdfs-tenant-1""}`: This selects all logs from HDFS application.\n\n2. `|~ ""Transmitted block""` and `|~ ""Starting thread to transfer block""`: These line filters match log lines containing the end and start of block transfer events, respectively.\n\n3. `[1h]`: This specifies the 1-hour time range as requested in the question.\n\n4. `rate(... [1h])`: This calculates the per-second rate of occurrences for each event over the last hour.\n\n5. `sum(...)`: This sums the rates across all DataNodes.\n\n6. The division `(...) / (...)` gives us the average time between start and end events.\n\n7. `* 3600`: This converts the result from seconds to hours.\n\nThis query approximates the average time taken for a block to be transmitted between DataNodes in the last hour. It does this by calculating the ratio of completed transmissions to started transmissions and then converting this to an average time in seconds.\n\nNote that this method assumes tha...",38k\n<graph>,Replication and Data Transfer,"{'chain_of_thought': 'The query has a single label filter: `application=""hdfs""`. The query is checking rates over log lines that match two different line filters: `|~ ""Transmitted block""` and `|~ ""Starting thread to transfer block""`. Since there are two different line filters used in separate sub-queries, this qualifies as multiple line filters. Therefore, the labels are single, and the line filters are multiple.', 'label_filter': 'single log stream selector', 'line_filter': 'multiple line filters'}",multiple line filters,single log stream selector,"{'categories': ['log_range_aggregation', 'built_in_range_aggregation'], 'chain_of_thought': 'In this query, `sum()` and `rate()` are used. From the LogQL documentation, `rate()` functions as a log range aggregation, calculating the rate of logs over a specified time period. The `sum()` function is a built-in aggregation operator used here to sum up the rates calculated. The entire expression calculates a rate over an hour and uses built-in aggregation operators to sum these rates. These sums are then combined in a mathematical expression.'}","[log_range_aggregation, built_in_range_aggregation]",[time_in_hours],[application],[time_in_hours]


In [85]:
expanded_dataset.push_to_hub("sidbin/natural-logql")

Uploading the dataset shards:   0%|          | 0/1 [00:00<?, ?it/s]

Creating parquet from Arrow format:   0%|          | 0/1 [00:00<?, ?ba/s]

README.md:   0%|          | 0.00/955 [00:00<?, ?B/s]

CommitInfo(commit_url='https://huggingface.co/datasets/sidbin/natural-logql/commit/762df8a43ad7e14762ab6d80a2e674c6bf6855f9', commit_message='Upload dataset', commit_description='', oid='762df8a43ad7e14762ab6d80a2e674c6bf6855f9', pr_url=None, repo_url=RepoUrl('https://huggingface.co/datasets/sidbin/natural-logql', endpoint='https://huggingface.co', repo_type='dataset', repo_id='sidbin/natural-logql'), pr_revision=None, pr_num=None)

## Row Variables

In [8]:
columns_to_vary = ["question", "logql_query", "query_explanation", "query_result"]
columns_to_keep = [col for col in all_columns if col not in columns_to_vary]

columns_for_llm = columns_to_vary
columns_for_llm.append("row_variables")

In [11]:
columns_for_llm.append("application_variables")

In [9]:
print(columns_to_vary)
print(columns_to_keep)
print(columns_for_llm)

['question', 'logql_query', 'query_explanation', 'query_result', 'row_variables']
['application', 'id', 'category', 'log_category_result', 'line_filter', 'label_filter', 'metric_category_result', 'metric_category', 'variables', 'application_variables', 'row_variables']
['question', 'logql_query', 'query_explanation', 'query_result', 'row_variables']


In [23]:
df[columns_for_llm].sample(n=1)

Unnamed: 0,question,logql_query,query_explanation,query_result,row_variables,application_variables
94,How many times did the NameSystem allocate new blocks in the past minute?,"sum(\n count_over_time(\n {application=""hdfs""}\n |~ ""BLOCK\\* NameSystem\\.allocateBlock:""\n [1m]\n )\n)","1. `{application=""hdfs""}`: This selects all logs from the FSNamesystem component, which handles block allocation.\n\n2. `|~ ""BLOCK\\* NameSystem\\.allocateBlock:""`: This line filter matches log lines containing the block allocation event. We use `\\` to escape the asterisk in the log message.\n\n3. `[1h]`: This specifies the 1-minute time range as requested in the question.\n\n4. `count_over_time(...)`: This counts the occurrences of the matched log lines over the specified time range.\n\n5. `sum(...)`: This sums up all the counts, giving us the total number of block allocations across all instances of FSNamesystem.\n\nThis query efficiently counts the number of times the NameSystem allocated new blocks in the past hour. The result will be a single value representing the total count of block allocations.\n",1.88k\n<graph>,"[time_in_minutes, block_action: addStoredBlock|delete]",[application]
