# DuckDB Performance Analyzer for CloudTrail Data

This notebook analyzes your processed CloudTrail data and provides technical insights about DuckDB query performance, memory requirements, and optimal query strategies.

In [None]:
import sys
from pathlib import Path
import json
import psutil
import os
import time
from datetime import datetime, timedelta
from collections import defaultdict
import pandas as pd

# Add src to path
src_path = Path('../src').resolve()
sys.path.insert(0, str(src_path))

from phase2.duckdb_connector import DuckDBConnector
from common.logging_config import setup_logging

## System Configuration Analysis

In [None]:
# Analyze system resources
def analyze_system_config():
    memory = psutil.virtual_memory()
    disk = psutil.disk_usage('/')
    cpu_count = psutil.cpu_count()
    
    print("🖥️  SYSTEM CONFIGURATION ANALYSIS")
    print("=" * 50)
    print(f"💾 Total RAM: {memory.total / (1024**3):.1f} GB")
    print(f"💾 Available RAM: {memory.available / (1024**3):.1f} GB ({memory.percent:.1f}% used)")
    print(f"💽 Total Disk: {disk.total / (1024**3):.1f} GB")
    print(f"💽 Free Disk: {disk.free / (1024**3):.1f} GB ({(disk.used/disk.total)*100:.1f}% used)")
    print(f"⚡ CPU Cores: {cpu_count}")
    
    return {
        'total_ram_gb': memory.total / (1024**3),
        'available_ram_gb': memory.available / (1024**3),
        'cpu_cores': cpu_count,
        'disk_free_gb': disk.free / (1024**3)
    }

system_config = analyze_system_config()

## Data Volume Analysis

In [None]:
# Analyze processed data volume and structure
def analyze_data_volume(data_path="../data/processed"):
    data_path = Path(data_path)
    
    if not data_path.exists():
        print("❌ No processed data found!")
        return None
    
    print("\n📊 DATA VOLUME ANALYSIS")
    print("=" * 50)
    
    # File analysis
    json_files = list(data_path.rglob('*.json'))
    total_files = len(json_files)
    
    if total_files == 0:
        print("❌ No JSON files found!")
        return None
    
    # Size analysis
    total_size = sum(f.stat().st_size for f in json_files)
    avg_file_size = total_size / total_files
    
    print(f"📁 Total Files: {total_files:,}")
    print(f"📏 Total Size: {total_size / (1024**2):.1f} MB ({total_size / (1024**3):.3f} GB)")
    print(f"📏 Average File Size: {avg_file_size / 1024:.1f} KB")
    
    # Date range analysis
    dates = set()
    date_file_count = defaultdict(int)
    date_size = defaultdict(int)
    
    for file_path in json_files:
        parts = file_path.parts
        if len(parts) >= 4:
            try:
                year, month, day = parts[-4], parts[-3], parts[-2]
                date_str = f"{year}-{month.zfill(2)}-{day.zfill(2)}"
                dates.add(date_str)
                date_file_count[date_str] += 1
                date_size[date_str] += file_path.stat().st_size
            except (ValueError, IndexError):
                continue
    
    dates = sorted(dates)
    print(f"📅 Date Range: {min(dates)} to {max(dates)} ({len(dates)} days)")
    print(f"📅 Files per Day: {total_files / len(dates):.0f} average")
    print(f"📅 Data per Day: {(total_size / len(dates)) / (1024**2):.1f} MB average")
    
    return {
        'total_files': total_files,
        'total_size_mb': total_size / (1024**2),
        'total_size_gb': total_size / (1024**3),
        'avg_file_size_kb': avg_file_size / 1024,
        'date_range': (min(dates), max(dates)),
        'total_days': len(dates),
        'files_per_day': total_files / len(dates),
        'mb_per_day': (total_size / len(dates)) / (1024**2),
        'date_file_count': dict(date_file_count),
        'date_size': {k: v/(1024**2) for k, v in date_size.items()}
    }

data_stats = analyze_data_volume()

## Sample Data Structure Analysis

In [None]:
# Analyze JSON structure and estimate event counts
def analyze_json_structure(data_path="../data/processed", sample_files=5):
    data_path = Path(data_path)
    json_files = list(data_path.rglob('*.json'))[:sample_files]
    
    if not json_files:
        return None
    
    print("\n🔬 JSON STRUCTURE ANALYSIS")
    print("=" * 50)
    
    total_events = 0
    total_records = 0
    field_counts = defaultdict(int)
    event_sources = defaultdict(int)
    
    for i, file_path in enumerate(json_files):
        try:
            with open(file_path, 'r') as f:
                data = json.load(f)
                
            if 'Records' in data:
                records = data['Records']
                total_records += len(records)
                
                for record in records[:10]:  # Sample first 10 records
                    total_events += 1
                    
                    # Count fields
                    for field in record.keys():
                        field_counts[field] += 1
                    
                    # Count event sources
                    if 'eventSource' in record:
                        event_sources[record['eventSource']] += 1
                        
        except Exception as e:
            print(f"⚠️  Error reading {file_path.name}: {e}")
            continue
    
    if total_records == 0:
        print("❌ No valid CloudTrail records found!")
        return None
    
    # Estimate total events
    avg_records_per_file = total_records / len(json_files)
    estimated_total_events = int(avg_records_per_file * data_stats['total_files'])
    
    print(f"📋 Sample Files Analyzed: {len(json_files)}")
    print(f"📋 Records per File: {avg_records_per_file:.0f} average")
    print(f"📋 Estimated Total Events: {estimated_total_events:,}")
    
    print(f"\n🏷️  Common Fields ({len(field_counts)} total):")
    for field, count in sorted(field_counts.items(), key=lambda x: x[1], reverse=True)[:10]:
        print(f"  - {field}: {count}/{total_events} records")
    
    print(f"\n🌐 Top Event Sources:")
    for source, count in sorted(event_sources.items(), key=lambda x: x[1], reverse=True)[:5]:
        print(f"  - {source}: {count} events")
    
    return {
        'avg_records_per_file': avg_records_per_file,
        'estimated_total_events': estimated_total_events,
        'field_counts': dict(field_counts),
        'event_sources': dict(event_sources)
    }

if data_stats:
    json_stats = analyze_json_structure()
else:
    json_stats = None

## DuckDB Performance Benchmarks

In [None]:
# Benchmark DuckDB performance with sample queries
def benchmark_duckdb_performance(data_path="../data/processed"):
    if not data_stats or not json_stats:
        print("❌ Cannot benchmark without data analysis")
        return None
    
    print("\n⚡ DUCKDB PERFORMANCE BENCHMARKS")
    print("=" * 50)
    
    # Create temporary DuckDB connection
    db_path = "../data/performance_test.duckdb"
    db = DuckDBConnector(db_path)
    
    try:
        # Create view
        print("🔧 Creating CloudTrail view...")
        start_time = time.time()
        success = db.create_cloudtrail_view(data_path)
        view_creation_time = time.time() - start_time
        
        if not success:
            print("❌ Failed to create view")
            return None
        
        print(f"✅ View created in {view_creation_time:.2f} seconds")
        
        # Benchmark queries
        benchmarks = []
        
        # Test 1: Simple count
        print("\n🧪 Test 1: Simple COUNT query")
        start_time = time.time()
        result = db.execute_query("SELECT COUNT(*) as total FROM cloudtrail")
        query_time = time.time() - start_time
        total_events = result.iloc[0]['total']
        
        print(f"  📊 Total Events: {total_events:,}")
        print(f"  ⏱️  Query Time: {query_time:.2f} seconds")
        print(f"  🚀 Events/Second: {total_events/query_time:,.0f}")
        
        benchmarks.append({
            'test': 'Simple COUNT',
            'query_time': query_time,
            'events_processed': total_events,
            'events_per_second': total_events/query_time
        })
        
        # Test 2: Aggregation by service
        print("\n🧪 Test 2: GROUP BY aggregation")
        start_time = time.time()
        result = db.execute_query("""
            SELECT eventSource, COUNT(*) as count 
            FROM cloudtrail 
            GROUP BY eventSource 
            ORDER BY count DESC 
            LIMIT 10
        """)
        query_time = time.time() - start_time
        
        print(f"  📊 Services Found: {len(result)}")
        print(f"  ⏱️  Query Time: {query_time:.2f} seconds")
        print(f"  🚀 Events/Second: {total_events/query_time:,.0f}")
        
        benchmarks.append({
            'test': 'GROUP BY aggregation',
            'query_time': query_time,
            'events_processed': total_events,
            'events_per_second': total_events/query_time
        })
        
        return {
            'view_creation_time': view_creation_time,
            'total_events': total_events,
            'benchmarks': benchmarks
        }
        
    finally:
        db.close()
        # Clean up test database
        if Path(db_path).exists():
            Path(db_path).unlink()

if data_stats and json_stats:
    perf_stats = benchmark_duckdb_performance()
else:
    perf_stats = None

## Performance Recommendations

In [None]:
# Generate recommendations based on analysis
def generate_recommendations():
    if not all([data_stats, json_stats, perf_stats, system_config]):
        print("❌ Cannot generate recommendations without complete analysis")
        return None
    
    print("\n🎯 PERFORMANCE RECOMMENDATIONS")
    print("=" * 50)
    
    total_events = perf_stats['total_events']
    total_size_gb = data_stats['total_size_gb']
    available_ram_gb = system_config['available_ram_gb']
    total_days = data_stats['total_days']
    
    # Data size assessment
    if total_size_gb < 0.1:
        size_category = "SMALL"
        size_emoji = "🟢"
    elif total_size_gb < 1.0:
        size_category = "MEDIUM"
        size_emoji = "🟡"
    else:
        size_category = "LARGE"
        size_emoji = "🔴"
    
    print(f"\n{size_emoji} DATA SIZE CATEGORY: {size_category}")
    print(f"  📊 Total Data: {total_size_gb:.3f} GB ({total_events:,} events)")
    print(f"  💾 Available RAM: {available_ram_gb:.1f} GB")
    print(f"  📅 Date Range: {total_days} days")
    
    # Performance tier
    avg_events_per_sec = sum(b['events_per_second'] for b in perf_stats['benchmarks']) / len(perf_stats['benchmarks'])
    
    if avg_events_per_sec > 100000:
        perf_tier = "EXCELLENT"
        perf_emoji = "🚀"
    elif avg_events_per_sec > 50000:
        perf_tier = "GOOD"
        perf_emoji = "⚡"
    else:
        perf_tier = "MODERATE"
        perf_emoji = "🐌"
    
    print(f"\n{perf_emoji} PERFORMANCE TIER: {perf_tier}")
    print(f"  🏃 Average Processing Speed: {avg_events_per_sec:,.0f} events/second")
    
    # Optimal date range recommendations
    print(f"\n📅 OPTIMAL DATE RANGE RECOMMENDATIONS:")
    
    # Calculate safe date ranges based on memory
    safe_days_for_select_all = int((available_ram_gb * 0.8) / (data_stats['mb_per_day'] / 1024 * 1.2))  # 80% RAM, 120% overhead
    safe_days_for_aggregation = min(total_days, int((available_ram_gb * 0.9) / (data_stats['mb_per_day'] / 1024 * 0.1)))  # 90% RAM, 10% overhead
    
    print(f"  🔍 For SELECT * queries: {max(1, safe_days_for_select_all)} days maximum")
    print(f"  📊 For aggregation queries: {safe_days_for_aggregation} days (full dataset OK)")
    print(f"  ⚡ For filtered queries: {min(total_days, 30)} days recommended")
    
    # Query optimization tips
    print(f"\n💡 QUERY OPTIMIZATION TIPS:")
    
    tips = [
        "✅ Use COUNT(*), GROUP BY, and aggregations - very memory efficient",
        "✅ Add WHERE clauses to filter data early (pushdown optimization)",
        "✅ Select specific columns instead of SELECT *",
        "✅ Use date filters: WHERE eventTime >= '2025-07-30'",
        "⚠️  Avoid SELECT * on large date ranges",
        "⚠️  Complex JOINs may require more memory",
        "❌ Avoid ORDER BY without LIMIT on large results"
    ]
    
    for tip in tips:
        print(f"  {tip}")
    
    return {
        'size_category': size_category,
        'performance_tier': perf_tier,
        'safe_days_select_all': safe_days_for_select_all,
        'safe_days_aggregation': safe_days_for_aggregation,
        'avg_events_per_sec': avg_events_per_sec
    }

if data_stats and json_stats and perf_stats:
    recommendations = generate_recommendations()
else:
    recommendations = None

## Summary Report

In [None]:
# Generate final summary report
def generate_summary_report():
    if not all([data_stats, json_stats, perf_stats, recommendations]):
        print("❌ Cannot generate summary without complete analysis")
        return
    
    print("\n" + "=" * 60)
    print("📋 DUCKDB PERFORMANCE ANALYSIS SUMMARY")
    print("=" * 60)
    
    # Key metrics
    print(f"\n🎯 KEY METRICS:")
    print(f"  📊 Total Events: {perf_stats['total_events']:,}")
    print(f"  📁 Total Files: {data_stats['total_files']:,}")
    print(f"  📏 Total Size: {data_stats['total_size_gb']:.3f} GB")
    print(f"  📅 Date Range: {data_stats['date_range'][0]} to {data_stats['date_range'][1]}")
    print(f"  💾 Available RAM: {system_config['available_ram_gb']:.1f} GB")
    print(f"  ⚡ Processing Speed: {recommendations['avg_events_per_sec']:,.0f} events/sec")
    
    # Status indicators
    print(f"\n🚦 STATUS INDICATORS:")
    print(f"  📊 Data Size: {recommendations['size_category']}")
    print(f"  ⚡ Performance: {recommendations['performance_tier']}")
    print(f"  💾 Memory Fit: {'✅ EXCELLENT' if data_stats['total_size_gb'] < system_config['available_ram_gb'] * 0.1 else '🟡 GOOD' if data_stats['total_size_gb'] < system_config['available_ram_gb'] * 0.5 else '🔴 TIGHT'}")
    
    # Quick recommendations
    print(f"\n⚡ QUICK RECOMMENDATIONS:")
    print(f"  🔍 Safe for SELECT *: {recommendations['safe_days_select_all']} days")
    print(f"  📊 Safe for aggregations: Full dataset ({data_stats['total_days']} days)")
    print(f"  🎯 Optimal query range: 7-30 days")
    
    print(f"\n✅ ANALYSIS COMPLETE - Your CloudTrail data is ready for efficient DuckDB querying!")
    print("=" * 60)

if recommendations:
    generate_summary_report()