Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PPL command implementation for appendCol #990

Open
wants to merge 62 commits into
base: main
Choose a base branch
from
Open

PPL command implementation for appendCol #990

wants to merge 62 commits into from

Conversation

andy-k-improving
Copy link
Contributor

@andy-k-improving andy-k-improving commented Dec 11, 2024
edited
Loading

Description

Introduce the new PPL command appendCol which aim to aggregate result from multiple searches into a single comprehensive table for user to view.

This is accomplished by reading both main-search and sub-search in the form of node then transform it into the following of SQL with by adding _row_number_ for the dataset's natural order, then join both main and sub search with the _row_number_ column.

select t1.*, t2.* 

FROM (
     SELECT *, row_number() over (order by '1') as row_org 
     FROM employees) as t1

 FULL OUTER JOIN (
     SELECT *, row_number() over (order by '1') as row_app 
     FROM employees) as t2 

ON t1.row_org = t2.row_app;

Related Issues

Resolves: #956

Check List

  • Updated documentation (docs/ppl-lang/README.md)
  • Implemented unit tests
  • Implemented tests for combination with other commands
  • New added source code should include a copyright header
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Test plan:

# Produce the artifact
sbt clean sparkPPLCosmetic/publishM2

# Start Spark with the plugin
bin/spark-sql --jars "/ABSOLUTE_PATH_TO_ARTIFACT/opensearch-spark-ppl_2.12-0.6.0-SNAPSHOT.jar" \
--conf "spark.sql.extensions=org.opensearch.flint.spark.FlintPPLSparkExtensions"  \
--conf "spark.sql.catalog.dev=org.apache.spark.opensearch.catalog.OpenSearchCatalog" \
--conf "spark.hadoop.hive.cli.print.header=true"

# Insert test table and data
CREATE TABLE employees (name STRING, dept STRING, salary INT, age INT, con STRING);

INSERT INTO employees VALUES ("Lisa", "Sales", 10000, 35, 'test');
INSERT INTO employees VALUES ("Evan", "Sales", 32000, 38, 'test');
INSERT INTO employees VALUES ("Fred", "Engineering", 21000, 28, 'test');
INSERT INTO employees VALUES ("Alex", "Sales", 30000, 33, 'test');
INSERT INTO employees VALUES ("Tom", "Engineering", 23000, 33, 'test');
INSERT INTO employees VALUES ("Jane", "Marketing", 29000, 28, 'test');
INSERT INTO employees VALUES ("Jeff", "Marketing", 35000, 38, 'test');
INSERT INTO employees VALUES ("Paul", "Engineering", 29000, 23, 'test');
INSERT INTO employees VALUES ("Chloe", "Engineering", 23000, 25, 'test');

# Append one sub-search:

source=employees | FIELDS name, dept, salary | APPENDCOL  [ stats count() as event_count];

name	dept	salary	event_count
Lisa	Sales------	10000	9
Fred	Engineering	21000	NULL
Paul	Engineering	29000	NULL
Evan	Sales------	32000	NULL
Chloe	Engineering	23000	NULL
Tom	Engineering	23000	NULL
Alex	Sales	30000	NULL
Jane	Marketing	29000	NULL
Jeff	Marketing	35000	NULL


# Append multiple sub-searches:

source=employees | FIELDS name, dept, salary | APPENDCOL  [ stats count() as event_count] | APPENDCOL [stats avg(age) as avg_age];

name	dept	salary	event_count	avg_age
Lisa	Sales------	10000	9	31.22222222222222
Fred	Engineering	21000	NULL	NULL
Paul	Engineering	29000	NULL	NULL
Evan	Sales------	32000	NULL	NULL
Chloe	Engineering	23000	NULL	NULL
Tom	Engineering	23000	NULL	NULL
Alex	Sales	30000	NULL	NULL
Jane	Marketing	29000	NULL	NULL
Jeff	Marketing	35000	NULL	NULL



# With override option (`salary` column from the main-search is being dropped and replaced by the `salary` column over the sub-search)

source=employees | FIELDS name, dept, salary | APPENDCOL OVERRIDE=true [stats avg(salary) as salary];

name	dept	salary
Lisa	Sales------	25777.777777777777
Fred	Engineering	NULL
Paul	Engineering	NULL
Evan	Sales------	NULL
Chloe	Engineering	NULL
Tom	Engineering	NULL
Alex	Sales	NULL
Jane	Marketing	NULL
Jeff	Marketing	NULL

@andy-k-improving andy-k-improving marked this pull request as draft December 11, 2024 02:26
@andy-k-improving andy-k-improving changed the title DRAFT: PPL command appendCol implementaion PPL command implementation for appendCol Dec 16, 2024
@andy-k-improving andy-k-improving marked this pull request as ready for review December 16, 2024 22:45
@LantaoJin
Copy link
Member

LantaoJin commented Dec 18, 2024
edited
Loading

Two high level questions:

  1. appendCol command syntax is
    APPENDCOL <override=?> [sub-search]...

And the sub-search syntax is

opensearch-spark/ppl-spark-integration/src/main/antlr4/OpenSearchPPLParser.g4

Lines 27 to 29 in 957de4e

subSearch
: searchCommand (PIPE commands)*
;

Seems this PR doesn't follow the sub-search syntax.
I prefer to follow the current sub-search syntax, in case we could combine columns from different tables. for examples:
source=employees | FIELDS name, dept, salary | APPENDCOL [ search source = company | stats count() as event_count ]
But if this is intentional (appendcol only works for one table), I am okey for current syntax.

  1. why the result of query source=employees | FIELDS name, dept, salary | APPENDCOL [ stats count() as event_count]
    is
name	dept	salary	event_count
Lisa	Sales------	10000	9
Fred	Engineering	21000	NULL
Paul	Engineering	29000	NULL
Evan	Sales------	32000	NULL
Chloe	Engineering	23000	NULL
Tom	Engineering	23000	NULL
Alex	Sales	30000	NULL
Jane	Marketing	29000	NULL
Jeff	Marketing	35000	NULL

instead of

name	dept	salary	event_count
Lisa	Sales------	10000	9
Fred	Engineering	21000	9
Paul	Engineering	29000	9
Evan	Sales------	32000	9
Chloe	Engineering	23000	9
Tom	Engineering	23000	9
Alex	Sales	30000	9
Jane	Marketing	29000	9
Jeff	Marketing	35000	9

PS, what is the expected result of query source=employees | stats sum(salary) as total_salary by dept | appendcol [ stats avg(age) as avg_age by dept ]?

@andy-k-improving
Copy link
Contributor Author

Two high level questions:

  1. appendCol command syntax is
    APPENDCOL <override=?> [sub-search]...

And the sub-search syntax is

opensearch-spark/ppl-spark-integration/src/main/antlr4/OpenSearchPPLParser.g4

Lines 27 to 29 in 957de4e

subSearch
: searchCommand (PIPE commands)*
;

Seems this PR doesn't follow the sub-search syntax.
I prefer to follow the current sub-search syntax, in case we could combine columns from different tables. for examples:
source=employees | FIELDS name, dept, salary | APPENDCOL [ search source = company | stats count() as event_count ]
But if this is intentional (appendcol only works for one table), I am okey for current syntax.
2. why the result of query source=employees | FIELDS name, dept, salary | APPENDCOL [ stats count() as event_count]
is

name	dept	salary	event_count
Lisa	Sales------	10000	9
Fred	Engineering	21000	NULL
Paul	Engineering	29000	NULL
Evan	Sales------	32000	NULL
Chloe	Engineering	23000	NULL
Tom	Engineering	23000	NULL
Alex	Sales	30000	NULL
Jane	Marketing	29000	NULL
Jeff	Marketing	35000	NULL

instead of

name	dept	salary	event_count
Lisa	Sales------	10000	9
Fred	Engineering	21000	9
Paul	Engineering	29000	9
Evan	Sales------	32000	9
Chloe	Engineering	23000	9
Tom	Engineering	23000	9
Alex	Sales	30000	9
Jane	Marketing	29000	9
Jeff	Marketing	35000	9

PS, what is the expected result of query source=employees | stats sum(salary) as total_salary by dept | appendcol [ stats avg(age) as avg_age by dept ]?

Yep, the sub-search under appendcol is restricted to use the same dataSource as the main PPL command, for the expected result, we can probably discuss it on the other thread, in order to centralise the convo.

@YANG-DB YANG-DB added Lang:PPL Pipe Processing Language support 0.7 labels Dec 19, 2024
@YANG-DB
Copy link
Member

YANG-DB commented Dec 31, 2024

Two high level questions:

  1. appendCol command syntax is
    APPENDCOL <override=?> [sub-search]...

And the sub-search syntax is

opensearch-spark/ppl-spark-integration/src/main/antlr4/OpenSearchPPLParser.g4

Lines 27 to 29 in 957de4e

subSearch
: searchCommand (PIPE commands)*
;

Seems this PR doesn't follow the sub-search syntax.
I prefer to follow the current sub-search syntax, in case we could combine columns from different tables. for examples:
source=employees | FIELDS name, dept, salary | APPENDCOL [ search source = company | stats count() as event_count ]
But if this is intentional (appendcol only works for one table), I am okey for current syntax.
2. why the result of query source=employees | FIELDS name, dept, salary | APPENDCOL [ stats count() as event_count]
is

name	dept	salary	event_count
Lisa	Sales------	10000	9
Fred	Engineering	21000	NULL
Paul	Engineering	29000	NULL
Evan	Sales------	32000	NULL
Chloe	Engineering	23000	NULL
Tom	Engineering	23000	NULL
Alex	Sales	30000	NULL
Jane	Marketing	29000	NULL
Jeff	Marketing	35000	NULL

instead of

name	dept	salary	event_count
Lisa	Sales------	10000	9
Fred	Engineering	21000	9
Paul	Engineering	29000	9
Evan	Sales------	32000	9
Chloe	Engineering	23000	9
Tom	Engineering	23000	9
Alex	Sales	30000	9
Jane	Marketing	29000	9
Jeff	Marketing	35000	9

PS, what is the expected result of query source=employees | stats sum(salary) as total_salary by dept | appendcol [ stats avg(age) as avg_age by dept ]?

Yep, the sub-search under appendcol is restricted to use the same dataSource as the main PPL command, for the expected result, we can probably discuss it on the other thread, in order to centralise the convo.

@andy-k-improving I would go with the same behaviour to match with Splunk ...

@YANG-DB
Copy link
Member

YANG-DB commented Jan 2, 2025

@andy-k-improving LGTM - please validate @LantaoJin question and respond here
thanks

andy-k-improving and others added 21 commits January 2, 2025 12:02
@andy-k-improving
Code style
e33f7ed 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Code comment
b8b1fbf 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Deprecate visit child (1)
833561b 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Minimise code diff
3c3177b 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update override logic
993e87d 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update test-cases
27c46b7 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Integ
12f7817 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Make append alias distinct
c2a6c22 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update integ for distinct tables
e2c8875 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update limitation
beddbd8 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update code style
1d06bbd 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving @currantw
Update docs/ppl-lang/ppl-appendcol-command.md
ebf4078 
Co-authored-by: Taylor Curran <[email protected]>
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving @currantw
Update docs/ppl-lang/ppl-appendcol-command.md
03dfcfb 
Co-authored-by: Taylor Curran <[email protected]>
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving @currantw
Update docs/ppl-lang/ppl-appendcol-command.md
f85405f 
Co-authored-by: Taylor Curran <[email protected]>
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update readme
5030f0c 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Mark var as final
7d2c36a 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update join type
c5a6649 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update unit tests
2b36884 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update existing integ test for full outer
e1c7fc4 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Test cases for null
2fdbadd 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update scalafmt
d6a29fb 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving andy-k-improving force-pushed the ft-ak-command-appendcol branch from c44d1b6 to d6a29fb Compare January 3, 2025 00:35
@andy-k-improving andy-k-improving mentioned this pull request Jan 3, 2025
Open
LantaoJin
LantaoJin requested changes Jan 3, 2025
View reviewed changes
docs/ppl-lang/ppl-appendcol-command.md
* sub-search: Executes PPL commands as a secondary search. The sub-search uses the same data specified in the source clause of the main search results as its input.


#### Example 1: To append the result of `stats avg(age) as AVG_AGE` into existing search result
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to add an additional example here and a test in IT, which is the most commonly used scenario for the AppenCol command:
source=employees | stats avg(age) as avg_age1 by dept | APPENDCOL [ stats avg(age) as avg_age2 by dept ]
The result should look like

dept             avg_age1 avg_age2
Sales            35.3333  35.3333
Engineering      27.25    27.25
Marketing        33       33

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM if above comment addressed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Besides, please update https://github.com/opensearch-project/opensearch-spark/blob/main/docs/ppl-lang/PPL-Example-Commands.md as well.

@andy-k-improving
Update doc
45a22d2 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Update doc
0c8e3d1 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Multiple avg commands
820df4e 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Multiple avg commands
bf5b73a 
Signed-off-by: Andy Kwok <[email protected]>
@andy-k-improving
Remove debug
bcfef7a 
Signed-off-by: Andy Kwok <[email protected]>
LantaoJin
LantaoJin reviewed Jan 4, 2025
View reviewed changes
docs/ppl-lang/ppl-appendcol-command.md

PPL query:

os> source=employees | stats avg(age) as avg_age1 by dept | fields dept, avg_age1 | APPENDCOL [ stats avg(age) as avg_age2 by dept | fields avg_age2 ];
Copy link
Member

@LantaoJin LantaoJin Jan 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens without | fields avg_age2? @andy-k-improving

In Splunk, command source=employees | stats avg(age) as avg_age1 by dept | APPENDCOLS [ stats avg(age) as avg_age2 by dept ] could display the same outputs. Does current implementation have to add those fields to get the same outputs?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@currantw currantw currantw left review comments

@LantaoJin LantaoJin LantaoJin requested changes

@YANG-DB YANG-DB YANG-DB approved these changes

@dai-chen dai-chen Awaiting requested review from dai-chen dai-chen is a code owner

@mengweieric mengweieric Awaiting requested review from mengweieric mengweieric is a code owner

@penghuo penghuo Awaiting requested review from penghuo penghuo is a code owner

@seankao-az seankao-az Awaiting requested review from seankao-az seankao-az is a code owner

@anirudha anirudha Awaiting requested review from anirudha anirudha is a code owner

@kaituo kaituo Awaiting requested review from kaituo kaituo is a code owner

@noCharger noCharger Awaiting requested review from noCharger noCharger is a code owner

@ykmr1224 ykmr1224 Awaiting requested review from ykmr1224 ykmr1224 is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
0.7 Lang:PPL Pipe Processing Language support
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[PPL-Lang]add appendcol ppl command
4 participants
@andy-k-improving @LantaoJin @YANG-DB @currantw