Improve log analytics and data distribution context prompt (#248)

FriedhelmWS · web-flow · commit e1a90c0ca12a · 2025-12-15T13:02:06.000+08:00
Signed-off-by: Owen Wang &lt;owenwyk@amazon.com&gt;
diff --git a/public/components/notebooks/components/data_distribution/data_distribution_container.tsx b/public/components/notebooks/components/data_distribution/data_distribution_container.tsx
@@ -47,7 +47,7 @@ export const DataDistributionContainer = ({
   paragraphState: ParagraphState<AnomalyVisualizationAnalysisOutputResult>;
 }) => {
   const {
-    services: { embeddable, paragraphService },
+    services: { notifications, embeddable, paragraphService },
   } = useOpenSearchDashboards<NoteBookServices>();
   const context = useContext(NotebookReactContext);
   const topContextValue = useObservable(
@@ -61,6 +61,7 @@ export const DataDistributionContainer = ({
   const { saveParagraph } = context.paragraphHooks;
   const [activePage, setActivePage] = useState(0);
   const [distributionModalExpand, setDistributionModalExpand] = useState(false);
+  const [isUpdatingParagraph, setIsUpdatingParagraph] = useState(false);
   const factory = embeddable.getEmbeddableFactory<DataDistributionInput>('vega_visualization');
   const paragraphRegistry = paragraphService?.getParagraphRegistry(
     DATA_DISTRIBUTION_PARAGRAPH_TYPE
@@ -170,17 +171,30 @@ export const DataDistributionContainer = ({
             iconType={isSelected ? 'crossInCircleEmpty' : 'checkInCircleEmpty'}
             color="text"
             style={{ height: '16px', width: '16px' }}
+            isDisabled={isUpdatingParagraph}
             onClick={async () => {
-              const updatedFieldComparison = [...fieldComparison];
-              updatedFieldComparison[chartIndex] = {
-                ...fieldComparison[chartIndex],
-                excludeFromContext: !isSelected,
-              };
-              await saveParagraph({
-                paragraphStateValue: ParagraphState.updateOutputResult(paragraph, {
-                  fieldComparison: updatedFieldComparison || [],
-                }),
-              });
+              try {
+                setIsUpdatingParagraph(true);
+
+                const updatedFieldComparison = [...fieldComparison];
+                updatedFieldComparison[chartIndex] = {
+                  ...fieldComparison[chartIndex],
+                  excludeFromContext: !isSelected,
+                };
+                await saveParagraph({
+                  paragraphStateValue: ParagraphState.updateOutputResult(paragraph, {
+                    fieldComparison: updatedFieldComparison || [],
+                  }),
+                });
+              } catch (err) {
+                notifications.toasts.addDanger(
+                  i18n.translate('notebook.data.distribution.paragraph.error', {
+                    defaultMessage: 'Error updating paragraph',
+                  })
+                );
+              } finally {
+                setIsUpdatingParagraph(false);
+              }
             }}
             aria-label={isSelected ? 'Exclude from the results' : 'Select from the results'}
           />
@@ -235,7 +249,7 @@ export const DataDistributionContainer = ({
                   uniqueId={uniqueId}
                   chartIndex={chartIndex}
                   isSelected={isSelected}
-                  spec={spec}
+                  spec={spec as any}
                 />
               );
             })}
diff --git a/public/components/notebooks/components/hypothesis/reinvestigate_modal.tsx b/public/components/notebooks/components/hypothesis/reinvestigate_modal.tsx
@@ -11,12 +11,12 @@ import {
   EuiModalHeaderTitle,
   EuiModalBody,
   EuiFormRow,
-  EuiFieldText,
   EuiSpacer,
   EuiSwitch,
   EuiModalFooter,
   EuiButton,
   EuiSuperDatePicker,
+  EuiTextArea,
 } from '@elastic/eui';
 import moment from 'moment';
 import dateMath from '@elastic/datemath';
@@ -84,7 +84,7 @@ export const ReinvestigateModal: React.FC<ReinvestigateModalProps> = ({
         </EuiModalHeader>
         <EuiModalBody>
           <EuiFormRow label="Edit initial goal">
-            <EuiFieldText value={value} onChange={(e) => setValue(e.target.value)} required />
+            <EuiTextArea value={value} onChange={(e) => setValue(e.target.value)} required />
           </EuiFormRow>
           {!!timeRange && (
             <>
diff --git a/public/components/notebooks/components/log_analytics/components/log_insight.tsx b/public/components/notebooks/components/log_analytics/components/log_insight.tsx
@@ -22,12 +22,14 @@ import { LogAnalyticsLoadingPanel } from './log_analytics_loading_panel';
 interface LogInsightProps {
   logInsights: LogPattern[];
   isLoadingLogInsights: boolean;
+  disableExclude?: boolean;
   onExclude?: (item: LogPattern) => void;
 }
 
 export const LogInsight: React.FC<LogInsightProps> = ({
   logInsights,
   isLoadingLogInsights,
+  disableExclude,
   onExclude,
 }) => {
   const [openPopovers, setOpenPopovers] = useState<{ [key: string]: boolean }>({});
@@ -114,6 +116,7 @@ export const LogInsight: React.FC<LogInsightProps> = ({
                   aria-label="Deselect item"
                   onClick={() => onExclude(record)}
                   color="subdued"
+                  isDisabled={disableExclude}
                 />
               </EuiToolTip>
             ),
diff --git a/public/components/notebooks/components/log_analytics/components/log_sequence.tsx b/public/components/notebooks/components/log_analytics/components/log_sequence.tsx
@@ -22,13 +22,15 @@ interface LogSequenceProps {
   baselineSequences?: LogSequenceEntry[];
   isLoadingLogSequence: boolean;
   isNotApplicable: boolean;
+  disableExclude?: boolean;
   onExclude?: (item: LogSequenceEntry) => void;
 }
 
 export const LogSequence: React.FC<LogSequenceProps> = ({
   exceptionalSequences,
   isLoadingLogSequence,
   isNotApplicable,
+  disableExclude,
   onExclude,
 }) => {
   // Columns for sequence entries table
@@ -85,6 +87,7 @@ export const LogSequence: React.FC<LogSequenceProps> = ({
                   aria-label="Deselect item"
                   onClick={() => onExclude(record)}
                   color="subdued"
+                  isDisabled={disableExclude}
                 />
               </EuiToolTip>
             ),
diff --git a/public/components/notebooks/components/log_analytics/components/pattern_difference.tsx b/public/components/notebooks/components/log_analytics/components/pattern_difference.tsx
@@ -24,6 +24,7 @@ interface PatternDifferenceProps {
   patternMapDifference: LogPattern[];
   isLoadingPatternMapDifference: boolean;
   isNotApplicable: boolean;
+  disableExclude?: boolean;
   onExclude?: (item: LogPattern) => void;
 }
 
@@ -78,6 +79,7 @@ export const PatternDifference: React.FC<PatternDifferenceProps> = ({
   patternMapDifference,
   isLoadingPatternMapDifference,
   isNotApplicable,
+  disableExclude,
   onExclude,
 }) => {
   // Columns for pattern difference table
@@ -164,6 +166,7 @@ export const PatternDifference: React.FC<PatternDifferenceProps> = ({
                   aria-label="Deselect item"
                   onClick={() => onExclude(record)}
                   color="subdued"
+                  isDisabled={disableExclude}
                 />
               </EuiToolTip>
             ),
diff --git a/public/components/notebooks/components/log_analytics/log_pattern_container.tsx b/public/components/notebooks/components/log_analytics/log_pattern_container.tsx
@@ -104,10 +104,12 @@ export const LogPatternContainer: React.FC<LogPatternContainerProps> = ({ paragr
   // Save results when needed
   useEffect(() => {
     if (paragraphRef.current && resultChanged) {
-      saveParagraph({
-        paragraphStateValue: ParagraphState.updateOutputResult(paragraphRef.current, result),
-      });
-      setResultChanged(false);
+      (async () => {
+        await saveParagraph({
+          paragraphStateValue: ParagraphState.updateOutputResult(paragraphRef.current!, result),
+        });
+        setResultChanged(false);
+      })();
     }
   }, [result, resultChanged, saveParagraph]);
 
@@ -159,6 +161,7 @@ export const LogPatternContainer: React.FC<LogPatternContainerProps> = ({ paragr
       <LogInsight
         logInsights={result?.logInsights || []}
         isLoadingLogInsights={loadingStatus.isLoadingLogInsights}
+        disableExclude={!!resultChanged}
         onExclude={handleLogInsightExclude}
       />
       <EuiSpacer size="s" />
@@ -167,6 +170,7 @@ export const LogPatternContainer: React.FC<LogPatternContainerProps> = ({ paragr
         patternMapDifference={result?.patternMapDifference || []}
         isLoadingPatternMapDifference={loadingStatus.isLoadingPatternMapDifference}
         isNotApplicable={!processedContext?.timeRange?.baselineFrom}
+        disableExclude={!!resultChanged}
         onExclude={handlePatternDifferenceExclude}
       />
       <EuiSpacer size="s" />
@@ -180,6 +184,7 @@ export const LogPatternContainer: React.FC<LogPatternContainerProps> = ({ paragr
             processedContext.indexInsight?.trace_id_field
           )
         }
+        disableExclude={!!resultChanged}
         onExclude={handleLogSequenceExclude}
       />
     </EuiPanel>
diff --git a/public/paragraphs/data_distribution.ts b/public/paragraphs/data_distribution.ts
@@ -17,18 +17,86 @@ import { getNotifications } from '../services';
 export const DataDistributionParagraphItem: ParagraphRegistryItem<AnomalyVisualizationAnalysisOutputResult> = {
   ParagraphComponent: DataDistributionContainer,
   getContext: async (paragraph) => {
-    const selectedFieldComparison = paragraph?.output?.[0]?.result?.fieldComparison?.filter(
-      (item) => !item.excludeFromContext
+    const allFieldComparison = paragraph?.output?.[0]?.result?.fieldComparison || [];
+    const selectedFieldComparison = allFieldComparison.filter((item) => !item.excludeFromContext);
+
+    const hasBaseline = selectedFieldComparison.some((f) =>
+      f.topChanges.some((c) => c.baselinePercentage !== undefined)
     );
-    return ` ## Data Distribution Analysis Results
 
-### Step description
-This step calculate fields' distribution and find the outlines between baselineTimeRange and selectionTimeRange.
-These statistical deviations highlight potential areas of concern that may explain the underlying issue.
+    const methodologyText = hasBaseline
+      ? `Compares field value distributions between baseline and selection periods:
+- Analyzes categorical fields (keyword, boolean, text) and numeric fields (grouped into ranges)
+- Calculates percentage distribution for each field value
+- Ranks fields by divergence score (maximum percentage point shift between periods)`
+      : `Analyzes field value distributions in the selected time period:
+- Examines categorical fields (keyword, boolean, text) and numeric fields (grouped into ranges)
+- Calculates percentage distribution for each field value
+- Shows fields with highest cardinality and most significant values`;
+
+    const guidelinesText = hasBaseline
+      ? `**PRIMARY EVIDENCE**: Use divergence scores and distribution shifts as concrete evidence.
+
+**Priority**: 
+- [CRITICAL] divergence >30%: Severe behavioral change
+- [HIGH] divergence >15%: Significant change requiring investigation  
+- [MEDIUM] divergence >5%: Notable change worth examining
+
+**Investigation Strategy**:
+1. Start with highest divergence fields - these show the strongest anomalies
+2. Look for correlated changes across multiple fields (e.g., error_code + status_code + response_time)
+3. Examine topChanges for each field to identify which specific values shifted
+4. Quantify impact using baseline → selection percentages
+5. Cross-reference with log patterns to validate hypotheses`
+      : `**PRIMARY EVIDENCE**: Use field distributions to understand data characteristics.
+
+**Investigation Strategy**:
+1. Look for error-related fields (status_code, error_code, level, severity) with high error percentages
+2. Examine fields with concentrated distributions (>80% in single value) - may indicate systemic issues
+3. Check topChanges to identify dominant field values that correlate with problems
+4. Cross-reference field values with log patterns to identify root causes`;
+
+    const formatFieldData = () => {
+      if (selectedFieldComparison.length === 0) return 'No field data available.';
+
+      return selectedFieldComparison
+        .map((field, i) => {
+          const changes = field.topChanges
+            .map((c) => {
+              if (c.baselinePercentage !== undefined) {
+                return `  - "${c.value}": ${c.baselinePercentage.toFixed(
+                  1
+                )}% → ${c.selectionPercentage.toFixed(1)}%`;
+              }
+              return `  - "${c.value}": ${c.selectionPercentage.toFixed(1)}%`;
+            })
+            .join('\n');
+
+          if (hasBaseline) {
+            return `[${i + 1}] Field: ${field.field}\n  Divergence: ${(
+              field.divergence * 100
+            ).toFixed(1)}%\n  Top Values:\n${changes}`;
+          }
+          return `[${i + 1}] Field: ${field.field}\n  Top Values:\n${changes}`;
+        })
+        .join('\n\n');
+    };
+
+    return `## Data Distribution Analysis
+
+### Methodology
+${methodologyText}
+
+### Field Data
+${formatFieldData()}
+
+### Analysis Guidelines
+${guidelinesText}
 
-### Step result:
-Anomaly detection has been performed on the data and the analysis identified anomalies in the following fields:
-${JSON.stringify(selectedFieldComparison)}.
+**Query Construction**:
+- Use field names and top values to build targeted queries
+- Filter by high-percentage values to focus on dominant behaviors
+- Combine multiple fields to narrow down root cause
     `;
   },
   runParagraph: async ({ paragraphState, notebookStateValue }) => {
diff --git a/public/paragraphs/log_analytics.ts b/public/paragraphs/log_analytics.ts
